Reverse Engineering Android Applications
Daniele Altomare, [email protected], @danielealtomare


Post on 15-Jul-2015



CURRENT SECURITY STATUS

According to the Google Android Security 2014 Final Report:

➔ Over 1 billion devices run Google Play, which conducts 200 million security scans of devices per day.

➔ Fewer than 1% (up to 10 million devices) of Android devices had a Potentially Harmful App (PHA) installed in 2014. Fewer than 0.15% of devices that only install from Google Play had a PHA installed.

➔ The overall worldwide rate of Potentially Harmful Application (PHA) installs decreased by nearly 50% between Q1 and Q4 2014.

➔ SafetyNet checks over 400 million connections per day for potential SSL issues.

➔ Android and its partners responded to 79 externally reported security issues, and over 25,000 applications in Google Play were updated following security notifications from Google Play.

➔ Rooted Android devices contain 2x more malware.

OWASP – TOP 10 MOBILE RISKS

The Open Web Application Security Project is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections

LACK OF BINARY PROTECTION

Threat Agents (Application Specific): Analyze and reverse engineer application code, then modify it.

Attack Vectors (Exploitability: Medium): Use a set of tools to reverse engineer the code and modify it using malware to perform some hidden functionality.

Security Weakness (Prevalence: Common): It is extremely common for apps to be deployed without binary protection.

Security Weakness (Detectability: Easy): It is difficult to detect that an adversary has reverse engineered an app's code.

Technical Impacts (Impact: Severe): The majority of mobile apps do not prevent reverse engineering.

Business Impacts (Application / Business Specific). Typical business impacts:
● Confidential Data Theft
● Unauthorized Access and Fraud
● Brand and Trust Damage
● Revenue Loss and Piracy
● Intellectual Property Theft
● User Experience Compromise

PROCESS

Profiling → Static analysis → Dynamic analysis → Tampering

Profiling: Gather initial information about the target application:
● Info about developer
● Application dependencies
● Use of particular SDKs, libraries or web services
● Permissions list

Static analysis: Analyze code and data of the application without actually executing it.
Identify hard-coded values such as URIs, keys or credentials.
Decompile the APK with apktool to get access to the source code (smali format) and application XMLs (such as the AndroidManifest and layouts).
Use AndroGuard to get more insight and information about the application.

Dynamic analysis: Execute the application – in an instrumented or monitored version – to get more precise information on its behavior:
● Monitor network traffic
● Monitor processes
● Search for data left on the file system

Tampering: Code manipulation or injection.
This can be performed by modifying the smali files directly or by using one of these frameworks:
- Soot
- Javassist
- AspectJ

ANATOMY OF AN APK

The APK format is an extension of the Java JAR format, which is an extension of the ZIP file format.

AndroidManifest.xml: declares the package name, version, components, and other metadata of the application.

classes.dex: executable code of the application in DEX format for the Dalvik VM.

resources.arsc: packages all compiled resources of the application such as strings and styles.

assets: raw assets of the application (fonts, videos, music files, ...).

lib: native libraries used by the application through the JNI interface.

res: application resources (strings, animations, images, layouts, ...).

META-INF: package manifest file and code signatures.
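As an added example (not from the deck or its demo project), the following Python script performs the profiling-style inventory described under PROCESS against the APK layout above: it opens the package as a ZIP, maps each entry to the role the slide gives it, confirms the mandatory entries and a v1 signature block are present, and validates the classes.dex header (magic, Adler-32 checksum, SHA-1 signature). The DEX blob and the APK it inspects are constructed inside the script, so it runs offline; the `tampered` flag edits the bytecode without fixing up the header, which is what the checksum test catches.

```python
import hashlib, io, struct, zipfile, zlib
# APK entries named on the slide, mapped to their role (prefixes cover directories).
ROLES = {"AndroidManifest.xml": "manifest", "classes.dex": "dex", "resources.arsc": "compiled resources",
         "assets/": "assets", "lib/": "native libs", "res/": "resources", "META-INF/": "signature"}

def check_dex(data: bytes) -> str:
    """DEX header: magic, adler32 at offset 8 over data[12:], SHA-1 at offset 12 over data[32:]."""
    if len(data) < 36 or not data.startswith(b"dex\n"):
        return "bad magic"
    if struct.unpack("<I", data[8:12])[0] != zlib.adler32(data[12:]) & 0xFFFFFFFF:
        return "checksum mismatch"  # bytecode edited without fixing up the header
    if data[12:32] != hashlib.sha1(data[32:]).digest():
        return "signature mismatch"
    return "ok"

def inventory(apk: bytes) -> dict:
    """Classify APK entries by role and flag structural problems, without running the app."""
    roles, findings = {}, []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
        for n in names:
            for prefix, role in ROLES.items():
                if n == prefix or n.startswith(prefix):
                    roles.setdefault(role, []).append(n)
        for required in ("AndroidManifest.xml", "classes.dex"):
            if required not in names:
                findings.append(f"missing {required}")
        for d in (n for n in names if n.endswith(".dex")):
            if (status := check_dex(zf.read(d))) != "ok":
                findings.append(f"{d}: {status}")
        if not any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names):
            findings.append("no v1 signature block under META-INF")
    return {"roles": roles, "findings": findings}

def build_dex(payload: bytes) -> bytes:
    """Constructed sample: a self-consistent DEX header carrying a dummy body (no real classes)."""
    rest = struct.pack("<I", 36 + len(payload)) + payload  # file_size field + body
    sig = hashlib.sha1(rest).digest()
    return b"dex\n035\0" + struct.pack("<I", zlib.adler32(sig + rest) & 0xFFFFFFFF) + sig + rest

def build_apk(tampered: bool = False) -> bytes:
    """Constructed sample APK; tampered=True edits the bytecode but leaves the header stale."""
    dex = build_dex(b"constructed-sample-bytecode")
    dex = dex[:-1] + b"X" if tampered else dex
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in [("AndroidManifest.xml", b"<manifest/>"), ("classes.dex", dex), ("resources.arsc", b""),
                           ("lib/arm64-v8a/libnative.so", b""), ("META-INF/CERT.RSA", b"")]:
            zf.writestr(name, body)
    return buf.getvalue()
```

A rebuild with apktool recomputes the DEX header and re-signs the package, so this check only flags crude in-place edits; the slide's advice to validate the application signature at runtime is what detects a repackaged APK.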

DEMO

Demo application: https://github.com/fasteque/VoxxedTicino2015

Static analysis: Identify points of interest:
- root detection
- file download

APK Tampering:
- bypass root detection
- download file on the public storage

No source code!

QUICK WINS

➔ Obfuscate and shrink your code using one of the many Java/Android obfuscators available in the market. They convert all variable and method names into one or two character strings, and some also change the flow of the code. It will not stop hackers from understanding your code, but it will make it harder.

➔ ProGuard is free, ships with the Android SDK and is easy to enable.

➔ However, ProGuard is not enough: it mostly scrambles identifiers. An alternative is DexGuard (commercial), an enhanced version of ProGuard. It supports encryption for strings, classes, native libraries and assets, XML resources obfuscation and many other features.

QUICK WINS

➔ Dynamic bytecode loading. Additional bytecode can be loaded at runtime using the DexClassLoader: a class loader that loads classes from .jar and .apk files containing a classes.dex entry. This can be used to execute code not installed as part of an application. It can be encrypted in the original APK and stored as an asset, or downloaded at runtime.

➔ Integrity checks at runtime. Validate the signature of the application.

➔ Use the NDK to protect your business logic and data. Obfuscators only protect you from decompiling an APK, but not from disassembling it.

DO NOT ROOT YOUR DEVICE!

You give malware the rights to execute harmful code... programmatically too:
Runtime.getRuntime().exec(...);

Remove the lock pattern security protection:
shell@android:/data # cd /data/system
shell@android:/data/system # rm gesture.key

Copy application databases manually:
find . -name "*.db" -type f -exec cp {} /mnt/sdcard/DB_COPY \;

FINAL TIPS

➔ Protect your sensitive data using SQLCipher, an open source encrypted SQLite database.

➔ Do I want to let my application run on rooted devices?

➔ Do not underestimate security of your app

➔ Think about which security level you really need

➔ Implement best practices

➔ Review, test and audit your code

➔ Always check your APK package file before release.

THANK YOU!