reverse engineering android applications

Download Reverse Engineering Android Applications

Post on 15-Jul-2015




5 download

Embed Size (px)


  • Reverse Engineering Android Applications




    According to the Google Android Security 2014 Final Report:

    Over 1 billion devices run Google Play which conducts 200 million security scans ofdevices per day.

    Fewer than 1% (up to 10 million devices) of Android devices had a Potentially Harmful App(PHA) installed in 2014. Fewer than 0.15% of devices that only install from Google Play hada PHA installed.

    The overall worldwide rate of Potentially Harmful Application (PHA) installs decreased bynearly 50% between Q1 and Q4 2014.

    SafetyNet checks over 400 million connections per day for potential SSL issues.

    Android and its partners responded to 79 externally reported security issues, and over25,000 applications in Google Play were updated following security notifcations fromGoogle Play.

    Rooted Android devices contain 2x more malware.

  • OWASP TOP 10 MOBILE RISKSOpen Web Application Security Project is an open community dedicated toenabling organizations to conceive, develop, acquire, operate, and maintainapplications that can be trusted.

    M1: Weak Server Side ControlsM2: Insecure Data StorageM3: Insufficient Transport Layer ProtectionM4: Unintended Data LeakageM5: Poor Authorization and AuthenticationM6: Broken CryptographyM7: Client Side InjectionM8: Security Decisions Via Untrusted InputsM9: Improper Session HandlingM10: Lack of Binary Protections


    Threat Agents Application Specifc Analyze and reverse engineer applicationcode, then modify it.

    Attack Vectors ExploitabilityMediumUse a set of tools to reverse engineer thecode and modify it using malware toperform some hidden functionality.

    Security Weakness


    It is extremely common for apps to bedeployed without binary protection.


    It is diffcult to detect that an adversary hasreverse engineered an apps code.

    Technical Impacts ImpactSevereThe majority of mobile apps do not preventreverse engineering.

    Business Impacts Application / BusinessSpecifc

    Typical business impacts: Confdential Data Theft Unauthorized Access and Fraud Brand and Trust Damage Revenue Loss and Piracy Intellectual Property Theft User Experience Compromise


    Profling StaticanalysisDynamicanalysis Tampering

    Gather initial informationabout the targetapplication:

    Info about developer Application

    dependencies Use of particular

    SDKs, libraries or webservices

    Permissions list

    Analyze code and data of theapplication without actuallyexecuting it.

    Identify hard-coded values suchas URIs, keys or credentials.

    Decompile the APK withapktool to get access to thesource code (smali format) andapplication XMLs (such as theAndroidManifest and layouts).

    Use AndroGuard to get moreinsight and information aboutthe application.

    Execute the application in aninstrumented or monitoredversion to get more preciseinformation on its behavior:

    Monitor network traffic Monitor processes Search for data left on the

    file system

    Code manipulation orinjection.

    This can be performedmodifying directly the smalifiles or using one of theseframeworks:- Soot- Javassist- AspectJ


    APK format is an extension of the Java JAR format, which is an extension of the ZIP fle.AndroidManifest.xmlclasses.dexresources.arscassetslibresMETA-INF

    which declares package name, version, components, and other metadata of theapplication.

    executable code of the application in DEX format for the Dalvik VM.

    packages all compiled resources of the application such as strings and styles.

    raw assets of the application (fonts, videos, music fles, ...).

    native libraries used by application through JNI interface.

    application resources (strings, animations, images, layouts, ...).

    package manifest fle and code signatures.

  • DEMO

    Demo application:

    StaticanalysisAPK TamperingIdentify points of interest:- root detection- fle downloadAPK

    - bypass root detection- download fle on the public storageNo source code!

  • QUICK WINS Obfuscate and shrink your code using one of the many

    Java/Android obfuscators available in the market.They convert all variable and method names into one or two character strings and some alsochange the flow of the code.It will not stop hackers from understanding your code but it will make it harder.

    ProGuard is free, ships with the Android SDK and is easy toenable.

    However ProGuard is not enough, it mostly scrambles identifers.An alternative is DexGuard (commercial), an enhanced version ofProguard.It supports encryption for strings, classes, native libraries and assets, XML resources obfuscationand many other features.

  • QUICK WINS Dynamic bytecode loading.

    Additional bytecode can be loaded at runtime using the DexClassLoader: a class loader that loadsclasses from .jar and .apk fles containing a classes.dex entry. This can be used to execute codenot installed as part of an application .It can be encrypted in the original APK and stored as an asset or downloaded at runtime.

    Integrity checks at runtime.Validate the signature of the application.

    Use the NDK to protect your business logic and data.Obfuscators only protect you from decompiling an APK but not from disassembling it.

  • DO NOT ROOT YOUR DEVICE!You give malware the rights to execute harmful code... programmatically too:Runtime.getRuntime().exec(...);

    Remove the lock pattern security protectionshell@android:/data # cd /data/systemshell@android:/data/system # rm gesture.key

    Copy application databases manuallyfind . -name "*.db" -type f -exec cp {} /mnt/sdcard/DB_COPY \;

  • FINAL TIPS Protect your sensitive data using SQLCipher, an open source

    encrypted SQLite database.

    Do I want to let my application run on rooted devices?

    Do not underestimate security of your app

    Think about which security level you really need

    Implement best practices

    Review, test and audit your code

    Always check your APK package fle before release.


    Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12