
Decompiling Android


Presentation Transcript


  1. Decompiling Android Godfrey Nolan 1DevDay 11/5/11

  2. Intro • What is a Decompiler? • Why Android? • Decompilers • Protect Yourself • Raising the Bar

  3. SPAM #1

  4. What is a Decompiler • Reverse Engineers apps into source code • Many languages can be decompiled • Java, C#, VB.Net, Visual Basic • Others can only be disassembled • C, C++, Objective-C • Java and .Net particularly at risk • Because of JVM and CLR design • Why use decompilers? • Curiosity, Hacking, Learning, Fair Use

  5. Why Java • Exploits JVM Design • Originally interpreted not compiled • Lots more symbolic information than binaries • Data and method separation • Simple classfile structure • Very few opcodes

  6. Why Java

  7. Why Java
     Classfile {
       int magic,
       short minor_version,
       short major_version,
       short constant_pool_count,
       cp_info constant_pool[constant_pool_count],
       short access_flags,
       short this_class,
       short super_class,
       short interfaces_count,
       interface_info interfaces[interfaces_count],
       short fields_count,
       field_info fields[fields_count],
       short methods_count,
       method_info methods[methods_count],
       short attributes_count,
       attr_info attributes[attributes_count]
     }

  8. Why Java

  9. Why Android • Client side code • Easy access to apk’s • Download apk to sd card using Astro File Mgr • Download from xdadevelopers forum • Download using ‘adb pull’ on jailbroken phone • Nobody is using obfuscation • 1 out of 20 apks downloaded were protected • Easy to convert apk to Java to decompile

  10. Why Android

  11. Why Android • java -jar dex2jar.jar com.riis.mobile.apk • jd-gui com.riis.mobile.apk.dex2jar

  12. Why Android • Dex file • Different structure • Different opcodes • Register based not stack based • Multiple JVMs on device

  13. Why Android

  14. Why Android

  15. Why not iPhone? • Objective-C • Compiled not interpreted • Much less information • Fat binaries approach • Can still be disassembled • strings and otool unix commands • Other tools like IDA Pro

  16. Why Android • Jailbreak/Root phone • Use Z4Root • Uses RageAgainstTheCage Trojan exploit • Not available on Android Marketplace ;-) • Using Android SDK platform tools • Turn on USB debugging • Find apk using adb shell • Download using adb pull

  17. Why Android

  18. Why Android • Even easier is the apk-tool • Install APK-tool • Download apk • Right click

  19. Decompilers • Jive • Mocha • JAD • SourceAgain • JD-GUI

  20. Possible Exploits • Web Service API keys exposed • Database logins • Credit Card information • Fake apps

  21. Possible Exploits

  22. Possible Exploits

  23. Possible Exploits
     public static final String USER_NAME = "BC7E9322-0B6B-4C28B4";
     public static final String PASSWORD = "waZawuzefrabru96ebeb";
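As an added example (not from the slides), a Python parser for the classfile layout on slide 7 that pulls the names and ConstantValue literals of static final String fields straight out of the constant pool, which is exactly how credentials like those on slide 23 surface without even running a decompiler. The Secrets class bytes, the PASSWORD field and its "hunter2-example" value are constructed for the demo.

```python
import struct
# Payload size of each fixed-length constant-pool entry by tag (CONSTANT_Utf8, tag 1, is variable)
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 18: 4}

def parse_class(data):
    """Walk the classfile header, constant pool and field table (methods are skipped)."""
    magic, minor, major, cp_count = struct.unpack_from(">IHHH", data, 0)
    assert magic == 0xCAFEBABE, "not a Java classfile"
    off, pool = 10, [None]                       # the constant pool is 1-indexed
    while len(pool) < cp_count:
        tag = data[off]
        if tag == 1:                             # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, off + 1)
            pool.append(("Utf8", data[off + 3:off + 3 + n].decode("utf-8")))
            off += 3 + n
        else:
            pool.append((tag, data[off + 1:off + 1 + CP_SIZES[tag]]))
            off += 1 + CP_SIZES[tag]
            if tag in (5, 6):                    # Long/Double occupy two pool slots
                pool.append(None)
    _acc, this_cls, _super, n_if = struct.unpack_from(">HHHH", data, off)
    off += 8 + 2 * n_if                          # skip the interfaces table
    (n_fields,) = struct.unpack_from(">H", data, off)
    off, fields = off + 2, []
    for _ in range(n_fields):
        f_acc, name_i, desc_i, n_attr = struct.unpack_from(">HHHH", data, off)
        off, value = off + 8, None
        for _ in range(n_attr):                  # a ConstantValue attribute carries the literal
            an_i, alen = struct.unpack_from(">HI", data, off)
            if pool[an_i] == ("Utf8", "ConstantValue"):
                (ci,) = struct.unpack_from(">H", data, off + 6)
                if pool[ci][0] == 8:             # CONSTANT_String -> index of a Utf8 entry
                    value = pool[struct.unpack(">H", pool[ci][1])[0]][1]
            off += 6 + alen
        fields.append((pool[name_i][1], pool[desc_i][1], f_acc, value))
    class_name = pool[struct.unpack(">H", pool[this_cls][1])[0]][1]
    return {"version": (major, minor), "class": class_name, "fields": fields}

def hardcoded_strings(data):  # static final String fields whose literal sits in the constant pool
    return {n: v for n, d, a, v in parse_class(data)["fields"]
            if d == "Ljava/lang/String;" and a & 0x0018 == 0x0018 and v is not None}

def _utf8(s): b = s.encode(); return b"\x01" + struct.pack(">H", len(b)) + b
# Constructed sample, hand-assembled the way javac lays out
#   public final class Secrets { public static final String PASSWORD = "hunter2-example"; }
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, 10)                    # magic, minor, major, cp_count
    + _utf8("Secrets") + b"\x07\x00\x01" + _utf8("java/lang/Object") + b"\x07\x00\x03"  # #1-#4: class names
    + _utf8("PASSWORD") + _utf8("Ljava/lang/String;") + _utf8("hunter2-example")        # #5 name, #6 desc, #7 literal
    + b"\x08\x00\x07" + _utf8("ConstantValue") + struct.pack(">HHHH", 0x0031, 2, 4, 0)  # #8 String->#7, #9; class hdr
    + struct.pack(">HHHHH", 1, 0x0019, 5, 6, 1) + struct.pack(">HIH", 9, 2, 8)          # field PASSWORD, ConstantValue->#8
    + struct.pack(">HH", 0, 0))                                                         # no methods, no class attributes
```

Run `hardcoded_strings(open("Secrets.class", "rb").read())` over the classes dex2jar produces to list every baked-in string constant; ProGuard renames the field, but the literal survives unless string encryption is used.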

  24. Protect Yourself • Protect code before releasing • Hard to recover once it’s been made available • Obfuscators • ProGuard • DashO • Native Code • Use C++ and JNI • 99.99% of Android devices run on ARM processor • Use digital signature checking to protect lib

  25. Protect Yourself • ProGuard: • Detects and removes unused classes, fields, methods, and attributes. • Optimizes bytecode and removes unused instructions. • Renames remaining classes, fields, and methods using short meaningless names. • Preverifies the processed code for Java. • Enable in default.properties files • proguard.config=proguard.cfg

  26. Protect Yourself • DashO (basic): • Improvement over ProGuard's naming by using strange characters and heavily reusing the same names at different scopes. • Does much more involved control flow obfuscation than ProGuard, reordering code operations to make them very difficult to understand and often breaking decompilers. • Supports string encryption to render important string data unreadable to attackers.

  27. Protect Yourself • DashO (advanced): • Supports tamper detection, handling, and reporting to prevent users from changing the compiled code, even while debugging, and to alert you if it happens. • Can automatically inject Preemptive's Runtime Intelligence functionality for remote error reporting.

  28. Protect Yourself • DashO demo

  29. Protect Yourself - Decompiled

  30. Protect Yourself - ProGuard

  31. Protect Yourself – DashO

  32. Protect Yourself – JNI
     #include <jni.h>

     /* Native implementation of getPassword(): the literal lives in the compiled .so, not in decompilable bytecode */
     jstring Java_com_getPassword(JNIEnv* env, jobject thiz) {
         char *password = "waZawuzefrabru96ebeb";
         return (*env)->NewStringUTF(env, password);
     }

  33. Protect Yourself – JNI

  34. Protect Yourself – JNI

  35. Links • http://viralpatel.net/blogs/2009/01/tutorial-java-class-file-format-revealed.html • http://code.google.com/p/z4root/ • http://code.google.com/p/android-apktool/ • http://www.dalvikvm.com/

  36. Raising the Bar • APK’s are available • Tools are easy to use • Turn on ProGuard • Investigate other obfuscators • Hide keys using JNI • Don’t put sensitive information unencrypted in APKs

  37. SPAM #2 • RIIS LLC • Southfield, MI • Clients • Fandango • DTE • Comerica • BCBSM • Mobile Development • DTE Outage Maps • Broadsoft Front Office Assistant • Contact Information • godfrey@riis.com
