михаил дударев
  1. Android applications in the cruel world
     Defence Against the Dark Forces: how to save an Android application from threats?
     Mikhail Dudarev, Ivan Kinash
     Licel, 2014, DroidCon Moscow 2014
  2. About
     • Mikhail Dudarev, old-school Java security guy, founder of jCardSim, a Java Card simulator and winner of the 2013 Duke's Choice Award, co-founder of Licel.
     • Ivan Kinash, co-founder & CEO at Licel
     • Licel creates application protection solutions for the Java and Android platforms.
  3. Report
     Mobile Techworld Report: Looking at a total of 230 apps – the top 100 paid apps and top 15 free apps for Android and iOS – Arxan found that 100 percent of the top paid apps on Android and 56 percent on iOS were being impersonated in a compromised form on grey markets.
     http://goo.gl/mW1WxZ
  4. Android Application Security Model
     • There is no standard EULA; every publisher is solely responsible for its own (Google Play)
     • The installed APK is stored on the device
     • It is signed with the publisher's signature
     • There is a privilege system (users do not take it seriously, or they simply have no choice)
     • APKs stored on devices are accessible even without root privileges
  5. Android Application Security Model
     • The signature is designed to confirm the integrity of an application
     • The truth is that it gives you absolutely nothing
     • A couple of minutes are needed to re-sign an application
     • Then put it on grey markets, p2p, warez sites… or even on the same market where the original one is (was)
  6. APK Structure
     • classes.dex (Dalvik bytecode)
     • resources.arsc (compiled resources)
     • META-INF/ (signatures)
     • res/ (resources)
     • assets/ (assets)
     • lib/ (native libs)
     • AndroidManifest.xml (name, version, access rights, referenced libs)
  7. Dalvik bytecode
     • Is it protected?
     • Is it hard to reverse engineer?
     No and no once again…
  8. Example
     • Imagine you have an application with ads
     • What does a malicious person have to do to own your app?
     • Apktool disassemble -> change ad id -> Apktool assemble -> add its own signature -> zipalign -> distribute (p2p, grey markets, official markets, warez sites) = 10 mins
     • If you are using just the name obfuscation technique, it will require one extra minute to hack…
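A constructed example added here (not the authors' or Licel's code) that makes the APK layout of slide 6 and the signature discussion of slides 4, 5 and 8 concrete: a JAR-style META-INF/MANIFEST.MF records one SHA1 digest per entry, so checking those digests catches an edit made without re-signing, but the manifest says nothing about who signed it, which is why rebuilding and signing with another key defeats it. All entry names, contents and the ad-id asset are placeholders.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample (not a real app): some of the entries from the APK layout slide plus a
# JAR-style MANIFEST.MF whose SHA1-Digest lines cover each entry, as v1 (JAR) signing records them.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.placeholder'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "assets/ads.cfg": b"ad_id=PLACEHOLDER_ORIGINAL",
}

def sha1_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_sample_apk(modified_asset: bytes = None) -> bytes:
    """Manifest covers the ORIGINAL contents; `modified_asset` then swaps assets/ads.cfg (edit without re-signing)."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA1-Digest: {sha1_b64(d)}\r\n\r\n" for n, d in SAMPLE_ENTRIES.items())
    entries = dict(SAMPLE_ENTRIES)
    if modified_asset is not None:
        entries["assets/ads.cfg"] = modified_asset
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for name, data in entries.items():
            apk.writestr(name, data)
        apk.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    """Map each 'Name:' section of MANIFEST.MF to its SHA1-Digest value."""
    digests = {}
    for section in text.split("\r\n\r\n"):
        fields = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests

def check_apk_entries(apk_bytes: bytes) -> dict:
    """Return {entry: 'ok' | 'MODIFIED' | 'UNLISTED'} for every entry outside META-INF/."""
    status = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        digests = parse_manifest(apk.read("META-INF/MANIFEST.MF").decode())
        for info in apk.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            expected, actual = digests.get(info.filename), sha1_b64(apk.read(info))
            status[info.filename] = "UNLISTED" if expected is None else "ok" if actual == expected else "MODIFIED"
    return status
```

The check only proves that the archive matches its own manifest; binding the package to its publisher requires comparing the signing certificate against a value the app trusts, not the digests shipped inside the APK.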
  9. Short funny demo
  10. Existing threats
      • Application cloning
      • Sensitive information (user) theft
      • Licensing system cracking
      • Reverse engineering
  11. Application cloning
      • Illegal publishing on alternative app stores
        – App sales revenue loss
      • Rerouting of Ad/IAP revenue streams
        – Lost revenue from ads and purchases
      • Malicious code injection
        – Loss of reputation and harm to the app's users
  12. Stealing sensitive information from an application
      • User's data
        – Logins/Passwords/Keys/Credit card info…
        – Social network data
        – Location
      • Application data
        – Unique multimedia resources
        – Information from embedded databases
        – Business logic
      • Corporate data
        – DBs/Confidential files/…
      Cracking tools (free): ApkTool, Androguard, Dex2jar
  13. Licensing system cracking. Google Play LVL
      • The main app licensing service in Google Play
      • Based on asymmetric cryptography
        – Secret keys are stored on the licensing server, public keys are in an application's code
      Automatic cracking tool: AntiLVL
  14. Reverse engineering
      • Analysis of weak/critical places in apps in order to detect vulnerabilities
      • Application's internal logic analysis
        – OTP generator for a banking solution: http://goo.gl/0Dauve
      Cracking tools: ApkTool, Androguard, Dex2jar
  15. Reverse engineering my bank's security token
      • Original mobile banking application that generates OTP (One Time Password) codes
      • After decompiling with Dex2Jar
        – Detected the OTP generation algorithm: TOTP, where TOTP = HOTP(SecretKey, TimeCounter)
        – Secret key extracted from the code
        – Arduino clone created :)
  16. Reverse engineering my bank's security token
  17. Standard protection and licensing techniques
      • Name obfuscation (in particular ProGuard)
      • Licensing services provided by the app store
        – Google Play Licensing
        – Amazon DRM
      • Custom native libraries for license checking, string/class encryption
      • Server-side computation
      • Mathematical Jigsaw Puzzle Obfuscation (keep the ProGuard optimizer away from these parts of the code)
  18. Useful, but do not work…
      Active and Strong Integrity Protection Techniques and a set of other great approaches
      They do not work without…
  19. Cracking methods
      • Automatic
        – AntiLVL
      • Tools for analysis and modification
        – ApkTool
        – Androlib
        – Dex2Jar
        – JD-GUI/JEB/…
      • Text editor and grep :)
  20. Advanced protection techniques
      • String Encryption (e.g. whiteboxcrypto)
      • Hiding of API calls
      • Class Encryption
      • Resource Encryption
      • Strong and active integrity protection
  21. Protection goal
      • Have the bytecode (even if it is dumped) as hard to reverse engineer as possible (strings are encrypted, valuable algorithms are hidden, API calls are hidden)
      • Have a strong integrity protection mechanism in order to block the ability to repackage
      • Have unique resources encrypted
  22. Protection scheme
      APK
      • Bytecode
        – String Encryption
        – Class Encryption
        – Hide API calls
      • Resources
        – Resource encryption
      • Signature
        – Active Integrity Protection (Repackaging protection)
      If an app has network abilities, you can also change the communication protocol from version to version…
  23. A few important tips
      If you are developing a mobile banking/financial/corporate/secure app:
      • Device fingerprint
      • Device-related one-time passwords via a second communication channel (SMS)
      • Use secured communication protocols and strong cryptography if possible
      • Sensitive information stored on a device should be encrypted (SQLCipher); keys must be hidden via String Encryption
      • Keep in mind that the balance between usability/performance and security is important
      • Think about protection and do protect in advance, BEFORE RELEASE
  24. A few important tips #2
      After applying strong protection techniques you might then think about:
      • App cert check (just in case)
      • Debug mode check
      • Rooted device check
      • Emulator check
  25. DexProtector
      • Having huge expertise, we have implemented String Encryption, Class Encryption, Resource Encryption, Hide Access and Integrity Control mechanisms at a technology-leading level
      • That is why I would love to recommend DexProtector for protecting your apps from threats
      • If you are applying additional security practices, DexProtector will help you to protect them from being reverse engineered
      • It can be used together with ProGuard
  26. Conclusion
      • Nobody will give you a 100% guarantee that your app will not be hacked
      • The relevance of piracy is increasing day by day as the Android market grows
      • Standard protection techniques no longer stand against current methods of analysis and cracking
      • You must have a set of protection techniques applied
      • Integrity Protection is very important
  27. Conclusion #2
      • If you applied security measures intelligently you are safe from more than 90% of potential hackers. It is hoped that the remaining 10 percent will not be interested in breaking your app
      • Google is in a difficult situation with Android security now. Definitely there should be some changes, especially in securing the boot-loader, and in creating a secure app execution environment and storage also. They tried in Jelly Bean, but with no luck. On the other hand I see the Nexus series has the ability to be legally rooted and I do not know what to think
  28. Contacts
      Email: dudarev@licelus.com, kinash@licelus.com
      Twitter: @MikhailDudarev, @ivan_kinash
      Web: http://licelus.com
      DexProtector: http://dexprotector.com