AnDevCon: Android Reverse Engineering

1,176 views
917 views

Published on

Slides of the presentation at the AnDevCon: Android Reverse Engineering

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,176
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
34
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

AnDevCon: Android Reverse Engineering

  1. 1. Agenda: -Intro -Purpose -Tools -APK Structure -Obtaining APKs -Decompiling -Manipulation -Repackage/signing -Examples -Prevention !
  2. 2. Ego slide Mobile Developer @ Sixt M. Sc. UCM/RWTH CS Teacher at Alcalá University ! ! ! +EnriqueLópezMañas @eenriquelopez
  3. 3. Reverse Engineering Obtaining source code from a compiled source !
  4. 4. Why Java? -Java code is partially compiled and then interpreted -JVM and opcodes are fixed -Few instructions -No real protection
  5. 5. Why Android? -APKs are easily downloadable -Obfuscation does not happen by default - APK to JAR translation is easy
  6. 6. Legal issues Small set: ! - Don’t decompile, recompile and pass it off as your own - Don’t try to sell it as your own - If License Agreement forbids decompiling, do not decompile -Don’t decompile to remove protection mechanisms
  7. 7. Legal issues US ! - Precedents allowing decompilation ! (Sega vs. Acolade, http://digitallaw-online.info/cases/ 24PQ2D1561.htm)
  8. 8. Legal issues EU (Directive on the Legal Protection of Computer Programs ) - Allows decompilation ! (if you need access to internal calls and authors refuse to divulge API) ! BUT: ! -Only to interface your program -Only if they are not protected
  9. 9. Generally YES: ! - Understand interoperatibility - Create a program interface ! NO: ! - Create a copy and sell it.
  10. 10. Privacy leaks Cheating Code injection Passwords Score manipulation Download from obscure sources Personal data Asset manipulation Unrequested data collection/steal Ads Malware
  11. 11. Educational Interfacing Protection Learning code Creating interfaces Checking our own mistakes! Researching bugs Improving existing resources
  12. 12. Dex2Jar
  13. 13. JD-GUI
  14. 14. JAD
  15. 15. apktool
  16. 16. Eclipse
  17. 17. Java programming (SDK/NDK) Distribution (freely, Google Play or other) Compiling to DEX, running in DVM Package signed as APK
  18. 18. Obtaining APK Converting DEX to Jar Decompiling Java
  19. 19. How to obtain APKs 1.2.3.4.- Pulling from device Using GooglePlay Python API Alternative sources Sniffer transfer
  20. 20. Pulling from device: Connect with USB cable ADB Root
  21. 21. Alternative Sources:
  22. 22. Sniffer:
  23. 23. Google Play Python API:
  24. 24. First unzip
  25. 25. Using dex2jar to create a Jar
  26. 26. Using a Java Decompiler
  27. 27. Some tips: •Look for known strings •Not only code: also XML and resources •Be aware of obfuscation
  28. 28. •Edit and modify resources •Change essential code •SMALI
  29. 29. •Create certificate with JDK Keytool •Sign Jar with JDK jarsigner
  30. 30. •HelloWorld •Crackme •Code injection
  31. 31. Protecting your source [We want] to protect [the] code by making reverse engineering so technically difficult that it becomes impossible or at the very least economically inviable. ! -Christian Collberg,
  32. 32. Idea #1 Writing two versions of the app
  33. 33. Idea #2 Obfuscation When obfu scation is outlawed, only outlaw s will sifj difdm wofiefiemf eifm.
  34. 34. Idea #3 WebServices
  35. 35. Idea #4 FingerPrinting our code
  36. 36. Idea #5 Native methods
  37. 37. Thank you ! + Enrique López Mañas @eenriquelopez

×