Decompiling Android


Published on

Decompiling Android presentation from 1DevDay Detroit 2011

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Gave similar talk last year – not such a big issueDid it more as a favor for DavidThis year couldn’t be more different
  • Decompiling Android – coming in the Spring 2012 also from ApressDecompiling Java will also be translated into another languageNot very high selling book, expect DA to do better
  • Moral issues
  • Before we can say why Android, have to ask Why Java first
  • Java Classfile Structure.
  • Book didn’t sell because java code is server sideno access => no decompilation
  • We’ll be showing you how to do this manually a bit later
  • Works best on Android 2.2, but you can still load it manuallyAnti-Virus on your PC will probably complain ----- Meeting Notes (11/4/11 16:28) -----Do adb demo
  • chmod 777
  • Provides all assetsReverse engineers manifest.xmlGets phonegap and titanium code too----- Meeting Notes (11/4/11 16:28) -----smali and baksmali
  • Fake apps like recent Netflix app
  • Web Service API keys
  • Titanium and PhoneGapjavascript code visible using one click apk-tool
  • May need to change APIs
  • Goto considered harmful
  • Decompiled
  • ProGuard
  • DashO
  • Decompiling Android

    1. 1. DECOMPILINGANDROIDGodfrey Nolan1DevDay 11/5/11
    2. 2. Intro• What is a Decompiler?• Why Android?• Decompilers• Protect Yourself• Raising the Bar
    3. 3. SPAM #1
    4. 4. What is a Decompiler• Reverse Engineers apps into source code• Many languages can be decompiled • Java, C#, VB.Net., Visual Basic• Others can only be disassembled • C, C++, Objective-C• Java and .Net particularly at risk • Because of JVM and CLR design• Why use decompilers? • Curiosity, Hacking, Learning, Fair Use
    5. 5. Why Java• Exploits JVM Design • Originally interpreted not compiled • Lots more symbolic information than binaries • Data and method separation • Simple classfile structure • Very few opcodes
    6. 6. Why Java
    7. 7. Why Java Classfile { int magic, short minor_version, short major_version, short constant_pool_count, cp_info constant_pool[constant_pool_count], short access_flags, short this_class, short super_class, short interfaces_count, interface_info interfaces[interfaces_count], short fields_count, field_info fields[field_count], short methods_count, method_info methods[methods_count], short attribute_count, attr_info attributes[attributes_count] }
    8. 8. Why Java
    9. 9. Why Android• Client side code• Easy access to apk’s • Download apk to sd card using Astro File Mgr • Download from xdadevelopers forum • Download using ‘adb pull’ on jailbroken phone• Nobody is using obfuscation • 1 out of 20 apks downloaded were protected• Easy to convert apk to Java to decompile
    10. 10. Why Android
    11. 11. Why Androidjava –jar dex2jar.jarjd-gui
    12. 12. Why Android• Dex file • Different structure • Different opcodes • Register based not stack based • Multiple JVMs on device
    13. 13. Why Android
    14. 14. Why Android
    15. 15. Why not iPhone?• Objective-C • Compiled not interpreted • Much less information • Fat binaries approach• Can still be disassembled • strings and otool unix commands • Other tools like IDA Pro
    16. 16. Why Android• Jailbreak/Root phone • Use Z4Root • Uses RageAgainstTheCage Trojan exploit • Not available on Android Marketplace ;-)• Using Android SDK platform tools • Turn on USB debugging • Find apk using adb shell • Download using adb pull
    17. 17. Why Android
    18. 18. Why Android• Even easier is the apk-tool• Install APK-tool • Download apk • Right click
    19. 19. Decompilers• Jive• Mocha• JAD• SourceAgain• JD-GUI
    20. 20. Possible Exploits• Web Service API keys exposed• Database logins• Credit Card information• Fake apps
    21. 21. Possible Exploits
    22. 22. Possible Exploits
    23. 23. Possible Exploitspublic static final String USER_NAME = "BC7E9322-0B6B-4C28B4";public static final String PASSWORD = "waZawuzefrabru96ebeb";
    24. 24. Protect Yourself• Protect code before releasing • Hard to recover once it’s been made available• Obfuscators • ProGuard • DashO• Native Code • Use C++ and JNI • 99.99% of Android devices run on ARM processor • Use digital signature checking to protect lib
    25. 25. Protect Yourself• ProGuard: • Detects and removes unused classes, fields, methods, and attributes. • Optimizes bytecode and removes unused instructions. • Renames remaining classes, fields, and methods using short meaningless names. • Preverifies the processed code for Java.• Enable in files • proguard.config=proguard.cfg
    26. 26. Protect Yourself• DashO (basic): • Improvement over ProGuards naming by using strange characters and heavily reusing the same names at different scopes. • Does much more involved control flow obfuscation than ProGuard, reordering code operations to make them very difficult to understand and often breaking decompilers. • Supports string encryption to render important string data unreadable to attackers.
    27. 27. Protect Yourself• DashO (advanced): • Supports tamper detection, handling, and reporting to prevent users from changing the compiled code, even while debugging, and to alert you if it happens. • Can automatically inject Preemptives Runtime Intelligence functionality for remote error reporting.
    28. 28. Protect Yourself• DashO demo
    29. 29. Protect Yourself - Decompiled
    30. 30. Protect Yourself - ProGuard
    31. 31. Protect Yourself – DashO
    32. 32. Protect Yourself – JNIjstring Java_com_getPassword(JNIEnv* env, jobject thiz){ char *password = “waZawuzefrabru96ebeb”; return (*env)->NewStringUTF(env, password);}
    33. 33. Protect Yourself – JNI
    34. 34. Protect Yourself – JNI
    35. 35. Links• format-revealed.html•••
    36. 36. Raising the Bar• APK’s are available• Tools are easy to use• Turn on ProGuard• Investigate other obfuscators• Hide keys using JNI• Don’t put sensitive information unencrypted in APKs
    37. 37. SPAM #2• RIIS LLC • Southfield, MI• Clients • Fandango • DTE • Comerica • BCBSM• Mobile Development • DTE Outage Maps • Broadsoft Front Office Assistant• Contact Information •
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.