Inside DVM
Basics

Nick Bova
@mykola_bova
Nov 14 2013
Inside Dvm basics

  1. Inside DVM Basics. Nick Bova, @mykola_bova, Nov 14 2013
  2. Why is Java vulnerable?
     1. For portability, Java code is partially compiled and then interpreted by the JVM.
     2. Java’s compiled classes contain a lot of symbolic information for the JVM.
     3. The JVM is a simple stack machine.
     4. Standard applications have no real protection against decompilation.
  3. Why are Android apps vulnerable?
     1. There are multiple easy ways to gain access to Android APKs.
     2. It’s simple to translate an APK to a Java jar file for subsequent decompilation.
     3. One-click decompilation is possible, using tools such as apktool.
     4. APKs are shared on hacker forums.
  4. Legal Issues to Consider When Decompiling: Does the end justify the means?
  5. Legal Issues to Consider When Decompiling
     1. Don’t decompile an APK, recompile it, and then pass it off as your own.
     2. Don’t even think of trying to sell a recompiled APK to any third parties.
     3. Try not to decompile an APK or application that comes with a license agreement that expressly forbids decompiling or reverse-engineering the code.
     4. Don’t decompile an APK to remove any protection mechanisms and then recompile it for your own personal use.
  6. Protecting Yourself (Protection schemes). Protection schemes in your code: Spreading protection schemes throughout your code (such as checking whether the phone is rooted) is useless because the schemes can be commented out of the decompiled code.
  7. Protecting Yourself (Obfuscation). Obfuscation: Obfuscation replaces the method names and variable names in a class file with weird and wonderful names. This can be an excellent deterrent, but the source code is often still visible, depending on your choice of obfuscator.
  8. Protecting Yourself (Server-side code). Server-side code: The safest protection for APKs is to hide all the interesting code on the web server and only use the APK as a thin front-end GUI. This has the downside that you may still need to hide an API key somewhere to gain access to the web server.
  9. Protecting Yourself (Native code). Native code: The Android Native Development Kit (NDK) allows you to hide password information in C++ files that can be disassembled but not decompiled and that still run on top of the DVM. Done correctly, this technique can add a significant layer of protection.
  10. Protecting Yourself (Encryption). Encryption can also be used in conjunction with the NDK to provide an additional layer of protection from disassembly, or as a way of passing public and private key information to any backend web server.
  11. Protecting Yourself: What else?
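
Slides 2, 7 and 8 in code, as an added example that is not part of the original deck: a Python parser for the constant pool of a Java class file, run over two constructed samples, one with plain names and one renamed the way an obfuscator would. The class, method, field and key values are made up, and each sample holds only the class-file header and constant pool.

```python
import struct

# Payload sizes of fixed-width constant-pool entries, keyed by tag (JVM spec 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8(text):
    """Encode one CONSTANT_Utf8 entry: tag 1, u2 length, bytes."""
    raw = text.encode()
    return struct.pack(">BH", 1, len(raw)) + raw

def build_sample(cls, method, field, literal):
    """Constructed input: class-file header plus constant pool only."""
    pool = [utf8(cls), struct.pack(">BH", 7, 1),        # #1, #2 Class -> #1
            utf8(method), utf8("()Z"),                  # #3, #4
            utf8(field), utf8("Ljava/lang/String;"),    # #5, #6
            utf8(literal), struct.pack(">BH", 8, 7)]    # #7, #8 String -> #7
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(pool) + 1) + b"".join(pool)

def symbols(data):
    """Return class names, string literals and all other Utf8 names in the pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    texts, class_refs, string_refs = {}, [], []
    off, idx = 10, 1                      # pool starts after the 10-byte header
    while idx < count:
        tag, off = data[off], off + 1
        if tag == 1:
            (size,) = struct.unpack_from(">H", data, off)
            # Modified UTF-8; plain UTF-8 decoding is enough for ASCII names.
            texts[idx] = data[off + 2:off + 2 + size].decode("utf-8", "replace")
            off += 2 + size
        elif tag in FIXED:
            if tag in (7, 8):             # Class and String point at a Utf8 entry
                (ref,) = struct.unpack_from(">H", data, off)
                (class_refs if tag == 7 else string_refs).append(ref)
            off += FIXED[tag]
            idx += tag in (5, 6)          # long/double occupy two pool slots
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 1
    used = set(class_refs) | set(string_refs)
    return {"classes": [texts[i] for i in class_refs],
            "literals": [texts[i] for i in string_refs],
            "names": [t for i, t in texts.items() if i not in used]}

plain = symbols(build_sample("com/example/LicenseCheck", "isDeviceRooted",
                             "apiKey", "EXAMPLE-KEY-0000"))
renamed = symbols(build_sample("a/a", "a", "b", "EXAMPLE-KEY-0000"))
```

In the renamed sample the identifiers are gone from `names` and `classes`, but the string literal is unchanged in `literals`.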
