
Reverse engineering android apps


With the growth of the app market it is essential to guard our Android apps against possible threats. In this presentation we walk through the tools and techniques someone can use to reverse engineer an Android app, and see how they can get access to the app's DB, code, API and preferences.

We will also see different tools and techniques to guard our app against these threats, from code obfuscation with tools like DexGuard to newer methods like verification of API calls using Google Play Services.

This session was given at Barcamp Bangalore 13 (http://barcampbangalore.org/bcb/bcb13/reverse-engineering-an-android-app-securing-your-android-apps-against-attacks)
and at the Bangalore Android User Group January meetup (http://www.meetup.com/blrdroid/events/100360682/).

Published in: Technology


  1. Securing Your Android Apps. By Pranay Airan, @pranayairan
  2. Pranay Airan: web application developer @Intuit; Android developer by choice; assistant organizer, Blrdroid; @pranayairan
  3. Agenda: current threats; code protection tools; code analysis tools; Android app build process; how to disassemble; different protection techniques
  4. Current threats: stealing app code; stealing app assets; unauthorized API access; stealing the app DB; repackaging and selling; malware and viruses; piracy
  5. Code protectors: ProGuard, DexGuard, Java obfuscators
  6. Code analysis tools: dex2jar, smali, IDA Pro, dexdump
  7. Android application build process: .java files -> Java compiler -> .class files -> obfuscator -> jar -> dx tool -> .dex files -> obfuscator -> APK builder (together with resource files and .so files) -> signer -> .apk file. Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
  8. Reverse engineering an app
  9. Federal offence: use these methods ethically. This can be used on your own apps.
  10. Let's disassemble: app on phone -> APK Extractor -> .apk file -> extract the APK -> images, DB, assets etc.; AAPT -> readable resources (manifest, XML); .dex files -> dex2jar -> .class files -> class to java -> Java files
  11. Code protection with ProGuard: obfuscation, shrinker, optimization. Using ProGuard in Android.
  12. Reversed APK with ProGuard
  13. Reversed APK with DexGuard
  14. Other techniques: junk byte insertion, dynamic code loading, self-modifying code, obfuscation at dex level. Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
  15. API protection with Google Play Services: your app asks GoogleAuthUtil for a token for your client id (scope audience:server:client_id:9414861317621.apps.googleusercontent.com); the app sends the token plus your parameters to your backend; the backend verifies the token signature and fields (access token verification against Google) before serving the call
  16. API protection: hide URL and parameters; use HTTPS (self-signed will work); use time and encoding in parameters; use a User-Agent identifier
  17. DB protection: hash your data; 3rd-party DB encryption like SQLCipher; string encryption
  18. To sum up: nothing is foolproof; don't give away your code just like that; use ProGuard to protect your code; use Google API verification for sensitive backend calls
  19. Questions ??
  20. Thank you. Pranay.airan@iiitb.net, @pranayairan, http://goo.gl/okiJp
  21. Useful links:
     • http://www.honeynet.org/downloads/Android.tar.gz
     • http://proguard.sourceforge.net/index.html#manual/examples.html
     • http://code.google.com/p/dex2jar/
     • http://code.google.com/p/android-apktool/
     • http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
     • http://sqlcipher.net/sqlcipher-for-android/
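The client half of the API-protection flow on slide 15, written out as an added example (this is not code from the slides or from the speaker): the app requests a Google ID token scoped to the backend's client id through GoogleAuthUtil and sends it with the request over HTTPS. Assumptions: the Google Play Services auth library is on the classpath, the manifest grants GET_ACCOUNTS and INTERNET, and the package name, `SERVER_CLIENT_ID`, `BACKEND_URL` and the `Authorization` header convention are placeholders to be replaced by your own values. The backend side is described in comments only; it has to verify the token before trusting anything in it.

```java
// Added example, not the presentation's own code.
// Obtains a Google ID token bound to the backend's client id and posts a request
// with it; the backend verifies the token before serving sensitive calls.
package com.example.apiprotection; // hypothetical package

import android.app.Activity;
import android.os.AsyncTask;
import android.util.Log;

import com.google.android.gms.auth.GoogleAuthException;
import com.google.android.gms.auth.GoogleAuthUtil;
import com.google.android.gms.auth.UserRecoverableAuthException;

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.Charset;

public class VerifiedBackendCall extends AsyncTask<Void, Void, Integer> {
    private static final String TAG = "VerifiedBackendCall";
    private static final int REQUEST_AUTHORIZATION = 1001;

    // Placeholder: the web (server) client id of YOUR backend from the API console.
    private static final String SERVER_CLIENT_ID =
            "YOUR_SERVER_CLIENT_ID.apps.googleusercontent.com";
    // This scope asks Play Services for an ID token whose "aud" claim is
    // SERVER_CLIENT_ID, so a token stolen from the app cannot be replayed
    // against a different audience.
    private static final String SCOPE = "audience:server:client_id:" + SERVER_CLIENT_ID;
    // Placeholder backend endpoint; must be HTTPS (slide 16).
    private static final String BACKEND_URL = "https://backend.example.com/api/sensitive";

    private final Activity activity;
    private final String accountName; // chosen by the user via the account picker
    private final String body;        // request parameters, already URL-encoded

    public VerifiedBackendCall(Activity activity, String accountName, String body) {
        this.activity = activity;
        this.accountName = accountName;
        this.body = body;
    }

    @Override
    protected Integer doInBackground(Void... unused) {
        final String idToken;
        try {
            // Blocking call, so it runs here, off the UI thread.
            idToken = GoogleAuthUtil.getToken(activity, accountName, SCOPE);
        } catch (final UserRecoverableAuthException e) {
            // First use: the user must consent; Play Services supplies the Intent.
            activity.runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    activity.startActivityForResult(e.getIntent(), REQUEST_AUTHORIZATION);
                }
            });
            return null;
        } catch (GoogleAuthException e) {
            Log.e(TAG, "Unrecoverable auth error", e);
            return null;
        } catch (IOException e) {
            Log.e(TAG, "Network error while fetching token", e);
            return null;
        }
        try {
            return postWithToken(idToken, body);
        } catch (IOException e) {
            Log.e(TAG, "Backend call failed", e);
            return null;
        }
    }

    // Sends the token in a header over HTTPS. The backend (not shown here) must
    // check the token's signature against Google's published certificates, that
    // "aud" equals SERVER_CLIENT_ID, and that it has not expired, before it
    // trusts the "email"/"sub" claims and serves the request.
    static int postWithToken(String idToken, String body) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(BACKEND_URL).openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Authorization", "Bearer " + idToken);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            OutputStream out = conn.getOutputStream();
            out.write(body.getBytes(Charset.forName("UTF-8")));
            out.close();
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

Usage: `new VerifiedBackendCall(this, accountName, "amount=10").execute();` from an Activity after the user has picked an account. The point of the design is that the secret never lives in the APK: an attacker who reverses the app learns the client id and the URL, but the backend only accepts calls carrying a token that Google signed for that exact audience, which is what slide 18 recommends for sensitive backend calls.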
