Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cracking the Mobile Application Code


Published on

Cracking the Mobile Application Code by Sreenarayan A. at c0c0n - International Cyber Security and Policing Conference

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Cracking the Mobile Application Code

  1. 1. Cracking the Mobile ApplicationCode - Sreenarayan A Paladion Mobile Security Team
  2. 2. Take Away for the day• Purpose of Decompiling Mobile Applications• Methodology of Decompilation• Live Demo’s: – Android App – iOS (iPhone / iPad App) – Blackberry Apps / Nokia App
  3. 3. Why is security relevant for Mobile Platform?• 400% Increase in the number for Organizations Developing Mobile Platform based applications.• 300% Increase in the no of Mobile Banking Applications.• 500% Increase in the number of people using the Mobile Phones for their day to day transactions.• 82% Chances of end users not using their Mobile Phones with proper caution.• 79% Chances of Mobile Phone users Jail Breaking their Phones.• 65% Chances of Mobile Phone users not installing Anti-virus on their Mobile Phones.• 71% Chances of any application to get misused.• 57% Chances of a user losing his sensitive credentials to a hacker.
  4. 4. Market Statistics of Mobile Users
  5. 5. Mobile Market Trends
  6. 6. Different Types of Mobile Applications• WAP Mobile Applications• Native Mobile Applications• Hybrid Mobile Applications
  7. 7. Different Types of Mobile Applications
  8. 8. Different Types of Mobile Architecture
  9. 9. Why did we learn the above types??• Which applications can be Decompiled? – WAP Mobile Applications ? – Native Mobile Applications ? – Hybrid Mobile Applications ?• We have to get to know of the basics!
  10. 10. Cracking the Mobile Application Code
  11. 11. Cracking the Mobile Application Code•What do you mean by Reverse Engineering?•What do you mean by Decompilation? -> What is Compilation?Questions to be answered:•What are the goals/purpose of Cracking the code?•What is the methodology of Decompilation?•What the tools which can be used to Decompile?•Can Decompilation be done on all platforms? 1. ANDROID ? 2. iPHONE / iPAD ? 3. BLACKBERRY ? 4. NOKIA ?
  12. 12. Goal of cracking the Mobile Application Code
  13. 13. Goals of Cracking the Source Code•“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUTTHE LOOPHOLES!”•To find Treasure Key Words (password , keys , sql, algo, AES, DES, Base64,etc)•Figure out the Algorithms Used and their keys.•By-passing the client side checks by rebuilding the app.•E.g. Password in Banking Application (Sensitive Information)•E.g. Angry Birds Malware (Stealing Data)•E.g. Zitmo Malware (Sending SMS)•We have understood the goals, how to achieve them? Methodology.
  14. 14. Methodology of Cracking
  15. 15. Methodology / StudyS1: Gaining access to the executableS2: Understanding the Technology used to code the application.S3: Finding out ways to derive the Object Code from the Executable.S4: Figuring out a way to derive the Class Files from the Object Code.S5: Figuring out a way to derive the Function Definitions from the ObjectCode
  16. 16. JUMP TO DEMO’s
  17. 17. Demo - Reverse Engineer the AndroidApplication•Tools used: -De-compresser (Winrar / Winzip / 7zip) -Dex2jar -Jar Decompiler•Steps 1. .apk -> .dex 2. .dex -> .jar 3. .jar -> .java• Demo• Limitations
  18. 18. Demo - Reverse Engineer the iOS Application•Tools used: -iExplorer -Windows Explorer -oTool -Classdumpz•Steps 1. .app -> Garbage (Object Code) (DVM) 2. Object Code -> .Class• Demo• Limitations
  19. 19. Demo - Reverse Engineer the BlackberryApplication•Tools used: -JD – GUI (Java Decompiler) -Notepad•There are two types of Application files found in Blackberry: 1. .Jar (.jad -> .jar) 2. .Cod (.jad -> .cod (Blackberry Code Files)•Steps 1. .jar -> .java (JD-GUI) Or 1. Notepad to open .cod (No luck!)• Demo• Limitation
  20. 20. Tip - Reverse Engineer the Windows PhoneApplication•Tools used: decompiler -Visual Studio with Windows Phone SDK
  21. 21. Palisade Articles• iOS vs Android Testing• Mobile Data Encryption• Mobile Application Security Testing• Demystifying the Android• And …• Website link:
  22. 22. • Questions and Answers• Quiz• Feedback
  23. 23. Thank YouSreenarayan.india@gmail.comSreenarayan.a@paladion.netTwitter: Ace_Sree