Agenda
● Scenario
● APK - What is it? Is it hackable?
● Sandboxing of Android Processes
● Dalvik VM vs Java VM
● Native vs Non-Native Applications
● CPTs and CPMDs
● Reverse Engineering
● Problem of Hybrid Apps
● Best Practices
● Suggestions
2. Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
APK - What is it? Is it hackable?
Android Package
terminal> unzip edpartners.apk
Reverse engineering (RE) is possible
Sandboxing of Android Processes
● Dedicated Virtual Machine (VM)
● Process Isolation (UID)
● No shared resources
● Kernel protection
Dalvik Virtual Machine
Dalvik VM vs Java VM
● Dalvik VM: Java Source Code → Java Compiler → Java Byte Code → Dex Compiler → Dalvik Byte Code → Dalvik Executable → Dalvik VM
● Java VM: Java Source Code → Java Compiler → Java Byte Code → Java VM
● Build tools: Ant, Gradle
CPTs and CPMDs
● CPTs (Cross-platform Tools): tools that automate the creation of mobile applications.
● CPMDs (Cross-platform to Mobile Development): web-based platforms that enable the creation of mobile applications through CPTs in web browsers.
Native vs Non-Native Applications
● Native: fully Java based. Direct communication with the native API.
● Hybrid: HTML5 based. JavaScript provides a bridge to the native API of the mobile operating system.
● Web: based on HTML5, web services and online content.
Reverse Engineering
● App on phone / app on marketplace → .apk files
● Extract APK (unzip) → resources, .dex files, Manifest
● aapt (Android asset packaging tool) → readable XML
● Dex > jar (dex2jar) → .class files
● Class > java (Java Decompiler) → Java files
● Hybrid apps: unzip → HTML, CSS, JavaScript, images, assets, etc.
Problem of Hybrid Apps
Advantages
● Best user experience
● Portability (multi-platform)
● Cheaper origination costs
● Faster (initial) speed to market
Known Problems
● Weak security (obfuscation, encryption, etc.)
● Weak performance (a bridge is needed)
● Creates a lot of junk
Best Practices
● Well-defined architecture
● Obfuscation
○ Native Apps: ProGuard
○ Hybrid: Google Closure Compiler at the ADVANCED_OPTIMIZATIONS level
● Obfuscation does not solve hardcoded strings
○ Android Keystore System
■ Store keys in Internal Storage
➢ Trusted Execution Environment
○ OAuth2
● JavaScript files made available via remote callbacks
● Minify JavaScript files
Increase the difficulty of the cracking task
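An added example (not from the original slides): a pre-release audit that opens an APK as a zip archive and flags credential-like string literals in a hybrid app's bundled web assets, showing that minified JavaScript still exposes hardcoded strings. The `assets/` layout, the regex patterns and the sample key are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Heuristic patterns for credential-like literals (assumed, not exhaustive).
SECRET_PATTERNS = {
    "assigned secret": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|passw(?:or)?d)\b["']?\s*[:=]\s*["']([^"']{8,})["']"""),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
WEB_EXTENSIONS = (".js", ".html", ".json")


def audit_apk(apk_bytes):
    """Return (entry name, finding label, matched text) for web assets inside an APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Hybrid apps ship their web layer as plain files (assumed here under assets/).
            if not (name.startswith("assets/") and name.lower().endswith(WEB_EXTENSIONS)):
                continue
            text = apk.read(name).decode("utf-8", errors="replace")
            for label, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append((name, label, match.group(0)))
    return findings


def build_sample_apk():
    """Constructed sample: a zip laid out like a hybrid APK, with minified JS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\x00")
        # Minified: identifiers are renamed, but the string literal is untouched.
        apk.writestr("assets/www/js/app.min.js",
                     'var a={b:"https://api.example.invalid",apiKey:"EXAMPLE-NOT-A-REAL-KEY"};'
                     'function c(d){return d+a.b}')
        apk.writestr("assets/www/index.html",
                     "<html><script src='js/app.min.js'></script></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, label, text in audit_apk(build_sample_apk()):
        print(f"{entry}: {label}: {text}")
```

Any finding reported by such a check is a value to move out of the bundle, for example into the Android Keystore System or behind an OAuth2 flow as listed above.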
Suggestions
“Meteor.js: um framework além do MVC”
www.meteor.com
Obfuscation
Android Keystore System
(MinSDK 18, Android 4.3 and higher, and Smartphone support)
https://medium.com/@vashisthg/android-secure-shared-preferences-10f8356a4c2b
https://github.com/ophio/secure-preferences
https://developer.android.com/training/articles/keystore.html#UsingAndroidKeyStore
AWS
Cognito, Lambda, third-party apps, etc.
https://aws.amazon.com/pt/mobile/