Reverse engineering and instrumentation of android apps


Published on

Our product (Little Eye Labs) is a performance monitoring and optimization tool for Android apps.

We wanted to expose detailed network usage information from the app, and we explored binary instrumentation as a way to do this.

The presentation covers many learnings from the process - what are different reverse engineering tools on android, which ones specifically help with instrumentation, and a link to some of the source code from this process.

Published in: Technology

Reverse engineering and instrumentation of android apps

  1. 1. Reverse engineering and instrumenting android apps Gaurav Lochan Little Eye Labs Friday 13 December 13
  2. 2. Outline Motivation? Instrumentation Guts of an android app Instrumentation approaches Chosen approach Friday 13 December 13
  3. 3. Motivation? Little Eye Measures, Analyzes and helps optimize app resource usage on Android. But network stats are aggregates only Friday 13 December 13
  4. 4. Motivation (2) Needed granular network stats - each endpoint/URL, Latency, Data transferred Considered different approaches Implement a VPN client app Use a proxy Looked at OS stats - didn’t find anything Java debug wire protocol (JDWP) Instrumentation Friday 13 December 13
  5. 5. Instrumentation ie, Rewriting parts of a binary (in this case, android app) Allows us to intercept HTTP calls, with code-level context (parameters, errors) for each call Works on any app Works on practically any android version/device Opens up a lot of exciting possibilities... Friday 13 December 13
  6. 6. Instrumentation (2) Can be: Static or Runtime Examples Android Traceview (startMethodTracing) Android test automation framework iOS instruments Purify (Rational / IBM) JVM -javaagent option AspectJ Friday 13 December 13
  7. 7. Guts of an app Friday 13 December 13
  8. 8. classes.dx Dalvik is the custom android VM (different from JVM) Dex = Dalvik EXecutable format. It’s a custom bytecode format designed for android Build process: compile .java code into .class files dx converts each .class file into .dx representation, and stores them in the single classes.dx all ref’d library code also goes into classes.dex Friday 13 December 13
  9. 9. Reverse engineering tools Smali (by JesusFreke) - dex disassembler ApkTool - decodes resources, repackage app dex2jar - disassembles dex to .class format JD-GUI - Decompiles .class into .java Androguard - Tool for deep analysis of android app ApkAnalyzer - Tool for analysis of app, also supports instrumentation of the app. Friday 13 December 13
  10. 10. Smali: Before Friday 13 December 13
  11. 11. Smali: After Friday 13 December 13
  12. 12. Androguard Friday 13 December 13
  13. 13. ApkAnalyzer Friday 13 December 13
  14. 14. Instrumentation Approaches Explored the following approaches on android Runtime Instrument .class files during build process Instrument .dex file Friday 13 December 13
  15. 15. Runtime instrumentation A JVM allows this - pass in a java.lang.instrumentation (using the -javaagent flag) which can transform class at class-load time Dalvik doesn’t support this It supports passing in a, but that has a limited set of methods, mostly for automated testing Friday 13 December 13
  16. 16. Instrumenting .class files Considered modifying .class files, in two ways: Using the JavaAssist tool/library AspectJ Both are well understood tools, but need to be done at build time Requires a process change, plus not all of our users have access to the build (e.g. 3rd party QA team) Friday 13 December 13
  17. 17. Instrumenting .dex file Found some tools - none of these looked solid enough dexpler - research project redexer - research project apkil - google summer of code project Tried dex2jar to convert .dx into .class - but this is not a reliable method. Fine for reading code (skip the failed conversions), but not for this use case. Friday 13 December 13
  18. 18. Instrumenting .dex file (2) Smali A simple tool that decompiles the .dx into an intermediate format (also known as smali) This is well-used (e.g. ApkTool, ApkAnalyzer, and apkil use it) Active project, well supported by JesusFreke I disassemble an app, modified the smali code, and reassembled and repackaged, and it just worked! Friday 13 December 13
  19. 19. Automating instrumentation Challenges: Need a way to find all the appropriate calls in the app to replace Need to do it without side-effects. Tried many approaches, JesusFreke pointed me to MutableMethod which did what i needed Called my approach Umbreyta (icelandic for transform). Friday 13 December 13
  20. 20. Voila! Friday 13 December 13