Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Decompiling Android

6,047 views

Published on

Decompiling Android presentation from 1DevDay Detroit 2011

Published in: Technology
  • Be the first to comment

Decompiling Android

  1. 1. DECOMPILINGANDROIDGodfrey Nolan1DevDay 11/5/11
  2. 2. Intro• What is a Decompiler?• Why Android?• Decompilers• Protect Yourself• Raising the Bar
  3. 3. SPAM #1
  4. 4. What is a Decompiler• Reverse Engineers apps into source code• Many languages can be decompiled • Java, C#, VB.Net., Visual Basic• Others can only be disassembled • C, C++, Objective-C• Java and .Net particularly at risk • Because of JVM and CLR design• Why use decompilers? • Curiosity, Hacking, Learning, Fair Use
  5. 5. Why Java• Exploits JVM Design • Originally interpreted not compiled • Lots more symbolic information than binaries • Data and method separation • Simple classfile structure • Very few opcodes
  6. 6. Why Java
  7. 7. Why Java Classfile { int magic, short minor_version, short major_version, short constant_pool_count, cp_info constant_pool[constant_pool_count], short access_flags, short this_class, short super_class, short interfaces_count, interface_info interfaces[interfaces_count], short fields_count, field_info fields[field_count], short methods_count, method_info methods[methods_count], short attribute_count, attr_info attributes[attributes_count] }
  8. 8. Why Java
  9. 9. Why Android• Client side code• Easy access to apk’s • Download apk to sd card using Astro File Mgr • Download from xdadevelopers forum • Download using ‘adb pull’ on jailbroken phone• Nobody is using obfuscation • 1 out of 20 apks downloaded were protected• Easy to convert apk to Java to decompile
  10. 10. Why Android
  11. 11. Why Androidjava –jar dex2jar.jar com.riis.mobile.apkjd-gui com.riis.mobile.apk.dex2jar
  12. 12. Why Android• Dex file • Different structure • Different opcodes • Register based not stack based • Multiple JVMs on device
  13. 13. Why Android
  14. 14. Why Android
  15. 15. Why not iPhone?• Objective-C • Compiled not interpreted • Much less information • Fat binaries approach• Can still be disassembled • strings and otool unix commands • Other tools like IDA Pro
  16. 16. Why Android• Jailbreak/Root phone • Use Z4Root • Uses RageAgainstTheCage Trojan exploit • Not available on Android Marketplace ;-)• Using Android SDK platform tools • Turn on USB debugging • Find apk using adb shell • Download using adb pull
  17. 17. Why Android
  18. 18. Why Android• Even easier is the apk-tool• Install APK-tool • Download apk • Right click
  19. 19. Decompilers• Jive• Mocha• JAD• SourceAgain• JD-GUI
  20. 20. Possible Exploits• Web Service API keys exposed• Database logins• Credit Card information• Fake apps
  21. 21. Possible Exploits
  22. 22. Possible Exploits
  23. 23. Possible Exploitspublic static final String USER_NAME = "BC7E9322-0B6B-4C28B4";public static final String PASSWORD = "waZawuzefrabru96ebeb";
  24. 24. Protect Yourself• Protect code before releasing • Hard to recover once it’s been made available• Obfuscators • ProGuard • DashO• Native Code • Use C++ and JNI • 99.99% of Android devices run on ARM processor • Use digital signature checking to protect lib
  25. 25. Protect Yourself• ProGuard: • Detects and removes unused classes, fields, methods, and attributes. • Optimizes bytecode and removes unused instructions. • Renames remaining classes, fields, and methods using short meaningless names. • Preverifies the processed code for Java.• Enable in default.properties files • proguard.config=proguard.cfg
  26. 26. Protect Yourself• DashO (basic): • Improvement over ProGuards naming by using strange characters and heavily reusing the same names at different scopes. • Does much more involved control flow obfuscation than ProGuard, reordering code operations to make them very difficult to understand and often breaking decompilers. • Supports string encryption to render important string data unreadable to attackers.
  27. 27. Protect Yourself• DashO (advanced): • Supports tamper detection, handling, and reporting to prevent users from changing the compiled code, even while debugging, and to alert you if it happens. • Can automatically inject Preemptives Runtime Intelligence functionality for remote error reporting.
  28. 28. Protect Yourself• DashO demo
  29. 29. Protect Yourself - Decompiled
  30. 30. Protect Yourself - ProGuard
  31. 31. Protect Yourself – DashO
  32. 32. Protect Yourself – JNIjstring Java_com_getPassword(JNIEnv* env, jobject thiz){ char *password = “waZawuzefrabru96ebeb”; return (*env)->NewStringUTF(env, password);}
  33. 33. Protect Yourself – JNI
  34. 34. Protect Yourself – JNI
  35. 35. Links• http://viralpatel.net/blogs/2009/01/tutorial-java-class-file- format-revealed.html• http://code.google.com/p/z4root/• http://code.google.com/p/android-apktool/• http://www.dalvikvm.com/
  36. 36. Raising the Bar• APK’s are available• Tools are easy to use• Turn on ProGuard• Investigate other obfuscators• Hide keys using JNI• Don’t put sensitive information unencrypted in APKs
  37. 37. SPAM #2• RIIS LLC • Southfield, MI• Clients • Fandango • DTE • Comerica • BCBSM• Mobile Development • DTE Outage Maps • Broadsoft Front Office Assistant• Contact Information • godfrey@riis.com

×