Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Protecting Source Code

7,626 views

Published on

Godfrey Nolan's class on Protecting Android Source code at AnDevCon 2012

Published in: Technology
  • Nice PPT. But I think online protect shell is more convenient, such as www.apkprotect.com.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Protecting Source Code

  1. 1. Godfrey Nolan
  2. 2.  Hear no evil, see no evil Decompiling APK demo Raising the bar
  3. 3.  Easy access to APKs APK design Nobody using obfuscation
  4. 4.  According to DuoSecurity  Over 50% of Android phones are rootable  See Xray.io for more information Vulnerabilities  ASHMEM  Exploid  Gingerbreak  Levitator  Memoproid  etc.
  5. 5.  Logins  API keys Credit card information Fake apps
  6. 6.  sdcard Rooting phone Download from forums
  7. 7.  Obfuscation Android NDK SQLCipher for SQLite Google Closure for JavaScript in HTML5/CSS Don’t use keys - login each time Break tools  Dex2Jar and Baksmali Google Encryption in Jelly Bean (RIP) Hide key info elsewhere (see resources)
  8. 8.  Obfuscation Theory  Layout  Control  Data
  9. 9. Obfuscation Type Classification TransformationLayout Scramble identifiers.Control Computations Insert dead or irrelevant code. Extend a loop condition. Reducible to non-reducible. Add redundant operands. Remove programming idioms. Parallelize code. Aggregations Inline and outline methods. Interleave methods. Clone methods. Loop transformations. Ordering Reorder statements. Reorder loops. Reorder expressions.Data Storage and encoding Change encoding. Split variables. Convert static data to procedural data. Aggregation Merge scalar variables. Factor a class. Insert a bogus class. Refactor a class. Split an array. Merge arrays. Fold an array. Flatten an array. Ordering Reorder methods and instance variables. Reorder arrays.
  10. 10.  Obfuscators  ProGuard and DexGuard  DashO
  11. 11.  Application size Performance Remove logging, debugging, testing code Protection
  12. 12.  At the bytecode level  Dead code elimination  Constant propagation  Method Inlining  Class Merging  Remove logging code  Peephole optimizations  Devirtualization
  13. 13.  Nothing is unbreakable, you can raise the bar:  Reflection  String encryption  Class encryption  Tamper detection  Debug detection  Emulator detection
  14. 14.  Bug fixing Unit testing Obfuscation = defactoring
  15. 15.  WordPress  ProGuard & DexGuard  DashO  HoseDex2Jar NDK
  16. 16.  DexToXML DexToSource Giveaway  What does Dex stand for?
  17. 17. http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdfhttps://www.pcisecuritystandards.org/security_standards/documents.php?document=mobile_payment_security_guidelines1http://xray.iohttp://www.netmite.com/android/mydroid/dalvik/docs/dalvik-bytecode.htmlhttp://source.android.com/tech/dalvik/dex-format.htmlhttp://pallergabor.uw.hu/androidblog/dalvik_opcodes.htmlhttp://www.saikoa.com/dexguardhttp://www.preemptive.com/products/dasho/overviewhttp://android.wordpress.org/development/http://selinuxproject.org/page/SEAndroid
  18. 18.  http://www.decompilingandroid.com @decompiling godfrey@riis.com http://www.riis.com

×