SlideShare a Scribd company logo

ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019

B
Boonpoj Thongakaraniroj

MiSSConf(SP5)2019 Topic: ANTI-ANTI-CODE-MODIFICATION Date: 06/07/2019 Reference: https://missconf.github.io/SP5

Technology
1 of 34
Download to read offline
© 2019 Secure D Center Co.,Ltd ANTI ANTI-CODE MODIFICATION Boonpoj Thongakaraniroj, Secure D Center MiSSConf [SP5] 6 July 19
© 2019 Secure D Center Co.,Ltd About Secure D We operate across the ASEAN region with offices established in Kuala Lumpur, Malaysia and Bangkok, Thailand. We are independent and committed to your long-term goals by bringing a fresh, independent perspective, high passion to do an outstanding job and delivering cost-effective, innovation and high value services using global methodology and framework with our best cyber expertise certified by well-known cyber security certifications. We trust you will recognize our pragmatic ‘hands on’ style in the way we have structured our team, our approach and our deliverables. Our approach is based on the simple notion that the success of this project is measured by the results obtained and not just successful completion. Kuala Lumpur, Malaysia Bangkok, Thailand
© 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification
© 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Code Modification in Context of Mobile Application What is Mobile Application ? q A mobile app or mobile application is a computer program or software application designed to run on a mobile device such as a phone/tablet or watch. q The PC software threats are applicable for Mobile application
© 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Case study for Binary patching (Code Modification)
© 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Case study for Binary patching (Code Modification)
© 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Anti-Code Modification is the risk mitigration Anti-Code Modification q Static § Code Obfuscation (Normally, Developer use ProGuard) § Anti-Patching q Dynamic § Anti-Frida § Anti-Debugging Code Modification q Static § Understand app logic flow § Modify app logic flow or malware in order to rebuild the app and contribute outside Google Play Store q Dynamic § Using Frida script to trace the application at runtime to determine loaded class/method in order to override method (Method Swizzling) for app manipulation § Understand app at the run-time using debugging technique in order to manipulate the logic
© 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Dangerous Mindsets q We don’t need to protect on server-side since the application is protected via Anti-code modification q We have an End-to-end encryption on application, Nobody can manipulate the data over HTTP(s) q We use ProGuard for binary obfuscation, Nobody can understand our application logic q We have root detection, Rooted device cannot run our application q We also have Anti-patching and Anti-Debugging solution, Nobody can modify or manipulate the data our application at the runtime q We deploy Google SafetyNet then we are SAFE !!
© 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection
© 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Code Obfuscation Original Source Code Minified using ProGuard
© 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Native Code in Action What is Native Code? q C/C++ code is compiled to machine code “.so” q Much faster than Java/Dalvik components q Hard to reverse more than on Java or Kotlin code Source: https://developer.android.com/ndk/guides/concepts https://docs.google.com/presentation/d/1r_DVzjCXw4gUum_WkRTzeivAnIArf8bw_q-rI0ywOSs/edit#slide=id.g47dd89f423_0_7
© 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Native Code in Action Source: https://developer.android.com/ndk/guides/concepts https://docs.google.com/presentation/d/1r_DVzjCXw4gUum_WkRTzeivAnIArf8bw_q-rI0ywOSs/edit#slide=id.g47dd89f423_0_7
© 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Anti-Patching What is Patching ? q Binary patching is one of the techniques used to alter the application functionalities. q Binary patching on Android can be achieved by modification of disassembled code in .smali or .so file(s). Extracting & Disassembling Modifying Smali or .so files Repackaging Signing APK file
© 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Anti-Patching Instruction of Intel x86
© 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Anti-Patching Example Code Flow of Application
© 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection DEMO q Bypassing Root detection (RootBeer Library) q Bypassing Code Patching Check
© 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection
© 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection Anti-Frida What is Frida ? q Frida is hugely popular with Android reverse engineers, and for good reason: It offers runtime access to pretty much everything one could dream of, from raw memory and native functions to Java object instances. Client Server
© 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection Anti-Frida Example Code Flow of Application
© 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection Anti-Debugging What is JDWP ? q The Java Debug Wire Protocol (JDWP) is the protocol used for communication between a debugger and the Java virtual machine (VM) q A JDWP debugger allows you to: § step through Java code § set breakpoints on Java methods § inspect and modify local and instance variables. Source: https://docs.oracle.com/javase/8/docs/technotes/guides/jpda/jdwp-spec.html https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md JDWP Debugger Device USB
© 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection Anti-Debugging Example Code Flow of Application
© 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection DEMO q Bypassing Frida detection q Bypassing Anti-Debugging detection
© 2019 Secure D Center Co.,Ltd Google SafetyNet
© 2019 Secure D Center Co.,Ltd Google SafetyNet Definition What is Google SafetyNet ? q SafetyNet provides a set of services and APIs that help protect your app against security threats, including device tampering, bad URLs, potentially harmful apps, and fake users. q The SafetyNet Attestation API provides a cryptographically- signed attestation, assessing the device's integrity. In order to create the attestation, the API examines the device's software and hardware environment, looking for integrity issues, and comparing it with the reference data for approved Android devices. The generated attestation is bound to the nonce that the caller app provides. The attestation also contains a generation timestamp and metadata about the requesting app. Source: https://developer.android.com/training/safetynet/attestation
© 2019 Secure D Center Co.,Ltd Google SafetyNet Anti-SafetyNet SNetKiller (https://github.com/iGio90/SNetKiller) q The app uses Frida to inject an agent into google services and prevent it to access certain files. q com.google.android.gms
© 2019 Secure D Center Co.,Ltd Google SafetyNet Anti-SafetyNet SNetKiller (https://github.com/iGio90/SNetKiller)
© 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase
© 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing Type of Google Play Billing q One-time product q Rewarded product q Subscription Source: https://mulliner.org/collin/publications/asia226-mulliner.pdf Rogue Proxy App
© 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing Google Recommendation Source: https://developer.android.com/google/play/billing/billing_library_overview
© 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing Library q Prime31 q Unity
© 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing VerifyPurchase method
© 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing Verify method
© 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase DEMO q Bypassing InApp Purchase
© 2019 Secure D Center Co.,Ltd Thank You Contact us: info@secure-d.tech

Recommended

Android App Development - Factors to be Considered Before Outsourcing
Android App Development - Factors to be Considered Before OutsourcingAndroid App Development - Factors to be Considered Before Outsourcing
Android App Development - Factors to be Considered Before OutsourcingSara Suarez
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without BoundariesPing Identity
 
Creating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your CustomersCreating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your CustomersCA Technologies
 
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019 Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019 Amazon Web Services
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfFuGenx Technologies
 
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...Martin Klie
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application EconomyCA Technologies
 

Recommended

Android App Development - Factors to be Considered Before Outsourcing
Android App Development - Factors to be Considered Before OutsourcingAndroid App Development - Factors to be Considered Before Outsourcing
Android App Development - Factors to be Considered Before OutsourcingSara Suarez
 
Managing Identity without Boundaries
Managing Identity without BoundariesManaging Identity without Boundaries
Managing Identity without BoundariesPing Identity
 
Creating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your CustomersCreating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your CustomersCA Technologies
 
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019 Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019 Amazon Web Services
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfFuGenx Technologies
 
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...Martin Klie
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application EconomyCA Technologies
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 
5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer AppsCA API Management
 
Building Secure Android Apps for Lahore_ A Guide to Best Practices.pdf
Building Secure Android Apps for Lahore_ A Guide to Best Practices.pdfBuilding Secure Android Apps for Lahore_ A Guide to Best Practices.pdf
Building Secure Android Apps for Lahore_ A Guide to Best Practices.pdfAD Techlogix - Website & Mobile App Development Company
 
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...AWS User Group - Thailand
 
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Amazon Web Services
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksSAP Customer Experience
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityDistil Networks
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksPrathan Phongthiproek
 
Our Journey of Mobile App Development for Vodafone Idea | iProgrammer
Our Journey of Mobile App Development for Vodafone Idea | iProgrammerOur Journey of Mobile App Development for Vodafone Idea | iProgrammer
Our Journey of Mobile App Development for Vodafone Idea | iProgrammeriProgrammer Solutions
 
The Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone ElseThe Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone ElseGreg Kliewer
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...CA API Management
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowNarola Infotech
 
Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobesiTrobes
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Amazon Web Services
 
FMDlite app to support Falsified Medicines Directive in UK
FMDlite app to support Falsified Medicines Directive in UKFMDlite app to support Falsified Medicines Directive in UK
FMDlite app to support Falsified Medicines Directive in UKKalpen Shah
 
The Cloud Challenge
The Cloud ChallengeThe Cloud Challenge
The Cloud ChallengeVMware Tanzu
 
PiTechnologies Company Profile
PiTechnologies Company ProfilePiTechnologies Company Profile
PiTechnologies Company ProfilePiTechnologies
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Jason Jolley
 
Mobile Protection Application Development
Mobile Protection Application Development Mobile Protection Application Development
Mobile Protection Application Development Sigma Infosolutions, LLC
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

More Related Content

Similar to ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019

Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 
5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer AppsCA API Management
 
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...AWS User Group - Thailand
 
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Amazon Web Services
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksSAP Customer Experience
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityDistil Networks
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksPrathan Phongthiproek
 
Our Journey of Mobile App Development for Vodafone Idea | iProgrammer
Our Journey of Mobile App Development for Vodafone Idea | iProgrammerOur Journey of Mobile App Development for Vodafone Idea | iProgrammer
Our Journey of Mobile App Development for Vodafone Idea | iProgrammeriProgrammer Solutions
 
The Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone ElseThe Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone ElseGreg Kliewer
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...CA API Management
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowNarola Infotech
 
Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobesiTrobes
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Amazon Web Services
 
FMDlite app to support Falsified Medicines Directive in UK
FMDlite app to support Falsified Medicines Directive in UKFMDlite app to support Falsified Medicines Directive in UK
FMDlite app to support Falsified Medicines Directive in UKKalpen Shah
 
The Cloud Challenge
The Cloud ChallengeThe Cloud Challenge
The Cloud ChallengeVMware Tanzu
 
PiTechnologies Company Profile
PiTechnologies Company ProfilePiTechnologies Company Profile
PiTechnologies Company ProfilePiTechnologies
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Jason Jolley
 
Mobile Protection Application Development
Mobile Protection Application Development Mobile Protection Application Development
Mobile Protection Application Development Sigma Infosolutions, LLC
 

Similar to ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019 (20)

Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
 
5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps
 
Building Secure Android Apps for Lahore_ A Guide to Best Practices.pdf
Building Secure Android Apps for Lahore_ A Guide to Best Practices.pdfBuilding Secure Android Apps for Lahore_ A Guide to Best Practices.pdf
Building Secure Android Apps for Lahore_ A Guide to Best Practices.pdf
 
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
AWS Meetup: Career Day 2019 - Lightning Talk with Cloud Career Path: DevOps E...
 
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from Cyberattacks
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API Security
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application Attacks
 
Our Journey of Mobile App Development for Vodafone Idea | iProgrammer
Our Journey of Mobile App Development for Vodafone Idea | iProgrammerOur Journey of Mobile App Development for Vodafone Idea | iProgrammer
Our Journey of Mobile App Development for Vodafone Idea | iProgrammer
 
The Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone ElseThe Business of APIs, an Introduction for Everyone Else
The Business of APIs, an Introduction for Everyone Else
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should Know
 
Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobes
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
 
FMDlite app to support Falsified Medicines Directive in UK
FMDlite app to support Falsified Medicines Directive in UKFMDlite app to support Falsified Medicines Directive in UK
FMDlite app to support Falsified Medicines Directive in UK
 
The Cloud Challenge
The Cloud ChallengeThe Cloud Challenge
The Cloud Challenge
 
PiTechnologies Company Profile
PiTechnologies Company ProfilePiTechnologies Company Profile
PiTechnologies Company Profile
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!
 
Mobile Protection Application Development
Mobile Protection Application Development Mobile Protection Application Development
Mobile Protection Application Development
 

Recently uploaded

Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019

  • 1. © 2019 Secure D Center Co.,Ltd ANTI ANTI-CODE MODIFICATION Boonpoj Thongakaraniroj, Secure D Center MiSSConf [SP5] 6 July 19
  • 2. © 2019 Secure D Center Co.,Ltd About Secure D We operate across the ASEAN region with offices established in Kuala Lumpur, Malaysia and Bangkok, Thailand. We are independent and committed to your long-term goals by bringing a fresh, independent perspective, high passion to do an outstanding job and delivering cost-effective, innovation and high value services using global methodology and framework with our best cyber expertise certified by well-known cyber security certifications. We trust you will recognize our pragmatic ‘hands on’ style in the way we have structured our team, our approach and our deliverables. Our approach is based on the simple notion that the success of this project is measured by the results obtained and not just successful completion. Kuala Lumpur, Malaysia Bangkok, Thailand
  • 3. © 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification
  • 4. © 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Code Modification in Context of Mobile Application What is Mobile Application ? q A mobile app or mobile application is a computer program or software application designed to run on a mobile device such as a phone/tablet or watch. q The PC software threats are applicable for Mobile application
  • 5. © 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Case study for Binary patching (Code Modification)
  • 6. © 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Case study for Binary patching (Code Modification)
  • 7. © 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Anti-Code Modification is the risk mitigration Anti-Code Modification q Static § Code Obfuscation (Normally, Developer use ProGuard) § Anti-Patching q Dynamic § Anti-Frida § Anti-Debugging Code Modification q Static § Understand app logic flow § Modify app logic flow or malware in order to rebuild the app and contribute outside Google Play Store q Dynamic § Using Frida script to trace the application at runtime to determine loaded class/method in order to override method (Method Swizzling) for app manipulation § Understand app at the run-time using debugging technique in order to manipulate the logic
  • 8. © 2019 Secure D Center Co.,Ltd Introduction to Anti-Code Modification Dangerous Mindsets q We don’t need to protect on server-side since the application is protected via Anti-code modification q We have an End-to-end encryption on application, Nobody can manipulate the data over HTTP(s) q We use ProGuard for binary obfuscation, Nobody can understand our application logic q We have root detection, Rooted device cannot run our application q We also have Anti-patching and Anti-Debugging solution, Nobody can modify or manipulate the data our application at the runtime q We deploy Google SafetyNet then we are SAFE !!
  • 9. © 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection
  • 10. © 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Code Obfuscation Original Source Code Minified using ProGuard
  • 11. © 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Native Code in Action What is Native Code? q C/C++ code is compiled to machine code “.so” q Much faster than Java/Dalvik components q Hard to reverse more than on Java or Kotlin code Source: https://developer.android.com/ndk/guides/concepts https://docs.google.com/presentation/d/1r_DVzjCXw4gUum_WkRTzeivAnIArf8bw_q-rI0ywOSs/edit#slide=id.g47dd89f423_0_7
  • 12. © 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Native Code in Action Source: https://developer.android.com/ndk/guides/concepts https://docs.google.com/presentation/d/1r_DVzjCXw4gUum_WkRTzeivAnIArf8bw_q-rI0ywOSs/edit#slide=id.g47dd89f423_0_7
  • 13. © 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Anti-Patching What is Patching ? q Binary patching is one of the techniques used to alter the application functionalities. q Binary patching on Android can be achieved by modification of disassembled code in .smali or .so file(s). Extracting & Disassembling Modifying Smali or .so files Repackaging Signing APK file
  • 14. © 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Anti-Patching Instruction of Intel x86
  • 15. © 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection Anti-Patching Example Code Flow of Application
  • 16. © 2019 Secure D Center Co.,Ltd Bypass Anti-Static Analysis Protection DEMO q Bypassing Root detection (RootBeer Library) q Bypassing Code Patching Check
  • 17. © 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection
  • 18. © 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection Anti-Frida What is Frida ? q Frida is hugely popular with Android reverse engineers, and for good reason: It offers runtime access to pretty much everything one could dream of, from raw memory and native functions to Java object instances. Client Server
  • 19. © 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection Anti-Frida Example Code Flow of Application
  • 20. © 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection Anti-Debugging What is JDWP ? q The Java Debug Wire Protocol (JDWP) is the protocol used for communication between a debugger and the Java virtual machine (VM) q A JDWP debugger allows you to: § step through Java code § set breakpoints on Java methods § inspect and modify local and instance variables. Source: https://docs.oracle.com/javase/8/docs/technotes/guides/jpda/jdwp-spec.html https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md JDWP Debugger Device USB
  • 21. © 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection Anti-Debugging Example Code Flow of Application
  • 22. © 2019 Secure D Center Co.,Ltd Bypass Anti-Dynamic Analysis Protection DEMO q Bypassing Frida detection q Bypassing Anti-Debugging detection
  • 23. © 2019 Secure D Center Co.,Ltd Google SafetyNet
  • 24. © 2019 Secure D Center Co.,Ltd Google SafetyNet Definition What is Google SafetyNet ? q SafetyNet provides a set of services and APIs that help protect your app against security threats, including device tampering, bad URLs, potentially harmful apps, and fake users. q The SafetyNet Attestation API provides a cryptographically- signed attestation, assessing the device's integrity. In order to create the attestation, the API examines the device's software and hardware environment, looking for integrity issues, and comparing it with the reference data for approved Android devices. The generated attestation is bound to the nonce that the caller app provides. The attestation also contains a generation timestamp and metadata about the requesting app. Source: https://developer.android.com/training/safetynet/attestation
  • 25. © 2019 Secure D Center Co.,Ltd Google SafetyNet Anti-SafetyNet SNetKiller (https://github.com/iGio90/SNetKiller) q The app uses Frida to inject an agent into google services and prevent it to access certain files. q com.google.android.gms
  • 26. © 2019 Secure D Center Co.,Ltd Google SafetyNet Anti-SafetyNet SNetKiller (https://github.com/iGio90/SNetKiller)
  • 27. © 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase
  • 28. © 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing Type of Google Play Billing q One-time product q Rewarded product q Subscription Source: https://mulliner.org/collin/publications/asia226-mulliner.pdf Rogue Proxy App
  • 29. © 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing Google Recommendation Source: https://developer.android.com/google/play/billing/billing_library_overview
  • 30. © 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing Library q Prime31 q Unity
  • 31. © 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing VerifyPurchase method
  • 32. © 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase Google Play Billing Verify method
  • 33. © 2019 Secure D Center Co.,Ltd Practical Scenario In-App Purchase DEMO q Bypassing InApp Purchase
  • 34. © 2019 Secure D Center Co.,Ltd Thank You Contact us: info@secure-d.tech