Cracking the Mobile Application Code

               - Sreenarayan A
                 Paladion Mobile Security Team
Take Away for the day

• Purpose of Decompiling Mobile Applications
• Methodology of Decompilation
• Live Demos:
  – Android App
  – iOS (iPhone / iPad App)
  – Blackberry Apps / Nokia App
Why is security relevant for Mobile Platform?
• 400% increase in the number of organizations developing
  mobile-platform-based applications.
• 300% increase in the number of mobile banking applications.
• 500% Increase in the number of people using the Mobile
  Phones for their day to day transactions.
• 82% Chances of end users not using their Mobile Phones with
  proper caution.
• 79% Chances of Mobile Phone users Jail Breaking their
  Phones.
• 65% Chances of Mobile Phone users not installing Anti-virus on
  their Mobile Phones.
• 71% Chances of any application to get misused.
• 57% Chances of a user losing his sensitive credentials to a
  hacker.
Market Statistics of Mobile Users
Mobile Market Trends
Different Types of Mobile Applications

• WAP Mobile Applications
• Native Mobile Applications
• Hybrid Mobile Applications
Different Types of Mobile Applications
Different Types of Mobile Architecture
Why did we learn the above types??

• Which applications can be Decompiled?
  – WAP Mobile Applications ?
  – Native Mobile Applications ?
  – Hybrid Mobile Applications ?


• We have to get to know of the basics!
Cracking the Mobile Application Code
Cracking the Mobile Application Code

•What do you mean by Reverse Engineering?
•What do you mean by Decompilation? -> What is Compilation?

Questions to be answered:
•What are the goals/purpose of Cracking the code?

•What is the methodology of Decompilation?

•What are the tools which can be used to Decompile?

•Can Decompilation be done on all platforms?
    1. ANDROID ?
    2. iPHONE / iPAD ?
    3. BLACKBERRY ?
    4. NOKIA ?
Goal of cracking the Mobile Application Code
Goals of Cracking the Source Code

•“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT
THE LOOPHOLES!”

•To find Treasure Key Words (password , keys , sql, algo, AES, DES, Base64,
etc)

•Figure out the Algorithms Used and their keys.

•Bypassing the client side checks by rebuilding the app.

•E.g. Password in Banking Application (Sensitive Information)
•E.g. Angry Birds Malware (Stealing Data)
•E.g. Zitmo Malware (Sending SMS)

•We have understood the goals; how do we achieve them? Methodology.
Methodology of Cracking
Methodology / Study

S1: Gaining access to the executable

S2: Understanding the Technology used to code the application.

S3: Finding out ways to derive the Object Code from the Executable.

S4: Figuring out a way to derive the Class Files from the Object Code.

S5: Figuring out a way to derive the Function Definitions from the Object Code.
JUMP TO DEMOS
Demo - Reverse Engineer the Android Application
•Tools used:
    -Decompressor (Winrar / Winzip / 7zip)
    -Dex2jar
    -Jar Decompiler

•Steps
    1.   .apk -> .dex
    2.   .dex -> .jar
    3.   .jar -> .java

•   Demo

•   Limitations
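The Android demo above reduces to three conversions (.apk -> .dex -> .jar -> .java) followed by the "treasure key word" hunt from the goals slide. The script below is an added example written for this page, not code from the presentation or from Paladion: it performs step 1 itself (an .apk is a plain ZIP, so it lists the classes*.dex entries and checks each one's DEX header magic rather than trusting the file name), and then runs the keyword hunt over decompiled .java text, decoding any Base64-looking string literal on a flagged line so an encoded constant is visible in plain text. The keyword list, the constructed in-memory .apk and the sample Java source are all assumptions made for the example; the dex2jar and jar-decompiler stages (steps 2 and 3) are the external tools named on the slide and are not reimplemented here. Used on your own build output before release, it is a quick check that no key, password or algorithm name has been hard-coded into the shipped application.

```python
import base64
import binascii
import io
import re
import zipfile

# Step 1 of the Android demo: an .apk is a ZIP container. Dalvik executables inside it
# start with the magic "dex\n" + three-digit version + NUL, e.g. b"dex\n035\x00".
DEX_MAGIC = re.compile(rb"\Adex\n\d{3}\x00")

# "Treasure key words" from the goals slide, plus a few synonyms (assumption of this example).
TREASURE_KEYWORDS = ("password", "passwd", "secret", "key", "sql", "algo", "AES", "DES", "Base64")
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in TREASURE_KEYWORDS), re.IGNORECASE)

# A quoted string literal that is syntactically valid Base64 and at least 8 characters long.
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')


def extract_dex(apk_bytes):
    """Return {entry_name: bytes} for every ZIP entry that is a genuine DEX file.
    The entry name alone is not trusted: the header magic must match too."""
    dex_files = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.endswith(".dex"):
                continue
            data = apk.read(name)
            if DEX_MAGIC.match(data):
                dex_files[name] = data
    return dex_files


def find_treasure_keywords(java_source):
    """Scan decompiled .java text (output of step 3) line by line.
    Returns [(line_no, tuple of sorted lower-case keywords, stripped line), ...]."""
    hits = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        found = {m.group(0).lower() for m in KEYWORD_RE.finditer(line)}
        if found:
            hits.append((line_no, tuple(sorted(found)), line.strip()))
    return hits


def decode_base64_literals(line):
    """Decode Base64-looking string literals on a line, keeping only results that are
    printable ASCII; this is how an encoded password or key constant shows up in review."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(line):
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def build_sample_apk():
    """Constructed stand-in for a real .apk: only the ZIP layout and DEX magic matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)   # main DEX
        z.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 24)  # multidex secondary DEX
        z.writestr("assets/decoy.dex", b"not a dex file")           # wrong magic, must be ignored
    return buf.getvalue()


# Constructed sample of what step 3 (.jar -> .java) might emit; not taken from any real app.
SAMPLE_JAVA = "\n".join([
    "package com.example.bank;",
    "public class Crypto {",
    '    private static final String AES_KEY = "0123456789abcdef"; // hard-coded key',
    '    private static String password = Base64.decode("cGFzc3dvcmQ=");',
    "    public boolean isRooted() { return false; }",
    "}",
])


def review(apk_bytes, java_source):
    """Tie the stages together: which DEX files the package carries, and which
    decompiled lines a reviewer should look at first."""
    findings = []
    for line_no, keywords, text in find_treasure_keywords(java_source):
        findings.append({"line": line_no, "keywords": keywords,
                         "decoded": decode_base64_literals(text)})
    return {"dex_entries": sorted(extract_dex(apk_bytes)), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(review(build_sample_apk(), SAMPLE_JAVA), indent=2))
```

Substring matching is deliberate: identifiers such as `AES_KEY` or `secretKey` would be missed by a word-boundary match, at the cost of some noise that the reviewer filters by eye. Each flagged line carries its line number so the finding can be traced back to the decompiled class.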
Demo - Reverse Engineer the iOS Application

•Tools used:
    -iExplorer
    -Windows Explorer
    -oTool
    -Classdumpz

•Steps
    1.   .app -> Garbage (Object Code) (DVM)
    2.   Object Code -> .Class

•   Demo

•   Limitations
Demo - Reverse Engineer the Blackberry Application
•Tools used:
    -JD-GUI (Java Decompiler)
    -Notepad
•There are two types of Application files found in Blackberry:
    1. .Jar (.jad -> .jar)
    2. .Cod (.jad -> .cod, Blackberry Code Files)

•Steps
    1. .jar -> .java (JD-GUI)
    Or
    1. Notepad to open .cod (No luck!)

•   Demo
•   Limitation
Tip - Reverse Engineer the Windows Phone Application
•Tools used:
    -.net decompiler
    -Visual Studio with Windows Phone SDK
Palisade Articles

•   iOS vs Android Testing
•   Mobile Data Encryption
•   Mobile Application Security Testing
•   Demystifying the Android
•   And …


• Website link: palpapers.paladion.net
• Questions and Answers
• Quiz
• Feedback
Thank You
Sreenarayan.india@gmail.com
Sreenarayan.a@paladion.net
Twitter: Ace_Sree