This document discusses techniques for analyzing and exploiting Android applications. It begins by explaining why security is important given people's growing dependency on digital technology and mobile devices. It then discusses decompiling APK files and using tools like Apktool, Dex2Jar, and decompilers to view an app's code. The document also covers using proxies like Burp Suite and Frida to intercept network traffic and manipulate app behavior at runtime. The goal is usually to obtain sensitive data, bypass restrictions, or modify the app. Examples of scenarios explored include tampering with network requests, bypassing security checks, and decrypting encrypted data.

1. From Reversing
to Exploitation
Android Application Security in Essence
Reversing.ID
Revealing the Truth through Breaking Things

2. Hi!
I am Satria Ady Pradana
Cyber Security
Consultant
@
Mitra Integrasi
Informatika
xathrya
@xathrya
Reversing.ID
Revealing the Truth through Breaking Things

3. First of All, Why Security?

4. Cyberspace
Around You
It’s hard to not depend on IT
technology.

5. (Y)our Dependency to Digital Technology
 Communication
 Entertainment
 Financial
 Education
 News

6. Digital Age Has Came.
Mobile Device Is the Key.
It means most of your activity will have to interact with smartphone.

7. http://www.businessinsider.sg/smartphone-market-share-android-ios-windows-
blackberry-2016-8

8. Android is Dominating, but …
With the great userbase comes great threats

9. Focus on Android Application
Can we pwn the application?

10. The Joy of Android Apps Exploitation
 Application is in your possession.
 Basically it means we can do anything.
 Modify, bypass, etc.
 Your Code is Mine
 “Your code is not stolen, you give it in binary.”

11. Remember this Mantra!
 APK is just a zip.
 Everything inside is in binary form.
 Java can be decompiled.
 No software is free of bug.
 Exploitation is not always about taking over devices.

12. What Do You Need?
 Proper goals.
 Proper knowledge.
 Proper tools and environment.

13. Our Goal (Mostly)
 Obtain the Sensitive Information / Data
 Get the Algorithm
 Bypass restriction
 Manipulate the application.

14. Proper Knowledge
 Basic understanding of programming.
 Know what process involved in building an APK.
 What should I do for start hacking?
 Common penetration methodology.

15. Analysis Lab
Anything you need to prepare
 Android Device / Emulator
 Disassembler
 Decompiler
 HTTP / TCP Proxy for MITM
 Packet Sniffer
 Dynamic Binary Instrumentation

16. Reversing
Extracting knowledge, structures, and mechanics of a system.
Reversing.ID
Komunitas Reverse Engineering Indonesia

17. Think of him
YES!!!

18. About Reverse Engineering
 Reveal the secret mechanism or components that makes
something.
 Formally it described as
“Extracting knowledge or design information from
anything man-made and reproducing it or reproduce
anything based on the extracted information.”
 Basically we want to know what secrets behind the
application are.

19. How APK is Made?

20. Code in Java / Kotlin
VS

21. Behind the “Build” command*
*Simplified build process
How to Get the
Code Back?

22. Peeking Under the APK
 Classes.dex, the code in binary
 AndroidManifest.xml, the manifest
 META-INF, directory
 Res, directory, contain resource used by APK

23. Step by Step
 Use ApkTool to extract and decompile the APK to readable code
and data.
 https://ibotpeaches.github.io/Apktool/
 $ apktool d the_file.apk
 Enter the newly created directory.
 But the code is decompiled to smali, not java (yet)
 Use Dex2Jar to decompile classes.dex to Java .jar
 https://github.com/pxb1988/dex2jar
 $ d2j-dex2jar classes.dex
 Code in jar, still not in source code

24. Step by Step cont’d
 Use any java decompiler to decompile java bytecode to
source code.
 JD-GUI
 Procyon
 CFR
 FernFlower
 Or use the all-in-one solution, such as: ByteCodeViewer,
JEB Android.

25. Step by Step cont’d
 Use MITM proxy to intercept request made by application.
 Burp Suite
 ZAProxy
 Use DBI to manipulate application behavior.
 Frida

26. Intercepting with Burp Suite
 Create an MITM proxy
 Force application to send all request via MITM proxy.
 Setting the proxy option on Android device.
 Forward / Reject the request from application to server.
 Tamper the content, modify anything before forwarding.

27. What Scenario?
 Practically, like web hacking or web service hacking.
 Change ID or parameter, can we access something that
should not be accessed?
 Is sensitive data encrypted?
 Do we have hardcoded credentials (API key) to access
service?
 etc

28. Dynamic Binary Analysis (with Frida)
 Relatively new approach for analysis.
 DBI is a method of analyzing the behavior of a binary
application at runtime through the injection of
instrumentation code.
 In short: manipulate application behavior by a script
(javascript).

29. What Frida Can Do?
 Access process memory
 Overwrite functions while the application is running
 Call functions from imported classes
 Find object instance on the heap and use them
 Hook, trace, and intercept function.
https://www.slideshare.net/satriapradana1/bypass-security-
checking-with-frida

30. What Scenario?
 Bypass security checking
 Root checker
 SSL pinning
 Get encryption process, what is the plaintext processed
by this function?
 Modify function as wish, want to make this function
always return true.

31. Demo …

32. End of Game.