This document discusses techniques for analyzing and exploiting Android applications. It begins by explaining why security matters given people's growing dependence on digital technology and mobile devices. It then covers decompiling APK files with tools such as Apktool, Dex2Jar, and Java decompilers to view an app's code, intercepting network traffic with a proxy such as Burp Suite, and manipulating app behavior at runtime with Frida. The goal is usually to obtain sensitive data, bypass restrictions, or modify the app. Scenarios explored include tampering with network requests, bypassing security checks, and recovering the plaintext behind encrypted data.
2. Hi!
I am Satria Ady Pradana, Cyber Security Consultant @ Mitra Integrasi Informatika
xathrya / @xathrya
Reversing.ID: Revealing the Truth through Breaking Things
10. The Joy of Android Apps Exploitation
The application is in your possession.
Basically that means we can do anything to it: modify it, bypass its checks, etc.
Your Code is Mine
“Your code is not stolen, you give it in binary.”
11. Remember this Mantra!
An APK is just a zip.
Everything inside is in binary form.
Java can be decompiled.
No software is free of bugs.
Exploitation is not always about taking over devices.
12. What Do You Need?
Proper goals.
Proper knowledge.
Proper tools and environment.
13. Our Goal (Mostly)
Obtain the Sensitive Information / Data
Get the Algorithm
Bypass restriction
Manipulate the application.
14. Proper Knowledge
Basic understanding of programming.
Know what process is involved in building an APK.
Where do I start when hacking an app?
Common penetration testing methodology.
15. Analysis Lab
Everything you need to prepare:
Android Device / Emulator
Disassembler
Decompiler
HTTP / TCP Proxy for MITM
Packet Sniffer
Dynamic Binary Instrumentation
18. About Reverse Engineering
Reveal the secret mechanism or components that make something work.
Formally it is described as
“extracting knowledge or design information from anything man-made and reproducing it, or reproducing anything based on the extracted information.”
Basically we want to know what secrets are behind the application.
21. Behind the “Build” command*
*Simplified build process
How to Get the
Code Back?
22. Peeking Under the APK
An APK is a zip archive. Unzip it and you find:
classes.dex, the compiled code (Dalvik bytecode; larger apps also carry classes2.dex, classes3.dex, ...)
AndroidManifest.xml, the manifest, stored in Android's binary XML format rather than plain text
META-INF/, directory holding the signature files
res/, directory containing the resources used by the APK (together with resources.arsc, the compiled resource table, and often lib/ for native code and assets/ for raw files)
23. Step by Step
Use Apktool to decode the APK into readable code and data.
https://ibotpeaches.github.io/Apktool/
$ apktool d the_file.apk
Enter the newly created directory. The manifest and resources are now plain XML,
but the code is decoded to smali (Dalvik assembly), not Java (yet).
Use Dex2Jar to convert the Dalvik bytecode in classes.dex to a Java .jar. Apktool does not keep classes.dex in its output directory, so take it from the APK itself (unzip it, or point dex2jar at the APK, which it accepts directly):
https://github.com/pxb1988/dex2jar
$ d2j-dex2jar the_file.apk
The code is now JVM bytecode in a jar, still not source code.
24. Step by Step cont’d
Use any Java decompiler to turn the JVM bytecode into source code.
JD-GUI
Procyon
CFR
FernFlower
Or use an all-in-one solution such as ByteCodeViewer or JEB Android.
The decompiled output is a reconstruction, not the original source: obfuscated builds (ProGuard/R8) have renamed identifiers, and some methods will not decompile cleanly, so keep the smali from Apktool at hand as the ground truth.
25. Step by Step cont’d
Use a MITM proxy to intercept the requests made by the application.
Burp Suite
ZAProxy
Use DBI to manipulate the application's behavior at runtime.
Frida
26. Intercepting with Burp Suite
Create an MITM proxy (a Burp listener bound to an address the device can reach).
Force the application to send all requests via the MITM proxy by setting the proxy option on the Android device (the Wi-Fi network's proxy settings, or adb shell settings put global http_proxy host:port).
For HTTPS, install Burp's CA certificate on the device. On Android 7 and later, apps ignore user-installed CAs by default, so the certificate has to be added as a system CA on a rooted device, or the app's trust checks have to be bypassed at runtime.
Forward / drop each request from the application to the server.
Tamper with the content, modifying anything before forwarding it.
27. What Scenario?
Practically the same as web or web service hacking.
Change an ID or parameter: can we access something that should not be accessible?
Is sensitive data encrypted, or sent and stored in the clear?
Are there hardcoded credentials (an API key) for accessing the service?
etc.
28. Dynamic Binary Analysis (with Frida)
A relatively new approach to analysis.
DBI (dynamic binary instrumentation) is a method of analyzing the behavior of a binary application at runtime by injecting instrumentation code into the running process.
In short: manipulate the application's behavior with a script (JavaScript).
29. What Can Frida Do?
Access process memory
Overwrite functions while the application is running
Call functions from imported classes
Find object instances on the heap and use them
Hook, trace, and intercept functions
https://www.slideshare.net/satriapradana1/bypass-security-checking-with-frida
30. What Scenario?
Bypass security checks:
Root checker
SSL pinning
Observe the encryption process: what is the plaintext processed by this function?
Modify a function as you wish, e.g. make this function always return true.
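The three scenarios above in one Frida script, as an added example that is not part of the original slides. It assumes a hypothetical root-check class com.example.app.RootCheck with a boolean isDeviceRooted() method (a placeholder for whatever name the decompiled code of the real target shows), assumes the app uses OkHttp 3/4 for its pinning (the okhttp3.CertificatePinner.check overload chosen is the String/List one; older OkHttp releases use a different signature), and dumps the buffers passed through javax.crypto.Cipher. Each hook is wrapped in try/catch so a class that is absent in the target does not abort the others. The byte and opmode helpers at the top are ordinary JavaScript and run under plain Node as well; the hooks install only when the script is loaded by Frida, where the Java bridge exists.

```javascript
// Added example: Frida script for root-check bypass, OkHttp pinning bypass and
// Cipher plaintext dumping. Run against a target with, e.g.:
//   frida -U -f com.example.app -l hooks.js
// com.example.app.RootCheck.isDeviceRooted is an ASSUMED name; replace it with
// the one found in the decompiled code.

// Java byte[] arrives in Frida as an array of signed 8-bit numbers.
function bytesToHex(bytes) {
  let out = '';
  for (const b of bytes) out += ((b & 0xff) | 0x100).toString(16).slice(1);
  return out;
}

// Printable view of a buffer: ASCII when every byte is printable, hex otherwise.
function describeBuffer(bytes) {
  const printable = bytes.every((b) => (b & 0xff) >= 0x20 && (b & 0xff) < 0x7f);
  return printable ? String.fromCharCode(...bytes.map((b) => b & 0xff)) : bytesToHex(bytes);
}

// Opmode constants of javax.crypto.Cipher.init().
function opmodeName(mode) {
  return { 1: 'ENCRYPT', 2: 'DECRYPT', 3: 'WRAP', 4: 'UNWRAP' }[mode] || ('mode ' + mode);
}

function installHooks() {
  Java.perform(function () {
    // 1. Root checker: make the app's own check always report "not rooted".
    //    (Assumed class and method name.) The same pattern makes any boolean
    //    check return true: just return true instead.
    try {
      const RootCheck = Java.use('com.example.app.RootCheck');
      RootCheck.isDeviceRooted.implementation = function () {
        console.log('[root] isDeviceRooted() called, returning false');
        return false;
      };
    } catch (e) { console.log('[root] hook skipped: ' + e.message); }

    // 2. SSL pinning (OkHttp 3/4): CertificatePinner.check throws on a pin
    //    mismatch; returning without doing anything lets Burp's CA through.
    try {
      const Pinner = Java.use('okhttp3.CertificatePinner');
      Pinner.check.overload('java.lang.String', 'java.util.List').implementation = function (host, certs) {
        console.log('[pin] check(' + host + ') bypassed');
      };
    } catch (e) { console.log('[pin] hook skipped: ' + e.message); }

    // 3. Encryption: log the opmode at init, then the input/output of
    //    doFinal(byte[]). With ENCRYPT the input is the plaintext; with
    //    DECRYPT the output is.
    try {
      const Cipher = Java.use('javax.crypto.Cipher');
      Cipher.init.overload('int', 'java.security.Key').implementation = function (mode, key) {
        console.log('[cipher] init ' + opmodeName(mode) + ' ' + this.getAlgorithm());
        return this.init.overload('int', 'java.security.Key').call(this, mode, key);
      };
      Cipher.doFinal.overload('[B').implementation = function (input) {
        const output = this.doFinal.overload('[B').call(this, input);
        console.log('[cipher] ' + this.getAlgorithm() + ' in : ' + describeBuffer(input));
        console.log('[cipher] ' + this.getAlgorithm() + ' out: ' + describeBuffer(output));
        return output;
      };
    } catch (e) { console.log('[cipher] hook skipped: ' + e.message); }
  });
}

// Java (the Frida bridge) only exists inside an instrumented Android process.
if (typeof Java !== 'undefined') installHooks();
```

Hooking Cipher rather than the app's own wrapper is deliberate: the wrapper's name changes with every obfuscated build, while javax.crypto.Cipher is the choke point everything eventually calls. If the app overrides init with the AlgorithmParameterSpec overload, add a second hook with that signature.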