Uploaded byjduart
PDF, PPTX10,703 views

Introduction to mobile reversing

This document provides an introduction to mobile application reversing. It discusses reversing apps for Windows Mobile, Android, and iPhone operating systems. For Windows Mobile, it analyzes a Spanish banking app called BBVA. For Android, it analyzes a US banking app called Wells Fargo. For iPhone, it analyzes a Korean banking app called HanaBank. The document discusses the file formats, architectures, languages, and tools used for reversing apps on each mobile platform.

Technology
Related topics:
Reverse Engineering

Embed presentation

Download as PDF, PPTX
Introduction to mobile reversing tora@pandas.es jose.duart@zynamics.com
Who are you? • Reverse engineer since late 90s • Malware analysis, binary auditing and behaviour analysis • Mobile and embedded systems reversing as a hobby • Working at Zynamics GmbH
Summary • Windows Mobile • Android • Dalvik VM • Decompilation • iPhone • AppStore DRM • Reversing Objective-C code
Why mobile reversing? • Few years ago: • Lots of java-based mobileOS • Only Symbian and PalmOS were “interesting” • But not much development community • First? mobile malware developed for Symbian, codename Caribe/Cabir, author Vallez/29A • Now: • Android, iPhoneOS, Windows Mobile, Bada...
Why mobile reversing? • More SDK’s, more developers... more interesting stuff
Why mobile reversing? • ... and evil stuff
Windows Mobile Reversing a banking app: BBVA
WM: First Steps • Executable file format: PE • Architecture: ARM • Language: C++ • API: Windows-like
WM: Target • Spanish “banking app”: BBVA • https://www.bbva.es/TLBS/ BBVA_MobiDesc.htm • Versions for Java, RIM, Windows Mobile, iPhone and Android
WM: Analysis
WM: Thoughts • ARM can look a bit hard at first, but is much easier than x86!! • The API is a piece of cake for people with experience in Windows XP/Vista development/reversing. • Easy to debug the targets, emulate the OS and patch apps.
Google Android Reversing a banking app: Wells Fargo
Android: First Steps • Architecture: ARM • API: Dalvik VM based • Two ways of delevolment (SDK/NDK) • Executable file format: Dex/ELF • Language: Java/C++
Android: First Steps
Android: First Steps
Android: First Steps Android Java Source .java .java Binary .dex .class Binary .odex N/A Optimized Packages .apk .jar Reversing DeDexer, Baksmali, JAD, DJ Java Tools DeoDexerant Decompiler, JD-GUI...
Android: Analysis • Sample code
Android: Analysis • DeDexer way .method public onCreate(Landroid/os/Bundle;)V .limit registers 4 ; this: v2 (Lcom/example/android/helloactivity/HelloActivity;) ; parameter[0] : v3 (Landroid/os/Bundle;) .line 36 invoke-super {v2,v3},android/app/Activity/ onCreate ; onCreate(Landroid/os/Bundle;)V .line 40 const/high16 v1,32514 invoke-virtual {v2,v1},com/example/android/ helloactivity/HelloActivity/setContentView ; setContentView (I)V
Android: Analysis • Baksmali way .method public onCreate(Landroid/os/Bundle;)V .registers 4 .parameter "savedInstanceState" .prologue .line 36 invoke-super {p0, p1}, Landroid/app/Activity;->onCreate (Landroid/os/Bundle;)V .line 40 const/high16 v1, 0x7f02 invoke-virtual {p0, v1}, Lcom/example/android/ helloactivity/HelloActivity;->setContentView(I)V
Android: Target • US banking app: Wells Fargo • Downloaded from androlib.com • Also available for iPhone
Android: Analysis II .class public Ldroidheaven/app/wellsfargo/Main; .super Landroid/app/Activity; .source "Main.java" # annotations .annotation system Ldalvik/annotation/MemberClasses; value = { Ldroidheaven/app/wellsfargo/Main$HelloWebViewClient; } .end annotation # instance fields .field webview:Landroid/webkit/WebView;
Android: Thoughts • Decompilers are not ready yet • In the future, it will be similar to Java-reversing • Free emulator: • It’s possible to install apk’s • No access to Android Market :(
Apple iPhone Reversing a banking app: HanaBank
iPhone: First Steps • Executable file format: Mach-O • Architecture: ARM • Language: Objective-C • API: iPhone SDK Framework and libc
iPhone: First Steps • Apps come in IPA packages • ZIP files with executables and resources (images, package info, config files...) • iPhone Simulator works with i386 • Tricky to setup a debug environment • enable ssh access • iphonedbg/gdb
iPhone: First Steps • AppStore • Apps are encrypted, iPhone Mach-O loader is in charge of decryption • GDB and a little understanding of Mach-O headers (otool) can help • Objective-C • 80% calls to msgSend() == lots of fun :)
iPhone: First Steps Typical objective-C callgraph
iPhone: First Steps Callgraph after script (in blue new “msg” subs)
iPhone: Target • Korean banking app: HanaBank • Downloaded from AppStore
iPhone: Analysis • Removing AppStore encryption • Playing with FLIRT signatures • Reversing Objective-C code
iPhone: Thoughts • AppStore DRM is not a big problem • Objective-C can be quite painful • Debug using GDB: • Well known tool, but you need delevoper account or a jailbroken device. • Simulator is not useful for reversing
Questions? !!!

More Related Content

PDF
ShaREing Is Caring
bysporst
 
PPT
Packer Genetics: The selfish code
byjduart
 
PDF
Bootstrapping iPhone Development
byThoughtWorks
 
PDF
FlawDetector - Rubykaigi2013 LT
byginriki
 
PDF
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
byJoxean Koret
 
PDF
Assignment1 B 0
byMahmoud
 
PDF
Rootcon X - Reverse Engineering Swift Applications
byeightbit
 
PPTX
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
byMaarten Balliauw
 
ShaREing Is Caring
bysporst
 
Packer Genetics: The selfish code
byjduart
 
Bootstrapping iPhone Development
byThoughtWorks
 
FlawDetector - Rubykaigi2013 LT
byginriki
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
byJoxean Koret
 
Assignment1 B 0
byMahmoud
 
Rootcon X - Reverse Engineering Swift Applications
byeightbit
 
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
byMaarten Balliauw
 

What's hot

PPTX
C# 101: Intro to Programming with C#
byHawkman Academy
 
PPT
C++ to java
byAjmal Ak
 
PDF
Wahckon[2] - iOS Runtime Hacking Crash Course
byeightbit
 
PPTX
ConFoo Montreal - Approaches for application request throttling
byMaarten Balliauw
 
PDF
Handout 00 0
byMahmoud
 
PPTX
C++vs java
byPradeep wolf king
 
PPTX
Net serialization
byGreg Sohl
 
PPTX
C#
byGokul Ram
 
PDF
Tutorial c#
byMohammad Faizan
 
PPTX
Object Oriented Apologetics
byVance Lucas
 
PPT
Clean Code summary
byJan de Vries
 
PPT
C# features
bysagaroceanic11
 
PPTX
Tech breakfast 18
byJames Leone
 
ODP
Introduction to Binary Exploitation
byCysinfo Cyber Security Community
 
PDF
How to really obfuscate your pdf malware
byzynamics GmbH
 
PDF
1..Net Framework Architecture-(c#)
byShoaib Ghachi
 
PPTX
.NET and C# Introduction
bySiraj Memon
 
PDF
2.Getting Started with C#.Net-(C#)
byShoaib Ghachi
 
PDF
How To Become A Good C# Programmer
byLearnItFirst.com
 
C# 101: Intro to Programming with C#
byHawkman Academy
 
C++ to java
byAjmal Ak
 
Wahckon[2] - iOS Runtime Hacking Crash Course
byeightbit
 
ConFoo Montreal - Approaches for application request throttling
byMaarten Balliauw
 
Handout 00 0
byMahmoud
 
C++vs java
byPradeep wolf king
 
Net serialization
byGreg Sohl
 
C#
byGokul Ram
 
Tutorial c#
byMohammad Faizan
 
Object Oriented Apologetics
byVance Lucas
 
Clean Code summary
byJan de Vries
 
C# features
bysagaroceanic11
 
Tech breakfast 18
byJames Leone
 
Introduction to Binary Exploitation
byCysinfo Cyber Security Community
 
How to really obfuscate your pdf malware
byzynamics GmbH
 
1..Net Framework Architecture-(c#)
byShoaib Ghachi
 
.NET and C# Introduction
bySiraj Memon
 
2.Getting Started with C#.Net-(C#)
byShoaib Ghachi
 
How To Become A Good C# Programmer
byLearnItFirst.com
 

Viewers also liked

PDF
ShaREing is Caring
byzynamics GmbH
 
PPTX
0-knowledge fuzzing
byVincenzo Iozzo
 
PDF
Uni mannheim debuggers
byzynamics GmbH
 
PDF
Architectural Diversity (German)
byzynamics GmbH
 
PPTX
Tell me that story again
bymarkcmarino
 
PDF
0-knowledge fuzzing white paper
byVincenzo Iozzo
 
PDF
How to really obfuscate your pdf malware
byzynamics GmbH
 
PDF
Reverse Engineering iOS apps
byMax Bazaliy
 
PPT
前列腺癌治疗药物全球研发现状
byshanghq_cn
 
PPTX
Twitter for Social Care
byDaniel Slee
 
DOC
συναντηση υπουργειου πεχωδε
byATHANASIOS KAVVADAS
 
DOC
Opnieuw verliesjaar voor firma Delphine Boël
byThierry Debels
 
PDF
Data science guide for PASS Summit 2014
byMark Tabladillo
 
PDF
Your Health, Yourself
byOgilvy Health
 
DOC
συναντηση υπουργειου αθλητισμου
byATHANASIOS KAVVADAS
 
PDF
Star 8-solar-tile-presentation
byÔng Râu
 
PDF
Take care of your feet for a lifetime
byMattison Podiatry Group
 
PPTX
Keith hopper - General Assembly Product Roundtable
byhopperomatic
 
PPT
今日1日おつかれさま、これはマレーシアのおいしい果物 Delicious Fruits of Malaysia
byYama San
 
DOCX
Himpervinculos 1 km
byKatia Vega
 
ShaREing is Caring
byzynamics GmbH
 
0-knowledge fuzzing
byVincenzo Iozzo
 
Uni mannheim debuggers
byzynamics GmbH
 
Architectural Diversity (German)
byzynamics GmbH
 
Tell me that story again
bymarkcmarino
 
0-knowledge fuzzing white paper
byVincenzo Iozzo
 
How to really obfuscate your pdf malware
byzynamics GmbH
 
Reverse Engineering iOS apps
byMax Bazaliy
 
前列腺癌治疗药物全球研发现状
byshanghq_cn
 
Twitter for Social Care
byDaniel Slee
 
συναντηση υπουργειου πεχωδε
byATHANASIOS KAVVADAS
 
Opnieuw verliesjaar voor firma Delphine Boël
byThierry Debels
 
Data science guide for PASS Summit 2014
byMark Tabladillo
 
Your Health, Yourself
byOgilvy Health
 
συναντηση υπουργειου αθλητισμου
byATHANASIOS KAVVADAS
 
Star 8-solar-tile-presentation
byÔng Râu
 
Take care of your feet for a lifetime
byMattison Podiatry Group
 
Keith hopper - General Assembly Product Roundtable
byhopperomatic
 
今日1日おつかれさま、これはマレーシアのおいしい果物 Delicious Fruits of Malaysia
byYama San
 
Himpervinculos 1 km
byKatia Vega
 

Similar to Introduction to mobile reversing

PDF
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
byStephan Chenette
 
PPT
Outsmarting SmartPhones
bysaurabhharit
 
PPT
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
byTom Keetch
 
PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
bynullowaspmumbai
 
PDF
Learning by hacking - android application hacking tutorial
byLandice Fu
 
PPTX
Mobile application security
byShubhneet Goel
 
PPTX
Mobile Application Security
byIshan Girdhar
 
PDF
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
byDario Incalza
 
PDF
Bug hunting through_reverse_engineering
byarif
 
PPTX
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
byTestDevLab
 
PDF
Introduction to Android Development and Security
byKelwin Yang
 
PDF
Android : How Do I Code Thee?
byViswanath J
 
PDF
Mobile Penetration Testing: Episode III - Attack of the Code
byNowSecure
 
PPTX
Android village @nullcon 2012
byhakersinfo
 
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
PPTX
Decompiling Android
byGodfrey Nolan
 
PDF
LinkedIn - Disassembling Dalvik Bytecode
byAlain Leon
 
PPTX
Basic of Android App Development
byAbhijeet Gupta
 
PPT
Reverse Engineering Android Application
byn|u - The Open Security Community
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
byStephan Chenette
 
Outsmarting SmartPhones
bysaurabhharit
 
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
byTom Keetch
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
bynullowaspmumbai
 
Learning by hacking - android application hacking tutorial
byLandice Fu
 
Mobile application security
byShubhneet Goel
 
Mobile Application Security
byIshan Girdhar
 
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
byDario Incalza
 
Bug hunting through_reverse_engineering
byarif
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
byTestDevLab
 
Introduction to Android Development and Security
byKelwin Yang
 
Android : How Do I Code Thee?
byViswanath J
 
Mobile Penetration Testing: Episode III - Attack of the Code
byNowSecure
 
Android village @nullcon 2012
byhakersinfo
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
Decompiling Android
byGodfrey Nolan
 
LinkedIn - Disassembling Dalvik Bytecode
byAlain Leon
 
Basic of Android App Development
byAbhijeet Gupta
 
Reverse Engineering Android Application
byn|u - The Open Security Community
 

Recently uploaded

PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Workflow and decision Automation with Flowable
bychakib ch
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 

Introduction to mobile reversing

  • 1.
    Introduction to mobile reversing tora@pandas.es jose.duart@zynamics.com
  • 2.
    Who are you? •Reverse engineer since late 90s • Malware analysis, binary auditing and behaviour analysis • Mobile and embedded systems reversing as a hobby • Working at Zynamics GmbH
  • 3.
    Summary • Windows Mobile •Android • Dalvik VM • Decompilation • iPhone • AppStore DRM • Reversing Objective-C code
  • 4.
    Why mobile reversing? •Few years ago: • Lots of java-based mobileOS • Only Symbian and PalmOS were “interesting” • But not much development community • First? mobile malware developed for Symbian, codename Caribe/Cabir, author Vallez/29A • Now: • Android, iPhoneOS, Windows Mobile, Bada...
  • 5.
    Why mobile reversing? •More SDK’s, more developers... more interesting stuff
  • 6.
    Why mobile reversing? •... and evil stuff
  • 7.
    Windows Mobile Reversing a banking app: BBVA
  • 8.
    WM: First Steps •Executable file format: PE • Architecture: ARM • Language: C++ • API: Windows-like
  • 9.
    WM: Target • Spanish“banking app”: BBVA • https://www.bbva.es/TLBS/ BBVA_MobiDesc.htm • Versions for Java, RIM, Windows Mobile, iPhone and Android
  • 10.
  • 11.
    WM: Thoughts • ARMcan look a bit hard at first, but is much easier than x86!! • The API is a piece of cake for people with experience in Windows XP/Vista development/reversing. • Easy to debug the targets, emulate the OS and patch apps.
  • 12.
    Google Android Reversinga banking app: Wells Fargo
  • 13.
    Android: First Steps •Architecture: ARM • API: Dalvik VM based • Two ways of delevolment (SDK/NDK) • Executable file format: Dex/ELF • Language: Java/C++
  • 14.
  • 15.
  • 16.
    Android: First Steps Android Java Source .java .java Binary .dex .class Binary .odex N/A Optimized Packages .apk .jar Reversing DeDexer, Baksmali, JAD, DJ Java Tools DeoDexerant Decompiler, JD-GUI...
  • 17.
  • 18.
    Android: Analysis • DeDexer way .method public onCreate(Landroid/os/Bundle;)V .limit registers 4 ; this: v2 (Lcom/example/android/helloactivity/HelloActivity;) ; parameter[0] : v3 (Landroid/os/Bundle;) .line 36 invoke-super {v2,v3},android/app/Activity/ onCreate ; onCreate(Landroid/os/Bundle;)V .line 40 const/high16 v1,32514 invoke-virtual {v2,v1},com/example/android/ helloactivity/HelloActivity/setContentView ; setContentView (I)V
  • 19.
    Android: Analysis • Baksmali way .method public onCreate(Landroid/os/Bundle;)V .registers 4 .parameter "savedInstanceState" .prologue .line 36 invoke-super {p0, p1}, Landroid/app/Activity;->onCreate (Landroid/os/Bundle;)V .line 40 const/high16 v1, 0x7f02 invoke-virtual {p0, v1}, Lcom/example/android/ helloactivity/HelloActivity;->setContentView(I)V
  • 20.
    Android: Target • USbanking app: Wells Fargo • Downloaded from androlib.com • Also available for iPhone
  • 21.
    Android: Analysis II .classpublic Ldroidheaven/app/wellsfargo/Main; .super Landroid/app/Activity; .source "Main.java" # annotations .annotation system Ldalvik/annotation/MemberClasses; value = { Ldroidheaven/app/wellsfargo/Main$HelloWebViewClient; } .end annotation # instance fields .field webview:Landroid/webkit/WebView;
  • 22.
    Android: Thoughts • Decompilersare not ready yet • In the future, it will be similar to Java-reversing • Free emulator: • It’s possible to install apk’s • No access to Android Market :(
  • 23.
    Apple iPhone Reversing abanking app: HanaBank
  • 24.
    iPhone: First Steps •Executable file format: Mach-O • Architecture: ARM • Language: Objective-C • API: iPhone SDK Framework and libc
  • 25.
    iPhone: First Steps •Apps come in IPA packages • ZIP files with executables and resources (images, package info, config files...) • iPhone Simulator works with i386 • Tricky to setup a debug environment • enable ssh access • iphonedbg/gdb
  • 26.
    iPhone: First Steps •AppStore • Apps are encrypted, iPhone Mach-O loader is in charge of decryption • GDB and a little understanding of Mach-O headers (otool) can help • Objective-C • 80% calls to msgSend() == lots of fun :)
  • 27.
    iPhone: First Steps Typical objective-C callgraph
  • 28.
    iPhone: First Steps Callgraph after script (in blue new “msg” subs)
  • 29.
    iPhone: Target • Koreanbanking app: HanaBank • Downloaded from AppStore
  • 30.
    iPhone: Analysis • RemovingAppStore encryption • Playing with FLIRT signatures • Reversing Objective-C code
  • 31.
    iPhone: Thoughts • AppStoreDRM is not a big problem • Objective-C can be quite painful • Debug using GDB: • Well known tool, but you need delevoper account or a jailbroken device. • Simulator is not useful for reversing
  • 32.