is your app
hackable?
from the dexprotector.com team for droidcon Berlin 2015.
hot topic🔥
is your app
hackable?
- yes.
users with root
the fun part
how to hack apps?
quick check
1. unzip your app_1.2.3.apk from
2. copy some picture.png to assets
3. zip & sign it back
4. works?
- yes.
tools
- apktool: https://code.google.com/p/android-apktool/
- dex2jar: https://github.com/pxb1988/dex2jar
- jadx: https://github.com/skylot/jadx
- Java Decompiler: https://github.com/java-decompiler/jd-gui
- Androguard: https://github.com/androguard/androguard
- adb
the boring part
how to develop more secure apps?
don't trust your app
- process on the backend, as web developers do
- move critical business logic to native code
- use SSL
- no plain-text data
- minimize data stored on the device
proguard is essential
- open source: http://proguard.sourceforge.net/
- shrinks and optimizes the code
- renames classes, methods, etc.
Security and Design, http://developer.android.com/google/play/billing/billing_best_practices.html
Looks like you need an obfuscator…
protection goals
- have bytecode as hard to reverse engineer as possible
- have a strong integrity protection mechanism in order to block repackaging
- have data and resources encrypted
API_SECRET = "gamu".replace("g", "s")
.concat("rai") + "v" + "bilit".replace("i", "o").concat("e");
use cryptography standards
mobile security market
- class encryption
- resource encryption
- hiding of API calls
- integrity protection
- tamper detection
- clone protection
- root detection
- mobile application/device management
- rich policy control
- custom business requirements
- fingerprinting
- integration with fraud monitoring systems
- …
basic | professional | enterprise
quick check: repeat steps 1-4 above.
next steps
u include security into your development workflow
u do not trust your own app
u use cryptography standards
u stay informed: books, sessions, hacker tools
contacts
@dexprotector
dexprotector@licelus.com
// And my own
@kalabro
marshalkina@licelus.com
