This document discusses how mobile apps can be hacked and provides tips to develop more secure apps. It notes that apps are hackable if users have root access to their devices. Various tools for hacking apps like apktool, dex2jar, and jadx are listed. The document recommends techniques like using an obfuscator, encrypting data and resources, implementing integrity protection, and detecting tampering to make apps harder to reverse engineer and repackage. It emphasizes moving critical logic to native code, using SSL, minimizing stored data, and not trusting apps.

1. is your app
hackable?
from dexprotector.com team for droidcon berlin 2015.

2. hot topic🔥

3. is your app
hackable?
- yes.

6. users with root

7. the fun part
how to hack apps?

8. quick check
1. unzip your app_1.2.3.apk from
2. copy some picture.png to assets
3. zip & sign it back
4. works?
- yes.

9. tools
u apktool
https://code.google.com/p/android-apktool/
u dex2jar
https://github.com/pxb1988/dex2jar
u jadx
https://github.com/skylot/jadx
u Java Decompiler
https://github.com/java-decompiler/jd-gui
u Androguard
https://github.com/androguard/androguard
u adb

11. 11

14. the boring part
how to develop more secure apps?

15. don’t trust your app
u process on the backend as web developers do
u move critical business logic to native code
u use SSL
u no plain text data
u minimize data stored on the device

16. proguard is essential
open source
http://proguard.sourceforge.net/
u shrinks and optimizes the code
u renames classes, methods, etc

18. Security and Design, http://developer.android.com/google/play/billing/billing_best_practices.html

19. Looks like you need an obfuscator…

20. protection goals
u Have bytecode as hard to reverse engineer as possible.
u Have strong integrity protection mechanism in order to block
repackaging ability.
u Have data and resources encrypted.

21. API_SECRET = "gamu".replace("g", "s")
.concat("rai") + "v" + "bilit".replace("i", "o").concat("e");
use cryptography standards

22. mobile security market
u
u class encryption
u resource encryption
u hiding of API calls
u integrity protection
u tamper detection
u clone protection
u root detection
u mobile
application/device
management
u rich policy control
u custom business
requirements
u fingerprinting
u integration with fraud
monitoring systems
u …
basic professional enterprise

24. 1. unzip your app_1.2.3.apk from
2. copy some picture.png to assets
3. zip & sign it back
4. works?
quick check

25. next steps
u include security into your development workflow
u do not trust your own app
u use cryptography standards
u stay informed: books, sessions, hacker tools
contacts
@dexprotector
dexprotector@licelus.com
// And my own
@kalabro
marshalkina@licelus.com