Android Reverse Engineering by Samrat Das
Abstract
• Intro to Reverse Engineering
• Short walkthrough of Windows RE
• Introduction to Mobile Security Assessments
• Dalvik Virtual Machine vs JVM
• APK Walkthrough
• Components of Android
• Steps of Reverse Engineering Android Applications
• Hands-on demos of manually reversing Android apps
• Introduction to the AppUse VM for Android assessments
• Detecting developer backdoors
• Creating Infected Android Applications
• Anti-Reversing | Obfuscation
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools (Dario Incalza)
Reverse Engineering (RE) is the art of taking an application apart and trying to understand its internal mechanisms.
There is a positive side and a negative side to this. The positive side is that RE gives us a means to research and understand malware.
The negative side is that distributed binaries can be torn apart to extract intellectual property or to inject malicious code.
The talk walks through the Android app build process and presents countermeasures that make it harder for attackers to reverse engineer your Android code. It also covers open-source tools you can use to reverse engineer Android applications and inspect them for malware.
With the growth of the app market it is essential to guard our Android apps against possible threats. In this presentation we walk through the tools and techniques someone can use to reverse engineer an Android app, and see how they can gain access to the app's database, code, API and preferences.
We also look at tools and techniques to guard an app against these threats, from code obfuscation with tools like DexGuard to newer methods such as verifying API calls with Google Play Services.
This session was given at Barcamp 13 Bangalore: http://barcampbangalore.org/bcb/bcb13/reverse-engineering-an-android-app-securing-your-android-apps-against-attacks
and at the Bangalore Android User Group January meetup: http://www.meetup.com/blrdroid/events/100360682/
This presentation lays out the main tools and techniques used to carry out reverse engineering of an Android application, with the aim of identifying malicious code in it. From the point of view of a security analyst, and in a practical way, it presents the process of analysing an existing application from the Google Play Store.
Android applications are an interesting target for reverse engineering. They are written in Java, which is traditionally easy to decompile, and are executed by Google's custom Java virtual machine, making them interesting to study. In this paper we present the basic methods and approaches as well as the necessary tools to reverse engineer Android applications. We discuss how to change Android applications and show alternative approaches including man-in-the-middle attacks and automation.
During one of my personal projects I decided to study the internals of Android and the potential of altering the Dalvik VM (e.g. Xposed framework and Cydia) and application behaviour. Not going into detail about runtime hooking of constructors and classes like these two tools provide, I also explored the possibility of reverse engineering and modifying existing applications.
On the web you can find multiple tutorials on Android reverse engineering of applications, but not many that do it with real applications, which are often subject to obfuscation or have complex execution flows. So in order to learn I decided to pick a common application such as Skype and do the following:
decompile it
study contents and completely remove some functionality (e.g. ads)
change some resources (not described in the presentation below)
recompile, sign and install.
Tools used include:
apktool – for (de)compiling android applications
jarsigner – for signing android applications
xposed – for intercepting runtime execution flow (will make public in future)
The following presentation describes the steps taken in order to completely remove the ads from Skype. This includes any computation or data plan usage the ads consume. Please note the disclaimer in the presentation, as this information is for educational purposes only.
Check my website : www.marioalmeida.eu
(CISC 2013) Real-Time Record and Replay on Android for Malware Analysis (ZongXian Shen)
1. The assessment for the appropriate record and replay architecture for real time Android malware analysis.
2. The prototype implementation and demonstration.
.NET Hijacking to Defend PowerShell, BSidesSF 2017 (Amanda Rousseau)
With the rise of attacks using PowerShell in recent months, there has not been a solid solution for monitoring or prevention. Microsoft has released AMSI for PowerShell v5, but it can also be bypassed. This talk focuses on stealthy runtime .NET hijacking techniques implemented for blue-team defences against PowerShell attacks. It starts with a light intro to .NET and PowerShell, then a deeper explanation of various attacker techniques, explained from the perspective of the blue teamer. Techniques include assembly modification, class and method injection, compiler profiling, and C-based function hooking.
In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer.
ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Beh... (ZongXian Shen)
The design memo and hack notes of ProbeDroid, a dynamic binary instrumentation kit targeting Android 5.0 (Lollipop) and above.
This is the first complete draft; an improved version will follow.
Slides from OWASP AppSec USA 2016.
For over 10 years, Visual Studio has provided basic source code analysis through FxCop and StyleCop. While these code analyzers focus mainly on design conformance, code consistency, and best practices, there is very little support for enforcing secure coding techniques. To address this gap, Microsoft started a project back in 2011 called CAT.NET to help identify secure coding bugs such as XSS, SQL Injection, and XPath Injection. Unfortunately, CAT.NET failed and never made it past the first version. Aside from purchasing expensive commercial static analysis tools, .NET development teams have been left without an easy way to integrate secure code scanning rules into Visual Studio. At least until now...
With the release of Visual Studio 2015, the open-source .NET Compiler Platform (aka “Roslyn”) exposes a set of code analysis APIs capable of querying the source code, identifying a security issue, and reporting it as code is written! In this talk, we will explore the code analysis APIs and show you how to create a live static analysis rule. Come prepared to see demonstrations of Visual Studio static analysis rules in action, and walk away with a static analysis rule pack to run against your organization’s .NET applications.
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan... (Aditya K Sood)
Bot herders deploy Command and Control (C&C) panels for commanding infected hosts and collecting data exfiltrated from them. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms that restrict direct access. However, there are fundamental mistakes in the design and deployment of these panels that can be exploited to take complete control. This talk discusses the methodology of launching reverse attacks on centralized C&C panels to derive intelligence that can be used to build automated solutions. The research shows how to detect vulnerabilities and configuration flaws in remote C&C panels and exploit them by following a penetration-testing approach. It is derived from real-world research in which several C&C panels were targeted and the intelligence gathered was used to attack the next set of panels. A number of case studies elaborate the step-by-step process of attacking and compromising C&C panels, and the talk demonstrates automated tools written to make testing easier for researchers.
DOWNLOAD from this link : http://secniche.org/blackhat-2014/
TL;DR
Motivation
Dynamic binary instrumentation
FRIDA
DBI without rooting / jailbreaking
Unleash the power of Frida
Case study for runtime exploitation
Countermeasure
References
The cyber criminal community has evolved from pranksters, lone wolves, and organized gangs to nation-states and hacktivist groups, whose primary results have been increased costs and lost productivity. As enterprises and governments connect literally everything to the Internet, the size of their attack surface has grown, opening more opportunities for cyber criminals. Many of their current exploits are going unnoticed.
(Presentation at HITcon 2011) This talk introduces how to do Android application reverse engineering by real example. And, it covers the advanced topics like optimized DEX and JNI.
This presentation gives a detailed overview of Android: the Android architecture, software stack, platform, database support, licensing, file system, network connectivity, security and permissions, IDE and tools, other IDEs, development evaluation, signing your application, versioning your application, preparing to publish your application, and publishing your app on Android Market. It also includes links to sample examples.
Note: A few slides in this presentation are taken from the internet or slideshare.com as they are, or modified slightly. I have no intention of claiming someone else's work as mine. I prepared this presentation just to educate co-workers about Android, so I wanted the best material from the internet and slideshare.com.
This slide deck covers automated and manual static code discovery of Android applications using open-source tools, reverse engineering of the APK file, and secure code review.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
The workshop also provides a thorough guide to how mobile applications can be attacked, an overview of how the most important security checks for applications are applied, and an in-depth understanding of these checks.
Course Content:
Android Introduction & Basics
Setting up the Pen testing environment
Reverse engineering & runtime manipulation
Application dynamic runtime analysis
Application Components and security issues
Data and Network interception – manipulation and analysis
Defensive Tools & Techniques for Android application
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
1. Reverse Engineering | Android Penetration Testing
13th August 2016
Samrat Das
Consultant | Cyber-Security Protection
Deloitte Touche Tohmatsu India LLP.
samratd@deloitte.com
www.deloitte.com
NULL MEET-MUMBAI
2. Contents
• Introduction to Reverse Engineering
• Why learn reverse engineering?
• Short intro to Reverse Engineering fundamentals and Assembly Language
• Reverse Engineering Windows executables
• What is the Dalvik Virtual Machine? | DVM vs JVM
• Reverse Engineering Android applications, manual step by step
• Android emulators
• Reverse engineering Android on Windows
• Reverse engineering Android on AppUse
• Components in Android forensics
• Detecting backdoors in Android applications
• How are malicious Android applications created?
• Proxying Android traffic | Burp Suite
• Exploiting Content Providers | Intent sniffing | Broadcast Receivers | Weak cryptography
• Tools intro: Apktool | JD-GUI | dex2jar | Drozer | AppUse
3. What is reverse engineering?
Decipher algorithms from executables, identify design constructs and loopholes.
Retrieve the source and origins of software for advanced analysis and documentation.
Inspect the internal workings of a virus/malware.
4. Applications of RE:
• Security auditing / vulnerability research
• Virus/malware analysis
• Software copy-protection removal (cracking)
• Analysing binary executables for modifications and comparisons
• Cryptography and encryption research
5. There are two broad levels at which RE is done on an operating system:
1) User-level debugging
2) Kernel-level debugging
Some important concepts:
1) 32-bit and 64-bit applications
2) Registers: a small set of data-holding places that are part of the processor. A register may hold an instruction, a storage address, or any kind of data. The 32-bit data registers are EAX, EBX, ECX and EDX; the lower halves of these 32-bit registers can be used as the four 16-bit data registers AX, BX, CX and DX.
6. 3) Disassembler: translates machine code into assembly language.
4) Decompiler: takes an executable file as input and attempts to create a high-level, compilable source file.
5) Debugger: used to test and debug other programs.
7. 6) Crackmes:
In simple words, a crackme is a small program designed to test a programmer's reverse engineering skills.
They are written by other reversers as a legal way to practise "cracking" software, since cracking commercial software is illegal; crackmes are a legitimate way to learn the same techniques.
Most commercial software is cracked in a similar fashion, though recent higher-end software is usually "obfuscated" or "packed" to hinder reversing (security measures applied as anti-reversing).
8. The CPU’s registers
The Intel 32-bit x86 registers:
EAX   accumulator
EBX   base
ECX   counter
EDX   data
ESP   stack pointer
EBP   base pointer
ESI   source index
EDI   destination index
EIP   instruction pointer
9. Demo for Windows exe reversing
Live Example:
• Using a crackme utility
11. Mobile OWASP Top 10 Checklist
• Weak Server Side Controls
• Insecure Data Storage
• Insufficient Transport Layer Protection
• Unintended Data Leakage
• Poor Authorization and Authentication
• Broken Cryptography
• Client Side Injection
• Security Decisions Via Untrusted Inputs
• Improper Session Handling
• Lack of Binary Protections
13. What is an APK file? Anatomy of an APK
Android applications are distributed in the form of a zipped archive with the file extension
.apk, which stands for Android Package.
The official MIME type of an Android Package is application/vnd.android.package-archive.
These packages are nothing more than zip files containing the relevant compiled application
code, resources, and application metadata required to define a complete application.
14. Anatomy of an APK
A typical application package contains:
classes.dex (file)
AndroidManifest.xml (file)
META-INF (folder)
resources.arsc (file)
res (folder)
assets (folder)
lib (folder)
15. assets — Allows the developer to place files in this directory that they would like
bundled with the application.
res — Contains all the application activity layouts, images used, and any other
files in a structured way. These files are placed in the raw/ subdirectory.
lib — Contains any native libraries that are bundled with the application. These
are split by architecture under this directory and loaded by the application
according to the detected CPU architecture; for example, x86, ARM, MIPS.
META-INF — This folder contains the certificate of the application and files that
hold an inventory list of all included files in the zip archive and their hashes.
classes.dex — The executable file containing the Dalvik bytecode of the
application. It is the actual code that will run on the Dalvik Virtual Machine.
AndroidManifest.xml — The manifest file containing all configuration
information about the application and its defined security parameters. This will be
explored in detail later.
resources.arsc — Resources can be compiled into this file instead of being put
into the res folder. It also contains the application's strings.
16. Steps: Android reverse engineering includes five steps:
1. Extraction
2. Decoding
3. Modifying
4. Encoding
5. Packing
1. Extraction
Separating an .apk file into multiple files.
2. Decoding
Converting the .dex Dalvik bytecode into Java class files or baksmali (.smali)
files.
3. Modification
Altering the application bytecode, AndroidManifest.xml, application
assets, and resources.
18. 4. Encoding
1. Modified .xml files must be converted back into their binary formats.
2. A new classes.dex is created from the modified .smali files.
3. The assembled directory is produced by combining all .smali files into a single .dex file.
5. Packing
All application files, such as the assembled .dex files, binary .xml files, and
application assets, must be stored in a Zip archive.
The process to sign an .apk file is based on the JAR signing process.
The jarsigner utility is used to sign .apk files with RSA certificates.
The packing step also aligns the contents of the .apk file, which is performed with the zipalign
utility.
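As an added example (not code from the deck), the script below ties the anatomy slide to the packing step: it opens an APK as the zip it is, reports the dex version, native ABIs and whether a v1 (JAR-style) signature is present, and checks every file against the digest inventory in META-INF/MANIFEST.MF, which is exactly what a repacked-but-unsigned APK fails. The APK, its MANIFEST.MF and the PKCS7 placeholder are constructed in memory; only the standard library is used.

```python
# Added example (not from the original slides): inspect an APK's anatomy and
# verify the META-INF/MANIFEST.MF inventory digests. The APK is a constructed,
# in-memory stand-in: real dex header, hand-written MANIFEST.MF, placeholder PKCS7.
import base64, hashlib, io, zipfile


def b64_digest(algo: str, data: bytes) -> str:
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def build_sample_apk(replace_after_signing: dict = None) -> bytes:
    # Constructed sample with the files and folders listed on the slide.
    files = {
        "AndroidManifest.xml": b"<binary AXML placeholder>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 100,
        "resources.arsc": b"\x02\x00\x0c\x00",
        "res/layout/main.xml": b"<layout/>",
        "assets/config.json": b'{"debug": false}',
        "lib/arm64-v8a/libnative.so": b"\x7fELF" + b"\x00" * 16,
    }
    # MANIFEST.MF: one "Name:" / "SHA-256-Digest:" section per archive entry.
    sections = ["Manifest-Version: 1.0\n"]
    for name, data in files.items():
        sections.append(f"Name: {name}\nSHA-256-Digest: {b64_digest('sha256', data)}\n")
    files["META-INF/MANIFEST.MF"] = "\n".join(sections).encode()
    files["META-INF/CERT.RSA"] = b"<PKCS7 signature placeholder>"
    # Entries swapped in here bypass the inventory, as a crude repack would.
    files.update(replace_after_signing or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest_mf(text: str) -> dict:
    # {entry: (hashlib algo, base64 digest)}; accepts SHA1 and SHA-256 digests.
    entries, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif name and line.startswith(("SHA-256-Digest: ", "SHA1-Digest: ")):
            algo, digest = line.split(": ", 1)
            entries[name] = ("sha256" if algo == "SHA-256-Digest" else "sha1", digest)
    return entries


def inspect_apk(apk_bytes: bytes) -> dict:
    # Summarise anatomy and list entries whose bytes no longer match the inventory.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = z.read("classes.dex") if "classes.dex" in names else b""
        inventory = parse_manifest_mf(z.read("META-INF/MANIFEST.MF").decode())
        bad = [n for n, (algo, d) in inventory.items() if b64_digest(algo, z.read(n)) != d]
    return {
        "dex_version": dex[4:7].decode() if dex.startswith(b"dex\n") else None,
        "abis": sorted({n.split("/")[1] for n in names if n.startswith("lib/")}),
        "signed_v1": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names),
        "digest_mismatches": bad,
    }
```

Real APKs use apksigner's v2/v3 block signatures in addition to (or instead of) META-INF; this check covers only the JAR-style inventory the slide describes.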
19. Some exploitation / reverse engineering tools for Android:
• Dex2jar
• Java decompiler (JD-GUI)
• Apktool
• APK Analyser
• Drozer
Apktool alternative: Virtuous Ten Studio (VTS), a GUI tool.
The main advantage of Apktool over JD-GUI is that after modifying the decoded files you can
recompile them back using Apktool; it will recompile perfectly and generate a new .apk file.
Drozer
drozer is an Android assessment tool created to test each aspect of an Android application in a
dynamic way.
Finding vulnerabilities in applications or devices—It allows you to assume the role of an
installed Android application and interact with other apps and the underlying operating system
in search of vulnerabilities.
Providing exploits and useful payloads for known vulnerabilities—It does this by building
malicious files or web pages that exploit known vulnerabilities to install drozer as a remote
administration tool.
20. How drozer Works
drozer is a distributed system that makes use of some key components:
Agent—A lightweight Android application that runs on the device or emulator being used for
testing. There are two versions of the agent: one that provides a user interface and embedded
server, and another that does not contain a graphical interface and can
be used as a Remote Administration Tool on a compromised device.
Console—A command-line interface running on your computer that allows you to interact with
the device through the agent.
Server—Provides a central point where consoles and agents can rendezvous, and routes
sessions between them.
21. Various components of Android:
Activities: The visual screens which a user can interact with
(buttons, images, TextView, etc.).
Services: Components which run in the background.
Broadcast Receivers: Receivers that listen to incoming broadcast messages from the
Android system. Once they receive a broadcast message, a particular action can be
triggered depending on the predefined conditions.
Shared Preferences: Used by an application in order to save small sets of
data for the application. This data is stored inside a folder named shared_prefs. These small
datasets may include name-value pairs such as the user's score in a game and login
credentials.
Intents: Components which are used to bind two or more different Android components
together.
Content Providers: Used to provide access to a structured set of data to be used by the
application. An application can access and query its own data or the data stored in the
phone using Content Providers.
22. Things we need
Dex2Jar (https://sourceforge.net/projects/dex2jar/)
JD-GUI (https://github.com/java-decompiler/jd-gui)
APK-tool (https://ibotpeaches.github.io/Apktool/)
An intentionally vulnerable application for hands-on
(https://codeload.github.com/dineshshetty/Android-InsecureBankv2/zip/master)
23. Demo for Android reversing
Live Example:
• Decompiling a sample Android application
24. Preliminary step: conversion of the .dex file to a .jar file:
Open up the dex2jar folder.
On Windows, use the d2j-dex2jar.bat file, keeping the apk file
in the same folder for ease.
Alternatively, you can select the .dex file directly, obtained by
extracting the apk as a zip, as shown below.
25. 1) Once you run d2j-dex2jar.bat on the apk, the
following jar file, InsecureBankv2-dex2jar.jar, will be created.
Once you have the jar file, we can proceed to get the
class files and the source code for the class files.
26. Next step: viewing class files from the jar file:
1) Launch JD-GUI and import the jar file into it.
As you can see, we get the class files, from which we can get an idea
of the source code!
28. The next step is getting to know the application further by going into the
resource files!
At this point, we can use the powerful apktool for analysing the apk.
Apktool has multiple switches and can be used for decompiling files as well as
recompiling them into modified versions:
d stands for decode
b stands for build
You can look for more info on
https://ibotpeaches.github.io/Apktool/documentation/
29. Here we will use the d option to decode the apk and analyse its
contents.
Once you do this, we can see the following output:
30. As you can see here, we have got the different files of the apk, the sections of
which I have already described above.
Analyzing the AndroidManifest.xml file will tell us what system-level
access the application can gather. For example, the above application’s
manifest file gives:
31. As you can see above, the application can read your storage memory, write
data, send SMS, and read your contacts, as well as the network state and call logs. From a
hacker’s point of view, one could backdoor the application and steal complete
information from the user's phone!
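As an added example (not code from the deck), the script below does the manifest review from the last two slides on a manifest decoded by apktool d: it lists the requested permissions, picks out the ones the slide calls out, and also reports the application flags a reviewer would check in the same file. The manifest and the watch-list are constructed here; only the standard library is used.

```python
# Added example (not from the original slides): summarise what a decoded
# AndroidManifest.xml (as written out by apktool d) lets the app do. The
# manifest and the watch-list of sensitive permissions are constructed here.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace

# Constructed watch-list keyed to the capabilities the slide calls out.
SENSITIVE = {
    "android.permission.READ_EXTERNAL_STORAGE": "read storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write storage",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.ACCESS_NETWORK_STATE": "read network state",
    "android.permission.READ_CALL_LOG": "read call logs",
}

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructedbank">
    <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:debuggable="true" android:allowBackup="true">
        <activity android:name=".LoginActivity"/>
    </application>
</manifest>
"""


def audit_manifest(manifest_xml: str) -> dict:
    """Requested permissions, the sensitive subset, and risky application flags."""
    root = ET.fromstring(manifest_xml)
    requested = [e.get(A + "name") for e in root.iter("uses-permission")]
    sdk = root.find("uses-sdk")
    app = root.find("application")
    # debuggable="true" lets a debugger attach to the release build;
    # allowBackup="true" lets adb backup copy out the app's private data.
    risky = [f for f in ("debuggable", "allowBackup")
             if app is not None and app.get(A + f) == "true"]
    return {
        "package": root.get("package"),
        "target_sdk": int(sdk.get(A + "targetSdkVersion")) if sdk is not None else None,
        "requested": requested,
        "sensitive": {p: SENSITIVE[p] for p in requested if p in SENSITIVE},
        "risky_application_flags": risky,
    }
```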
So far we have explored the analysis and code-deciphering of apk files;
let's see further what we can do.
32. Detecting Backdoors in Android Apps
Many a time, malicious developers leave backdoors in applications by
which they can get access to your machines; inspecting the code can give
you hints, as well as the code by which they have done so. The same app
which we are inspecting allows us to use a backdoored credential to perform
a login! Let’s see:
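As an added example (not code from the deck), the scanner below looks in decompiled smali for the shape of such a backdoor: a login or authentication method that compares one of its parameters with a string literal. It tracks which literal each register holds inside a method and reports equals() calls on parameter registers. The smali, class name and credential strings are constructed for the example.

```python
# Added example (not from the original slides): scan decompiled smali for the
# pattern behind a hard-coded login backdoor, a login/auth method comparing one
# of its parameters against a string constant. The smali below is constructed.
import re

SAMPLE_SMALI = """\
.class public Lcom/example/constructedbank/LoginActivity;
.method private isValidLogin(Ljava/lang/String;Ljava/lang/String;)Z
    .locals 2
    const-string v0, "devadmin"
    invoke-virtual {p1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v1
    if-eqz v1, :cond_0
    const-string v0, "backdoor-pass"
    invoke-virtual {p2, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v1
    :cond_0
    return v1
.end method
.method private showBanner()V
    .locals 1
    const-string v0, "Welcome"
    return-void
.end method
"""

METHOD_RE = re.compile(r"^\.method\s+(?:\w+\s+)*([\w$<>]+)\(")
CONST_RE = re.compile(r'^const-string\s+(v\d+),\s*"([^"]*)"')
EQUALS_RE = re.compile(r"^invoke-virtual\s+\{(\w+),\s*(v\d+)\},\s*Ljava/lang/String;->equals\(")
SUSPECT_NAMES = ("login", "auth", "password", "credential", "valid")


def find_hardcoded_credential_checks(smali: str) -> list:
    """(method, parameter register, literal) for each equals() of a parameter against a constant."""
    findings, method, consts = [], None, {}
    for raw in smali.splitlines():
        line = raw.strip()
        m = METHOD_RE.match(line)
        if m:
            method, consts = m.group(1), {}    # new method: forget register contents
            continue
        if line == ".end method":
            method = None
            continue
        c = CONST_RE.match(line)
        if c:
            consts[c.group(1)] = c.group(2)    # register -> literal it now holds
            continue
        e = EQUALS_RE.match(line)
        if e and method and e.group(2) in consts:
            receiver, literal = e.group(1), consts[e.group(2)]
            # p-registers are parameters, i.e. caller-supplied (user) input
            if receiver.startswith("p") and any(k in method.lower() for k in SUSPECT_NAMES):
                findings.append((method, receiver, literal))
    return findings
```

Run it over every .smali file apktool produced and review each hit by hand; a constant compared to user input in a login path is a strong lead, not a verdict.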
34. Creating infected versions of apps:
1. Decompile the legitimate application using apktool.
2. Decompile the malicious application to generate the smali
files of its Java classes. Here, we need to put all the malicious activities in the service.
E.g., we created a malicious service “malware.smali”.
3. Copy the malware.smali file to the smali folder inside the
folder in which we have decompiled the legitimate app.
4. Change references to the package name in malware.smali to
the package name of the legitimate application.
35. Useful Hacking Tools
List of additional tools useful in Android phone testing:
Android Debug Bridge
• A client-server program. It includes a client (that runs on the
system), a server handling the communication (also running on the
system), and a daemon running on the emulator and devices as a
background process.
Burp Suite
• We will use this in order to intercept and analyze the network traffic.
36. Anti-reverse engineering protection for Android
http://proguard.sourceforge.net/
ProGuard is a free Java class file shrinker, optimizer, obfuscator,
and preverifier. It detects and removes unused classes, fields,
methods, and attributes.
It optimizes bytecode and removes unused instructions. It
renames the remaining classes, fields, and methods using short
meaningless names.
This makes the decompiled code much harder to read. For
example, "DescriptiveClassName.descriptiveMethodName()"
becomes "A.b()".
DexProtector is a protector and obfuscator for the Android
platform. It helps you secure your Android applications and
Android libraries (AARs) against unauthorized or illegal use,
reverse engineering, and cracking.
https://dexprotector.com/ (trial)
37. Rooting Android
Rooting Objectives
A typical objective of rooting an Android device is so that you can put a su binary in a directory on the PATH (for example,
/system/bin or /system/xbin). The job of the su binary is to allow a user to switch security contexts and become another user,
including root.
    #include <stdio.h>
    #include <unistd.h>

    /* Minimal su: switch to uid/gid 0 and exec a shell, forwarding any arguments. */
    int main(int argc, char **argv)
    {
        /* both calls return non-zero on failure (e.g. the binary is not setuid root) */
        if (setgid(0) || setuid(0))
            fprintf(stderr, "su: permission denied\n");
        else
        {
            char *args[argc + 1];
            args[0] = "sh";
            args[argc] = NULL;
            int i;
            for (i = 1; i < argc; i++)
                args[i] = argv[i];
            execv("/system/bin/sh", args);   /* only returns if the exec fails */
        }
        return 1;
    }
Using setuid(0) and setgid(0) to change to the root user’s context means that any application that executes su will
receive root context, and no checks are performed or prompts shown to the user.
38. Using an Exploit
Android uses the Linux kernel and also contains code added by device manufacturers.
Like most code, these implementations could contain bugs. These bugs could be anything from a simple
mistake in the permissions of a particular file to driver code that does not handle certain user input
securely.
GINGERBREAK—EXPLOITING AOSP KERNEL CODE
The vulnerability exploited by Gingerbreak exists in the Volume Manager (vold) on
Android versions 2.2 (Froyo) and 3.0 (Honeycomb).
vold manages the mounting of external storage volumes on Android. The vulnerability
was an out-of-bounds array access that allowed the exploit author to overwrite entries
in the Global Offset Table (GOT) to trick the system into executing a copy of the sh binary as root:
http://c-skills.blogspot.com/2011/04/yummy-yummygingerbreak.html.
39. EXYNOS ABUSE—EXPLOITING CUSTOM DRIVERS
Device manufacturers sometimes have to include custom device drivers in order to interface
with included hardware. The standard of the code or configuration in some cases is not of the
highest quality, and discovered vulnerabilities can be used to gain root access.
An exploit for an issue discovered in devices using Exynos processors, such as the Samsung
Galaxy S3, appeared in the following forum post:
http://forum.xda-developers.com/showthread.php?t=2048511.
The forum post detailed that a block device located at /dev/exynos-mem allowed the mapping
of kernel memory into user space by any user.
The exploitation technique used was to patch a comparison made in the setresuid() function.
This comparison is normally cmp r0, #0 and was altered to cmp r0, #1 as a result of having
complete access to the memory space, which meant that when setresuid(0) was called later on in
the code, access was granted to change to the root context. This exploit also elegantly bypassed
the kptr_restrict memory protection, which does not allow applications to read /proc/kallsyms
and obtain kernel pointers. It did so by changing the enforcing flag of this check in live memory.
40. Intent Sniffing
Intent sniffing is when a broadcast receiver can register to receive
broadcasts that may have been intended for other applications.
This is possible because some applications broadcast intents and do not
define a required permission that a broadcast receiver must hold in order to receive the intent,
or do not provide a destination package for the intent.
You can review the source code of an application in search of intents being
sent using the sendBroadcast() method and then register a receiver that catches this information
from a non-privileged application.
You can catch these intents in drozer using the app.broadcast.sniff module.
41. Fragment Injection attack:
Android has smaller UI elements named fragments. A security researcher publicized a
vulnerability that affected all applications with exported activities that extend the PreferenceActivity class.
The onCreate() method of the PreferenceActivity class was discovered to retrieve an extra named
:android:show_fragment from the user-supplied bundle. This extra can be provided by the application that
sent the intent, and it specifies the name of a fragment within the target application to be loaded.
This allows the loading of any chosen fragment within the activity, including fragments that may only have
been used inside non-exported activities under normal use.
All exported activities that extend PreferenceActivity and run on Android 4.3 or earlier are vulnerable.
Performing poor validation on the fragment name supplied to the validation method, or simply returning true
from it without performing any checks, would still leave fragment injection attacks possible.
42. Secure coding for ANDROID
Principle of Least Exposure
Application Components
An application should reduce its exported application components down to the
essentials. The fewer exported components, the better. In the application shown, only its main
activity is exported so that it can be launched.
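As an added example (not code from the deck) serving both the least-exposure principle here and the intent sniffing slide earlier, the script below computes each component's effective exported status from a decoded manifest and flags the exported receivers that declare no android:permission, which is the receiver-side counterpart of the unprotected broadcasts the sniffing slide describes. The manifest, package and component names are constructed.

```python
# Added example (not from the original slides): work out which components a
# decoded AndroidManifest.xml really exposes. Before Android 12 a component with
# no android:exported attribute was exported whenever it declared an
# <intent-filter>; exported receivers lacking android:permission are flagged too.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructedbank">
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ChangePasswordActivity" android:exported="true"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SyncReceiver" android:permission="com.example.constructedbank.SYNC">
      <intent-filter><action android:name="com.example.constructedbank.SYNC"/></intent-filter>
    </receiver>
    <provider android:name=".TrackProvider" android:exported="false"
        android:authorities="com.example.constructedbank.track"/>
  </application>
</manifest>
"""


def is_exported(component: ET.Element) -> bool:
    # Explicit attribute wins; otherwise an intent-filter implies exported.
    # (Providers in apps targeting API 16 or lower default to exported even
    # without a filter; that older rule is not modelled here.)
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def audit_exposure(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    exported, implicit, open_receivers = [], [], []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            name = comp.get(A + "name")
            exported.append(name)
            if comp.get(A + "exported") is None:
                implicit.append(name)      # exposed only because of its intent-filter
            if tag == "receiver" and comp.get(A + "permission") is None:
                open_receivers.append(name)
    return {"exported": exported, "implicitly_exported": implicit,
            "receivers_without_permission": open_receivers}
```

Every name in implicitly_exported deserves an explicit android:exported decision, and every name in receivers_without_permission should either gain a permission or stop being exported.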
Data Storage
If the storage of any application data is not absolutely necessary, simply don't store it.
This includes storing data in the application's private data directory or on the SD card.
Interacting with Untrusted Sources
An application that retrieves information from the SD card, the Internet, Wi-Fi,
Bluetooth, or any other source that is not directly under the control of the application should be
scrutinized for authenticity.
43. Requesting Minimal Permissions
Request the fewest permissions necessary for your application to function
correctly. Performing a task in a way that does not require an extra permission would generally be
considered the most secure option. In addition to this, requesting as few permissions as possible helps
put more security-minded users at ease.
Doing so also reduces the impact of someone exploiting your application.
Bundling Files Inside the APK
Before releasing your app to the world, take the time to unzip the APK and check
what is inside, because you might find other files unintentionally included inside your APK.
44. Task Manager Snooping
Two configurations enable you to avoid having the contents of your application's activities appear in the
recent application list: you can choose to show a blank screen in the Recent list, or remove the entry from
the list altogether. To make an activity show as a blank screen, implement the following code inside the
onCreate() method of the activity:
getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
The FLAG_SECURE parameter ensures that the contents will not appear in screenshots.
Tapjacking
To ensure that performing tapjacking attacks on sensitive activities within your application is not
possible, you can apply attributes to a View. You can set the following attribute in the layout file of your
activity on each item that inherits from View:
android:filterTouchesWhenObscured="true"
Ensuring Secure Trust Boundaries
If your application contains a login screen or any other form of trust boundary, then take care as to how it
is handled. If your login activity contains a way to start activities that were only intended for trusted
users, the authentication model of the application may be defeated.