Pranay Airan, profile picture
Uploaded byPranay Airan
8,819 views

Reverse engineering android apps

This document discusses ways to secure Android applications against threats such as unauthorized code access and malware. It covers tools for code protection, including ProGuard and DexGuard, as well as methods for disassembling apps and implementing API protections. The author emphasizes that while various techniques can enhance security, no method is entirely foolproof.

Technology
Related topics:
Reverse Engineering

Embed presentation

Securing Your Android Apps By Pranay Airan @pranayairan
Pranay Airan Web application developer @Intuit Android Developer by choice  Assistant organizer Blrdroid @pranayairan
Current Threats Code Protection Tools Code Analysis Tools Android App Build Process How to disassemble Different protection techniques
Current Threats Stealing App Stealing App Unauthorized Code Assets API Access Stealing App Repackaging Malwares DB and selling and viruses Piracy
Code Protectors Progaurd Dexgaurd Java obfuscators
Code Analysis Tools Dex2jar Smali IDA Pro Dexdump
Android Application Build Process Java .java files .class files Compiler Obfuscator Jar .so Dx tool resource Signer files Obfuscator .apk files APK Builder .dex files Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
Reverse Engineering An App
Use this methods This can be used on Federal Offence ethically your apps
Lets disassemble App on phone Apk Extractor .apk files Extract APK Images DB AAPT Readable resource .dex files Manifest asset XML etc dex -> class (dex2jar) .class files Class -> java Java files
Code Protection Obfuscation Shrinker Optimization Progaurd Using Progaurd in Android
Reversed APK with Progaurd
Reversed APK with Dexgaurd
Other Techniques junk byte insertion Dynamic Code loading Self Modifying code Obfuscation at dex level Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
API Protection Google Play Service Token + Your Verify Google Client id Your Token Authutil Parameters Backend Fields Access Token Verify Token Signature Google audience:server:client_id:9414861317621.apps.googleusercontent.com
API Protection Hiding url & Use HTTPS parameters (self signed will work) Use time & Use User encoding in Agent parameters Identifier
DB Protection Hash your data 3rd Party DB encryption like SQLCipher String Encryption
To Sum Up Nothing is full proof Don’t give away your code just like that Use progaurd to protect your code Use Google Api Verification for Sensitive backend calls
Questions ??
Thank You Pranay.airan@iiitb.net @pranayairan http://goo.gl/okiJp
Useful Links • http://www.honeynet.org/downloads/Android.tar.gz • http://proguard.sourceforge.net/index.html#manual/examples. html • http://code.google.com/p/dex2jar/ • http://code.google.com/p/android-apktool/ • http://android-developers.blogspot.in/2013/01/verifying-back- end-calls-from-android.html • http://sqlcipher.net/sqlcipher-for-android/

More Related Content

PPTX
Introduction to Android and Android Studio
bySuyash Srijan
 
PDF
Android reverse engineering: understanding third-party applications. OWASP EU...
byInternet Security Auditors
 
PPT
Reverse Engineering Android Application
byn|u - The Open Security Community
 
PDF
8. Software Development Security
bySam Bowne
 
PPTX
Symantec Endpoint Protection
byMindRiver Group
 
PDF
Microservices with Spring Boot Tutorial | Edureka
byEdureka!
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PPTX
Iphone vs android
byxomo
 
Introduction to Android and Android Studio
bySuyash Srijan
 
Android reverse engineering: understanding third-party applications. OWASP EU...
byInternet Security Auditors
 
Reverse Engineering Android Application
byn|u - The Open Security Community
 
8. Software Development Security
bySam Bowne
 
Symantec Endpoint Protection
byMindRiver Group
 
Microservices with Spring Boot Tutorial | Edureka
byEdureka!
 
Application Security - Your Success Depends on it
byWSO2
 
Iphone vs android
byxomo
 

What's hot

PDF
An Introduction to the Android Framework -- a core architecture view from app...
byWilliam Liang
 
PPTX
Classification of vulnerabilities
byMayur Mehta
 
PDF
ASVS 5.0 – The rise of the Security Verification Standard - AppSec Global San...
byTuynNguyn819213
 
PPTX
CyberSecurity Best Practices for the IIoT
byCreekside Marketing Group, LLC
 
PPT
Angular App Presentation
byElizabeth Long
 
PPTX
Mobile application development ppt
bytirupathinews
 
PPTX
Angular tutorial
byRohit Gupta
 
PPT
Android Button
bybhavin joshi
 
PPT
Android Architecture
bydeepakshare
 
PPTX
Secure Software Development Life Cycle
byMaurice Dawson
 
PPTX
Digital Preservation with Archivematica
byArtefactual Systems - Archivematica
 
PPTX
Secure SDLC Framework
byRishi Kant
 
PPTX
Patch Management Best Practices
byIvanti
 
PPTX
Network Security ppt
bySAIKAT BISWAS
 
PDF
Борьба с фишингом. Пошаговая инструкция
byAleksey Lukatskiy
 
PPTX
Android Operating System Architecture
byDINESH KUMAR ARIVARASAN
 
PPTX
Basic android-ppt
bySrijib Roy
 
PDF
Network Security Presentation
byAllan Pratt MBA
 
PPTX
Cloud Security Fundamentals Webinar
byJoseph Holbrook, Chief Learning Officer (CLO)
 
PDF
Json
bykrishnapriya Tadepalli
 
An Introduction to the Android Framework -- a core architecture view from app...
byWilliam Liang
 
Classification of vulnerabilities
byMayur Mehta
 
ASVS 5.0 – The rise of the Security Verification Standard - AppSec Global San...
byTuynNguyn819213
 
CyberSecurity Best Practices for the IIoT
byCreekside Marketing Group, LLC
 
Angular App Presentation
byElizabeth Long
 
Mobile application development ppt
bytirupathinews
 
Angular tutorial
byRohit Gupta
 
Android Button
bybhavin joshi
 
Android Architecture
bydeepakshare
 
Secure Software Development Life Cycle
byMaurice Dawson
 
Digital Preservation with Archivematica
byArtefactual Systems - Archivematica
 
Secure SDLC Framework
byRishi Kant
 
Patch Management Best Practices
byIvanti
 
Network Security ppt
bySAIKAT BISWAS
 
Борьба с фишингом. Пошаговая инструкция
byAleksey Lukatskiy
 
Android Operating System Architecture
byDINESH KUMAR ARIVARASAN
 
Basic android-ppt
bySrijib Roy
 
Network Security Presentation
byAllan Pratt MBA
 
Cloud Security Fundamentals Webinar
byJoseph Holbrook, Chief Learning Officer (CLO)
 
Json
bykrishnapriya Tadepalli
 

Viewers also liked

PDF
Practice of Android Reverse Engineering
byNational Cheng Kung University
 
PDF
Understanding the Dalvik Virtual Machine
byNational Cheng Kung University
 
PDF
Understanding the Dalvik bytecode with the Dedexer tool
byGabor Paller
 
PDF
Learning by hacking - android application hacking tutorial
byLandice Fu
 
PPTX
Dancing with dalvik
byThomas Richards
 
PDF
AnDevCon: Android Reverse Engineering
byEnrique López Mañas
 
DOCX
Smali语法
byxiaoshan8743
 
PDF
Hacking your Droid (Aditya Gupta)
byClubHack
 
PPTX
Toward Reverse Engineering of VBA Based Excel Spreadsheets Applications
byREvERSE University of Naples Federico II
 
PPTX
Let's talk about jni
byYongqiang Li
 
PDF
LinkedIn - Disassembling Dalvik Bytecode
byAlain Leon
 
PPTX
Reverse Engineering .NET and Java
byJoe Kuemerle
 
PDF
Android reverse engineering - Analyzing skype
byMário Almeida
 
PPT
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
byTom Keetch
 
PDF
How to reverse engineer Android applications—using a popular word game as an ...
byChristoph Matthies
 
PDF
Android internals 05 - Dalvik VM (rev_1.1)
byEgor Elizarov
 
PPT
IEEE Day 2013 - Reverse Engineering an Android Application
byRufatet Babakishiyev
 
PPTX
How to implement a simple dalvik virtual machine
byChun-Yu Wang
 
Practice of Android Reverse Engineering
byNational Cheng Kung University
 
Understanding the Dalvik Virtual Machine
byNational Cheng Kung University
 
Understanding the Dalvik bytecode with the Dedexer tool
byGabor Paller
 
Learning by hacking - android application hacking tutorial
byLandice Fu
 
Dancing with dalvik
byThomas Richards
 
AnDevCon: Android Reverse Engineering
byEnrique López Mañas
 
Smali语法
byxiaoshan8743
 
Hacking your Droid (Aditya Gupta)
byClubHack
 
Toward Reverse Engineering of VBA Based Excel Spreadsheets Applications
byREvERSE University of Naples Federico II
 
Let's talk about jni
byYongqiang Li
 
LinkedIn - Disassembling Dalvik Bytecode
byAlain Leon
 
Reverse Engineering .NET and Java
byJoe Kuemerle
 
Android reverse engineering - Analyzing skype
byMário Almeida
 
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
byTom Keetch
 
How to reverse engineer Android applications—using a popular word game as an ...
byChristoph Matthies
 
Android internals 05 - Dalvik VM (rev_1.1)
byEgor Elizarov
 
IEEE Day 2013 - Reverse Engineering an Android Application
byRufatet Babakishiyev
 
How to implement a simple dalvik virtual machine
byChun-Yu Wang
 

Similar to Reverse engineering android apps

PPTX
Decompiling Android
byGodfrey Nolan
 
PDF
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
byArea41
 
PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
bynullowaspmumbai
 
PDF
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
byDario Incalza
 
PDF
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
byRootedCON
 
PDF
Wtf is happening_inside_my_android_phone_public
byJaime Blasco
 
PPTX
Eclispe daytoulouse combining the power of eclipse with android_fr_1024_768_s...
byMathias Seguy
 
PPTX
Fabrizio Cornelli - Securing Android Apps by Reversing - Codemotion Milan 2018
byCodemotion
 
PPTX
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
byTestDevLab
 
PDF
DexGuard
byTopher Jordan
 
PDF
Eric Lafortune - Fighting application size with ProGuard and beyond
byGuardSquare
 
PDF
Eric Lafortune - Fighting application size with ProGuard and beyond
byGuardSquare
 
PDF
Cracking the mobile application code
bySreenarayan A
 
PDF
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 
PDF
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
PDF
Android talks #08 decompiling android applications
byInfinum
 
KEY
Scala on androids
bythoraage
 
PPTX
Android village @nullcon 2012
byhakersinfo
 
PDF
OWF12/PAUG Conf Days Pro guard optimizer and obfuscator for android, eric l...
byParis Open Source Summit
 
PPTX
Hacking for fun and for profit
bydavtbaum
 
Decompiling Android
byGodfrey Nolan
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
byArea41
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
bynullowaspmumbai
 
Droidcon Greece '15 - Reverse Engineering in Android: Countermeasures and Tools
byDario Incalza
 
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
byRootedCON
 
Wtf is happening_inside_my_android_phone_public
byJaime Blasco
 
Eclispe daytoulouse combining the power of eclipse with android_fr_1024_768_s...
byMathias Seguy
 
Fabrizio Cornelli - Securing Android Apps by Reversing - Codemotion Milan 2018
byCodemotion
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
byTestDevLab
 
DexGuard
byTopher Jordan
 
Eric Lafortune - Fighting application size with ProGuard and beyond
byGuardSquare
 
Eric Lafortune - Fighting application size with ProGuard and beyond
byGuardSquare
 
Cracking the mobile application code
bySreenarayan A
 
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
Android talks #08 decompiling android applications
byInfinum
 
Scala on androids
bythoraage
 
Android village @nullcon 2012
byhakersinfo
 
OWF12/PAUG Conf Days Pro guard optimizer and obfuscator for android, eric l...
byParis Open Source Summit
 
Hacking for fun and for profit
bydavtbaum
 

Recently uploaded

PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
December Patch Tuesday
byIvanti
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
The Landscape of Computer Software Development Companies
byYash Singh
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
December Patch Tuesday
byIvanti
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 

Reverse engineering android apps

  • 1.
    Securing Your AndroidApps By Pranay Airan @pranayairan
  • 2.
    Pranay Airan Web application developer @Intuit Android Developer by choice  Assistant organizer Blrdroid @pranayairan
  • 3.
    Current Threats Code Protection Tools Code Analysis Tools Android App Build Process How to disassemble Different protection techniques
  • 4.
    Current Threats Stealing App Stealing App Unauthorized Code Assets API Access Stealing App Repackaging Malwares DB and selling and viruses Piracy
  • 5.
    Code Protectors Progaurd Dexgaurd Java obfuscators
  • 6.
    Code Analysis Tools Dex2jar Smali IDA Pro Dexdump
  • 7.
    Android Application Build Process Java .java files .class files Compiler Obfuscator Jar .so Dx tool resource Signer files Obfuscator .apk files APK Builder .dex files Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
  • 8.
  • 9.
    Use this methods This can be used on Federal Offence ethically your apps
  • 10.
    Lets disassemble App on phone Apk Extractor .apk files Extract APK Images DB AAPT Readable resource .dex files Manifest asset XML etc dex -> class (dex2jar) .class files Class -> java Java files
  • 11.
    Code Protection Obfuscation Shrinker Optimization Progaurd Using Progaurd in Android
  • 12.
  • 13.
  • 14.
    Other Techniques junk byte insertion Dynamic Code loading Self Modifying code Obfuscation at dex level Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
  • 15.
    API Protection Google Play Service Token + Your Verify Google Client id Your Token Authutil Parameters Backend Fields Access Token Verify Token Signature Google audience:server:client_id:9414861317621.apps.googleusercontent.com
  • 16.
    API Protection Hiding url& Use HTTPS parameters (self signed will work) Use time & Use User encoding in Agent parameters Identifier
  • 17.
    DB Protection Hash yourdata 3rd Party DB encryption like SQLCipher String Encryption
  • 18.
    To Sum Up Nothingis full proof Don’t give away your code just like that Use progaurd to protect your code Use Google Api Verification for Sensitive backend calls
  • 19.
  • 20.
    Thank You Pranay.airan@iiitb.net @pranayairan http://goo.gl/okiJp
  • 21.
    Useful Links • http://www.honeynet.org/downloads/Android.tar.gz •http://proguard.sourceforge.net/index.html#manual/examples. html • http://code.google.com/p/dex2jar/ • http://code.google.com/p/android-apktool/ • http://android-developers.blogspot.in/2013/01/verifying-back- end-calls-from-android.html • http://sqlcipher.net/sqlcipher-for-android/

Editor's Notes

  • #5 Piracy is being address by google play licensing services but not that effective to stop piracyStealing you IP/Code
  • #6 Progaurd is free and comes bundle with android SDKDexgaurd by same author of progaurdAllatori is paid
  • #7 All Free tool except IDA PROAPK Tool internally uses SmaliAndroid Guard is python based tool with GUI which internally uses dex2gaurd smalietcIt works only on linux, difficult to install, A VM with fully configured android guard is available on http://www.honeynet.org/downloads/Android.tar.gz
  • #8 AAPT (Android application packaging tool) converts resources reference into R.Java and compiled resources (Manifest)Java Compiler takes, R.java, Application Source code and java interfaces to generate class fileDx tool takes this .class files and 3rd party libraries and .class files to convert into dex files.so = System Objectshttp://developer.android.com/tools/building/index.html#detailed-build
  • #9 Lets Reverse engineer an android app
  • #10 Federal offence in some countriesUse this tools for securing your own apps
  • #11 ReadSmali when de-compilation fails (Dex to smali)Multiple methods to extract APK1 pulling from device – Connect USB-Cable– Use ADB (Android Debug Bridge) from SDK– No Google Play on emulator (AVD)2. Directly downloading via googleplaypythonapi from Google Play– Configured Google Account with connected https://github.com/egirault/googleplay-apiAndroid ID3. Download from Web– Alternative source– Capture transfer to
  • #12 Progaurd is simple protection tool available in android SDKIt not only acts as obfuscator but it is also a Shrinker and optimizer You can reduce size of your APK with progaurd.It is free to use and effectiveNo String encryption and advance obfuscation techniquesProgaurd can be configured to run in android during build process when you generate APKLets see how we can enable progaurd
  • #13 Lets see a sample APK With progaurd enabled
  • #14 Commercial tool by creator of progaurdAll features of progaurdAdvance obfuscation techniques with String encryption api hiding tamper detection etcLets see a apk obfuscated with dexgaurd
  • #15 Other techniques to protect your Android App Code
  • #16 New method for verifying backend calls by google play serviceVery easy to integrate works on all phones running google play services with android 2.2 and aboveNo prompting for asking anything with user runs in background Register your android app in googleapi console make client id for web application and one for android application, give your APK Signing key MD5 to protect unauthorized accessIn Android app call GoogleAuthUtil.getToken() method passing scope argument value as audience:server:client_id:X.apps.googleusercontent.com(where X is client id of your web app)User will not be prompted as system looks your server client id and since you are in the same app it gives you the token. Send this token along with your api parameters In your backend verify Access token signature with google public keyFrom the token (JSON PayLoad) get field name audazp and emailVerify from AUD if it’s the same client id as of your appOptional verification with AZP and emailSample code http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
  • #17 Simple API protection if you don’t want to use google play services
  • #18 Encrypt string this will increase the time for understanding the codesEncrypt dbShare preference is also accessibleStore credentials only in encrypted formathttp://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html