Reverse Engineering Obfuscated Android Applications
Tom Keetch, IntrinSec SSA Ltd.
SteelCon – Sheffield – 4th July 2015
About Me
• Independent Software Security Consultant in London
• IntrinSec SSA Ltd.
• All forms of software security consultancy
• Process / SDLC
• Architecture / Design Review
• Code Review (white-box)
• Reverse Engineering / Penetration Testing (black-box)
• Interested in: reverse engineering, sandboxes/containers/virtualization, low-level software, cryptographic protocols
• Contact: @tkeetch, tom@intrinsec.co.uk
Contents
• Introduction
• Reverse Engineering
• Android Application Runtime Environment
• Android Reverse Engineering Tools
• Standard Tools & Techniques
• Reverse Engineering Obfuscated Applications
• More advanced material
• Conclusions
Reverse Engineering
Reverse Engineering
• The process of decomposing an object or system to discover its internal operation or construction.
• With software, we usually have a full description of the program in a machine-readable form, but we want it in a human-understandable form.
• Techniques fall into two main groups:
• Static Analysis
• Runtime Analysis
• The focus of this presentation is static analysis
Reverse Engineering Inputs
• Compiled object code
• Dynamic application behaviour
• Static Resources – configuration files etc.
• Associated systems e.g. server for a client
• Similar applications / systems
• Public Documentation / Standards
• Open source code (e.g. libraries, LGPL components)
• Patents
• Company Structure & History
• Mergers, Acquisitions, Licensing Deals
• Open Source Intelligence (e.g. LinkedIn, Leaked Documents)
Static vs. Dynamic Analysis
• Typically want to combine both approaches
• Sometimes static analysis is required first to:
• Remove anti-debugging functionality
• Bypass root/jailbreak detection
• Identify hidden functionality
• Disable certificate pinning
• Dynamic analysis can be faster if app is heavily obfuscated
• Dependent on the app, and what you want to find out
• Normally fastest way to identify attack surface
Reverse Engineering - Legality (Note: IANAL)
Reverse Engineering – Legal Impediments
• End User License Agreements (EULAs)
• Anti-Circumvention Legislation (e.g. DMCA)
• Non-Disclosure Agreements (NDAs)
• Trade Secrets / Law of Confidence (UK)
• Copyright
• Future: Wassenaar Arrangement (?!#?)
• Esp. Dual-use technologies.
• Computer Misuse Act (!)
More Background: http://www.computing.co.uk/ctg/analysis/2373094/trade-secrets-and-reverse-engineering-the-legal-view
The Android Runtimes
Android Applications - Platforms
Dalvik Runtime
• The original Android Runtime (Android 1.0, 2008)
• An application virtual machine similar to the JVM
• Just In Time compilation (JIT) of bytecode
• Optimised for mobile devices
• DEX (Dalvik Executable) => ODEX (Optimised DEX)
• ODEX files don’t need to be portable, so optimisations can be OS/device/platform specific.
ART
• New Android Runtime
• Previewed in KitKat (Android 4.4, 2013)
• Now default runtime in Lollipop (Android 5.0, 2014)
• Compiles DEX files to native ELF executables at install-time
• Uses Ahead Of Time (AOT) compilation
• Instead of Just In Time (JIT) compilation
[Figure: Dalvik vs. ART runtime overview. Source: https://commons.wikimedia.org/wiki/File:ART_view.png]
DEX files are common to both the Dalvik and ART runtimes, and are packaged in an APK.
Let’s Reverse an Android App!
First we need an APK…
1) Download from App Store
• Web Application: http://apps.evozi.com/apk-downloader/
• Firefox plugin: https://addons.mozilla.org/en-US/firefox/addon/apk-downloader/
• Chrome plugin: https://chrome.google.com/webstore/detail/apk-downloader/cgihflhdpokeobcfimliamffejfnmfii
2) Copy from the device
• adb shell pm list packages
• adb pull "/data/apps/<package_name>.apk"
3) Download from a 3rd Party AppStore
• Not always a good idea…
Inside the APK
An APK is just a ZIP archive, containing:
• /assets/
• /lib/
• /META-INF/
• /res/
• AndroidManifest.xml
• classes.dex
• resources.arsc
APK Analysis Process
APK → DEX Bytecode → Smali Disassembly → Java Source Code → Understandable Code
Reversing an APK
java -jar apktool.jar decode in.apk
java -jar apktool.jar build in.apk
APK Analysis Tools – apktool & baksmali
java -jar apktool.jar decode -s in.apk
java -jar baksmali.jar classes.dex
APK Analysis Tools –smali & apktool
java -jar apktool.jar build <app_path>
java -jar smali.jar *.smali
APK Analysis Tools – dex2jar & jd-gui
APK → DEX Bytecode → Java ARchive (JAR) → Java Source Code → Understandable Code
Windows: d2j-dex2jar.bat -o out.jar in.apk\classes.dex
Linux: d2j-dex2jar.sh -o out.jar in.apk/classes.dex
JD-GUI – Java Decompiler
Reversing an APK – JEB Decompiler
JEB Decompiler – a[n expensive] commercial tool
Detour: Modifying the APK
• Put the Android device in development mode.
• Alter the Smali code (not covered in this presentation)
• Assemble the modified code using smali
• Re-package the APK using apktool or Zip (depending on unpacking)
• Sign the APK package with jarsigner.jar
• Instructions: http://developer.android.com/tools/publishing/app-signing.html#signing-manually
• Use the debug keystore located at: <HOME>/.android/debug.keystore
• Keystore password "android"
• Install the new APK with adb:
• adb install modified.apk
Java Source Code?
• After running jd-gui or JEB, we will have Java Source code!
• It may be easily readable, or it could be ()BfuSc4t3d….
Overcoming Obfuscation
Obfuscated Java Code
• All classes, methods, variables renamed to single Unicode characters, “semantically meaningless names”…
It’s Not All Bad…
• Some code can’t be obfuscated:
• Primitive types
• Standard Java API calls
• Exported/Public APIs
• Code relying on Java Reflection
Identifying Classes (1)–(4)
[Class-hierarchy diagrams; only the node labels survive extraction:
(1) Object, Class A, Class B, Class C
(2) Object, Service, Class B, Class C
(3) Object, Class A, Class B, Class C, ISerializable
(4) Object, Class A, Class B, Class C, ISomeInterface, IOtherInterface]
Android Manifest
• The manifest cannot be obfuscated
• It needs to be readable by Android OS
• Encoded in a Binary Format called Android XML (AXML)
• Decode contents using AXMLPrinter2.jar or aapt (from the SDK):
• java -jar AXMLPrinter2.jar ./in.apk/AndroidManifest.xml
• aapt dump xmltree in.apk AndroidManifest.xml
Android Manifest Contents
• Statically Registered Broadcast Receivers
• For notifications of system events, or broadcast messages
• Public/Private Activities
• Especially Browsable Activities
• Public/Private Content Providers
• Permissions
• Requested Permissions
• Custom Permissions
• Public/Private Services
Where to Start?
• Identify classes associated with application entry-points. For example:
• android.app.Activity
• android.content.BroadcastReceiver
• android.content.ContentProvider
• android.content.Intent
• android.content.IntentFilter
• android.app.Service
• Other interesting functionality:
• References to the Cipher class, encryption classes, or large arrays
• Reflection API methods such as getMethod() and invoke()
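An added example, not from the slides: a first triage pass over baksmali output that flags the starting points listed on this slide (entry-point superclasses, reflection calls, Cipher use, large constant arrays) plus the .implements lines that help identify renamed classes. The smali input is constructed for the example and mimics apktool/baksmali output rather than any real application.

```python
# Added example: triage of baksmali output for the "Where to Start?" items.
# Not code from the slides; SAMPLE_SMALI is constructed input.
import re

ENTRY_POINT_SUPERCLASSES = {
    "Landroid/app/Activity;", "Landroid/app/Service;",
    "Landroid/content/BroadcastReceiver;", "Landroid/content/ContentProvider;",
}
REFLECTION_CALL = re.compile(r"Ljava/lang/(?:Class|reflect/Method);->(getMethod|invoke)\(")
CIPHER_CALL = re.compile(r"Ljavax/crypto/Cipher;->")
ARRAY_DATA = re.compile(r"^\.array-data\s+(\d+)")      # element width in bytes

SAMPLE_SMALI = {                                         # constructed input
    "a/b.smali": """\
.class public La/b;
.super Landroid/app/Activity;
.implements Ljava/io/Serializable;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
""",
    "a/c.smali": """\
.class public final La/c;
.super Ljava/lang/Object;
.method static constructor <clinit>()V
    fill-array-data v0, :array_0
    return-void
    :array_0
    .array-data 2
        0x14s
        0x1s
        -0x2s
        0x13s
        0x5s
    .end array-data
.end method
.method static a(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/Object;
    const-class v0, Ljava/lang/String;
    invoke-virtual {v0, p0, v1}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    move-result-object v2
    invoke-virtual {v2, p1, v1}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-object v2
.end method
""",
    "a/d.smali": """\
.class public La/d;
.super Landroid/content/BroadcastReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    const-string v0, "AES/CBC/PKCS5Padding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    return-void
.end method
""",
}


def triage(smali_files, large_array_bytes=32):
    """Map {path: smali text} -> {class descriptor: sorted list of findings}."""
    findings = {}
    for text in smali_files.values():
        cls, hits = None, set()
        width, count, in_array = 0, 0, False
        for raw in text.splitlines():
            line = raw.strip()
            if in_array:                       # inside a fill-array-data literal
                if line == ".end array-data":
                    in_array = False
                    if count * width >= large_array_bytes:
                        hits.add(f"large-array:{count * width} bytes")
                elif line:
                    count += 1                 # baksmali emits one element per line
                continue
            if line.startswith(".class "):
                cls = line.split()[-1]
            elif line.startswith(".super ") and line.split()[-1] in ENTRY_POINT_SUPERCLASSES:
                hits.add("entry-point:" + line.split()[-1])
            elif line.startswith(".implements "):
                hits.add("implements:" + line.split()[-1])
            elif (m := REFLECTION_CALL.search(line)):
                hits.add("reflection:" + m.group(1))
            elif CIPHER_CALL.search(line):
                hits.add("crypto:Cipher")
            elif (m := ARRAY_DATA.match(line)):
                width, count, in_array = int(m.group(1)), 0, True
        if cls and hits:
            findings[cls] = sorted(hits)
    return findings


if __name__ == "__main__":
    for cls, hits in triage(SAMPLE_SMALI).items():
        print(cls, hits)
```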
Some Common Obfuscations
Improve/retain Performance
• Dead code removal
• Class/method/field/variable renaming
• Remove logging code
• Peephole optimisations
Degrade Performance
• String encryption*
• Call-hiding with reflection*
• Resource/asset encryption
• Control flow obfuscation
• Junk code insertion
• Data Flow obfuscation
DexGuard String Encryption
ProGuard & DexGuard
• Proguard ships for free with the Android SDK
• DexGuard is a paid version by the same author
Example: DexGuard String Encryption
public void LoadObfuscatedAsset() {
    …
    InputStream obfAsset = OsAppContext.getAssets().open(
        ObfuscatedAppConfig.Lookup(
            ObfuscatedAppConfig.LookupTable[12],
            52,
            ObfuscatedAppConfig.LookupTable[67] - 1));
    …
}
ObfuscatedAppConfig.Lookup
• Let’s reverse the ‘Lookup’ method used by the “configuration” class
• It takes 3 integers and returns a String.
• I’ve simplified the Java a little first
• We’ll go step by step through the reasoning
• Don’t worry about following the code, just the logic.
• We could just copy and paste the code to get the decrypted string.
// Step 1: the decompiler output, lightly simplified; the names are the decompiler's
private static String Lookup(int arg6, int arg7, int arg8) {
    int v3;
    int v2;
    arg7 = 62 - arg7;
    arg8 += 2;
    short[] Lookup = Deobfuscate.LookupTable;
    int v1 = 0;
    arg6 += 65;
    byte[] b = new byte[arg8];
    --arg8;
    while(true) {
        ++arg7;
        b[v1] = ((byte)arg6);
        if(v1 == arg8) {
            return new String(b);
        }
        else {
            ++v1;
            v2 = arg6;
            v3 = Lookup[arg7];
        }
        arg6 = v2 + v3 - 29;
    }
}
// Step 2: 'b' is only ever written and then returned as the String, so it is the output buffer -> outBuffer
private static String Lookup(int arg6, int arg7, int arg8) {
    int v3;
    int v2;
    arg7 = 62 - arg7;
    arg8 += 2;
    short[] Lookup = Deobfuscate.LookupTable;
    int v1 = 0;
    arg6 += 65;
    byte[] outBuffer = new byte[arg8];
    --arg8;
    while(true) {
        ++arg7;
        outBuffer[v1] = ((byte)arg6);
        if(v1 == arg8) {
            return new String(outBuffer);
        }
        else {
            ++v1;
            v2 = arg6;
            v3 = Lookup[arg7];
        }
        arg6 = v2 + v3 - 29;
    }
}
// Step 3: v1 starts at 0, indexes outBuffer and is incremented every pass, so it is the loop index -> i
private static String Lookup(int arg6, int arg7, int arg8) {
    int v3;
    int v2;
    arg7 = 62 - arg7;
    arg8 += 2;
    short[] Lookup = Deobfuscate.LookupTable;
    int i = 0;
    arg6 += 65;
    byte[] outBuffer = new byte[arg8];
    --arg8;
    while(true) {
        ++arg7;
        outBuffer[i] = ((byte)arg6);
        if(i == arg8) {
            return new String(outBuffer);
        }
        else {
            ++i;
            v2 = arg6;
            v3 = Lookup[arg7];
        }
        arg6 = v2 + v3 - 29;
    }
}
// Step 4: arg8 sizes outBuffer and (after --) is the last index written, so it is the string length -> len
private static String Lookup(int arg6, int arg7, int len) {
    int v3;
    int v2;
    arg7 = 62 - arg7;
    len += 2;
    short[] Lookup = Deobfuscate.LookupTable;
    int i = 0;
    arg6 += 65;
    byte[] outBuffer = new byte[len];
    --len;
    while(true) {
        ++arg7;
        outBuffer[i] = ((byte)arg6);
        if(i == len) {
            return new String(outBuffer);
        }
        else {
            ++i;
            v2 = arg6;
            v3 = Lookup[arg7];
        }
        arg6 = v2 + v3 - 29;
    }
}
// Step 5: arg6 (+65, then cast to byte) is the character value being emitted -> char_val
private static String Lookup(int char_val, int arg7, int len) {
    int v3;
    int v2;
    arg7 = 62 - arg7;
    len += 2;
    short[] Lookup = Deobfuscate.LookupTable;
    int i = 0;
    char_val += 65;
    byte[] outBuffer = new byte[len];
    --len;
    while(true) {
        ++arg7;
        outBuffer[i] = ((byte)char_val);
        if(i == len) {
            return new String(outBuffer);
        }
        else {
            ++i;
            v2 = char_val;
            v3 = Lookup[arg7];
        }
        char_val = v2 + v3 - 29;
    }
}
// Step 6: arg7 (62 - arg7, then ++ each pass) walks through the lookup table -> key_ptr
private static String Lookup(int char_val, int key_ptr, int len) {
    int v3;
    int v2;
    key_ptr = 62 - key_ptr;
    len += 2;
    short[] Lookup = Deobfuscate.LookupTable;
    int i = 0;
    char_val += 65;
    byte[] outBuffer = new byte[len];
    --len;
    while(true) {
        ++key_ptr;
        outBuffer[i] = ((byte)char_val);
        if(i == len) {
            return new String(outBuffer);
        }
        else {
            ++i;
            v2 = char_val;
            v3 = Lookup[key_ptr];
        }
        char_val = v2 + v3 - 29;
    }
}
// Step 7: v2 holds the previous character and v3 the table entry added to it -> char_val2, differential_key_value
private static String Lookup(int char_val, int key_ptr, int len) {
    int differential_key_value;
    int char_val2;
    key_ptr = 62 - key_ptr;
    len += 2;
    short[] Lookup = Deobfuscate.LookupTable;
    int i = 0;
    char_val += 65;
    byte[] outBuffer = new byte[len];
    --len;
    while(true) {
        ++key_ptr;
        outBuffer[i] = ((byte)char_val);
        if(i == len) {
            return new String(outBuffer);
        }
        else {
            ++i;
            char_val2 = char_val;
            differential_key_value = Lookup[key_ptr];
        }
        char_val = char_val2 + differential_key_value - 29;
    }
}
String Encryption Summary
• Array of Bytes, differences between adjacent characters
• Arg 1: Starting character value
• Arg 2: Starting key index
• Arg 3: String length
• Start Value = “b”, start Index = 1, length = 3
• Array: { 20, 1, -2, 19, 5 }
• Result: “cat” (b + 1 = c), (c - 2 = a), ( a + 19 = t)
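An added example, not code from the slides: a Python port of the Lookup() routine reversed step by step above, an inverse of it written here so the reading of the routine can be checked round-trip, and the simplified scheme of the summary slide. The lookup table is constructed for this example; on a real target it is the short[] LookupTable recovered from the decompiled configuration class.

```python
# Added example: port of the reversed DexGuard-style Lookup() string decoder.
# Not code from the slides or from DexGuard; the table contents are constructed.


def lookup(char_val, key_ptr, length, table):
    """Faithful port of the decompiled Lookup(arg6, arg7, arg8).

    char_val: first character, stored as an offset from 'A' (65)
    key_ptr:  selects where in `table` the differential key starts
    length:   string length minus 2
    table:    the application's LookupTable (Java short[] -> list of ints)
    """
    key_ptr = 62 - key_ptr
    length += 2
    char_val += 65
    out = bytearray(length)
    last = length - 1
    i = 0
    while True:
        key_ptr += 1
        out[i] = char_val & 0xFF           # Java's (byte) cast keeps the low 8 bits
        if i == last:
            return out.decode("latin-1")   # one byte per char, like new String(byte[])
        i += 1
        if key_ptr < 0:                    # Java throws here; Python would wrap around
            raise IndexError("key index ran off the front of LookupTable")
        # each key entry is the difference to the next character, biased by 29
        char_val = char_val + table[key_ptr] - 29


def encode(plaintext, key_ptr, table):
    """Inverse of lookup(), written for this example (not part of DexGuard):
    stores the differential key for `plaintext` at table[63 - key_ptr ...] and
    returns the (char_val, key_ptr, length) triple that lookup() expects."""
    data = plaintext.encode("latin-1")
    if not data:
        raise ValueError("Lookup() cannot represent an empty string")
    start = 63 - key_ptr
    for k in range(1, len(data)):
        table[start + k - 1] = data[k] - data[k - 1] + 29
    return data[0] - 65, key_ptr, len(data) - 2


def simple_decode(start_char, start_index, length, table):
    """The scheme as stated on the summary slide: start value 'b', index 1,
    length 3 over {20, 1, -2, 19, 5} yields 'cat'."""
    value = ord(start_char)
    out = []
    for k in range(length):
        value += table[start_index + k]
        out.append(chr(value))
    return "".join(out)


def demo():
    """Mirror the call on the slide, Lookup(LookupTable[12], 52, LookupTable[67] - 1):
    the arguments themselves live in the table. All table contents are constructed."""
    table = [0] * 80
    char_val, key_ptr, length = encode("assets/cfg.bin", 30, table)
    table[12] = char_val       # first-character argument parked in the table
    table[67] = length + 1     # length argument, stored off by one as on the slide
    return lookup(table[12], key_ptr, table[67] - 1, table)


if __name__ == "__main__":
    print(simple_decode("b", 1, 3, [20, 1, -2, 19, 5]))   # cat
    print(demo())                                          # assets/cfg.bin
```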
Call Hiding Using Reflection
UnknownObject1 =
    String.class.getMethod(
        ObfuscatedAppConfig.Lookup(
            ObfuscatedAppConfig.LookupTable[40] - 1,
            ObfuscatedAppConfig.LookupTable[2] - 1,
            6),
        String.class).invoke(string1, string0);
Native Code
Android Native Code
• APKs can contain native code in the /lib/ directory
• One sub-directory for each supported architecture (or ABI)
• E.g. armeabi, armeabi-v7a, x86
• Android Java interfaces with native code using the Java Native Interface (JNI)
• Standardised by Oracle: https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html
• Java: System.loadLibrary("foo") // Loads ./lib/libfoo.so
JNI Exports
JNIEXPORT void JNICALL Java_ClassName_FunctionName(
    JNIEnv *jniEnv,
    jobject classInstancePointer,
    <…args…>);
Conclusions
Conclusions
• Obfuscators slow down attackers
• Arms-race between attackers & defenders
• Both apply to legitimate software & malware
• Obfuscators don’t fix vulnerabilities
• Just makes them harder to find using static techniques
• Effective security assessments should be done with source code.
Recommended Further Reading
Tool References
• Android Studio and SDK – https://developer.android.com/sdk/index.html
• Apktool – http://ibotpeaches.github.io/Apktool/
• smali/baksmali – https://bitbucket.org/JesusFreke/smali/downloads
• jd-gui – http://jd.benow.ca/
• APK Studio – https://apkstudio.codeplex.com/
• JEB Decompiler (Commercial) – https://www.pnfsoftware.com/
Not Covered in this presentation:
• Radare2 – http://www.radare.org/r/down.html
• Androguard – https://github.com/androguard/androguard
Any Questions?
Twitter: @tkeetch
Email: tom@intrinsec.co.uk

What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 

Steelcon 2015 Reverse-Engineering Obfuscated Android Applications

1. Reverse Engineering Obfuscated Android Applications
Tom Keetch, IntrinSec SSA Ltd.
SteelCon – Sheffield – 4th July 2015

2. About Me
• Independent Software Security Consultant in London
• IntrinSec SSA Ltd.
• All forms of software security consultancy
  • Process / SDLC
  • Architecture / Design Review
  • Code Review (white-box)
  • Reverse Engineering / Penetration Testing (black-box)
• Interested in: reverse engineering, sandboxes/container/virtualization, low-level software, cryptographic protocols
• Contact: @tkeetch, tom@intrinsec.co.uk

3. Contents
• Introduction
• Reverse Engineering
• Android Application Runtime Environment
• Android Reverse Engineering Tools
  • Standard Tools & Techniques
  • Reverse Engineering Obfuscated Applications
  • More advanced material
• Conclusions

5. Reverse Engineering
• The process of decomposing an object or system to discover its internal operation or construction.
• With software, we usually have a full description of the program in a machine-readable form, but we want it in a human-understandable form.
• Techniques fall into two main groups:
  • Static Analysis
  • Runtime Analysis
• The focus of this presentation is static analysis

6. Reverse Engineering Inputs
• Compiled object code
• Dynamic application behaviour
• Static Resources – configuration files etc.
• Associated systems, e.g. the server for a client
• Similar applications / systems
• Public Documentation / Standards
• Open source code (e.g. libraries, LGPL components)
• Patents
• Company Structure & History
  • Mergers, Acquisitions, Licensing Deals
• Open Source Intelligence (e.g. LinkedIn, Leaked Documents)

7. Static vs. Dynamic Analysis
• Typically want to combine both approaches
• Sometimes static analysis is required first to:
  • Remove anti-debugging functionality
  • Bypass root/jailbreak detection
  • Identify hidden functionality
  • Disable certificate pinning
• Dynamic analysis can be faster if the app is heavily obfuscated
• Dependent on the app, and what you want to find out
• Normally the fastest way to identify attack surface

9. Reverse Engineering – Legal Impediments
• End User License Agreements (EULAs)
• Anti-Circumvention Legislation (e.g. DMCA)
• Non-Disclosure Agreements (NDAs)
• Trade Secrets / Law of Confidence (UK)
• Copyright
• Future: Wassenaar Arrangement (?!#?)
  • Esp. Dual-use technologies.
• Computer Misuse Act (!)
More Background: http://www.computing.co.uk/ctg/analysis/2373094/trade-secrets-and-reverse-engineering-the-legal-view

11. Android Applications - Platforms ?????

12. Dalvik Runtime
• The original Android Runtime (Android 1.0, 2008)
• An application virtual machine similar to the JVM
• Just In Time compilation (JIT) of bytecode
• Optimised for mobile devices
• DEX (Dalvik Executable) => ODEX (Optimised DEX)
  • ODEX files don’t need to be portable, so optimisations can be OS/device/platform specific.

13. ART
• New Android Runtime
• Previewed in KitKat (Android 4.4, 2013)
• Now the default runtime in Lollipop (Android 5.0, 2014)
• Compiles DEX files to native ELF executables at install-time
• Uses Ahead Of Time (AOT) compilation
  • Instead of Just In Time (JIT) compilation

14. [Diagram] Source: https://commons.wikimedia.org/wiki/File:ART_view.png
DEX files are common to both the Dalvik and ART runtimes. Packaged in an APK.

15. Let’s Reverse an Android App!

16. First we need an APK…
1) Download from App Store
  • Web Application: http://apps.evozi.com/apk-downloader/
  • Firefox plugin: https://addons.mozilla.org/en-US/firefox/addon/apk-downloader/
  • Chrome plugin: https://chrome.google.com/webstore/detail/apk-downloader/cgihflhdpokeobcfimliamffejfnmfii
2) Copy from the device
  • adb shell pm list packages
  • adb pull "/data/apps/<package_name>.apk"
3) Download from a 3rd Party AppStore
  • Not always a good idea…

17. Inside the APK
An APK is just a ZIP archive, containing:
• /assets/
• /lib/
• /META-INF/
• /res/
• AndroidManifest.xml
• classes.dex
• resources.arsc
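As an added example (not code from the talk), the following Python script treats an APK as the ZIP archive described above and produces the inventory a reverser wants before unpacking anything: the DEX files with a sanity check on their headers (magic, file_size, header_size, endian tag), the native ABIs present under lib/, whether AndroidManifest.xml carries the binary AXML chunk header, and which signature files sit in META-INF/. The sample APK is constructed in memory with stub contents; the entry names are the standard ones, the bytes are not from any real app.

```python
import io
import re
import struct
import zipfile

# DEX header layout (first 0x70 bytes): magic "dex\n0NN\0", then at 0x20
# file_size, at 0x24 header_size (always 0x70), at 0x28 endian_tag.
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678


def dex_stub(version=b"035"):
    """Constructed 0x70-byte DEX header with no code, for the demo only."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<I", hdr, 0x20, len(hdr))          # file_size
    struct.pack_into("<I", hdr, 0x24, DEX_HEADER_SIZE)   # header_size
    struct.pack_into("<I", hdr, 0x28, DEX_ENDIAN_TAG)    # endian_tag
    return bytes(hdr)


def build_sample_apk():
    """Constructed APK: the real layout from slide 17, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 4)  # AXML chunk header
        z.writestr("classes.dex", dex_stub())
        z.writestr("classes2.dex", dex_stub(b"037"))
        z.writestr("classes3.dex", b"not a dex file")          # deliberately malformed
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("lib/armeabi-v7a/libfoo.so", b"\x7fELF" + b"\x00" * 12)
        z.writestr("lib/x86/libfoo.so", b"\x7fELF" + b"\x00" * 12)
        z.writestr("assets/config.bin", b"\xde\xad\xbe\xef")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()


def dex_header_ok(data):
    """True if data starts with a DEX header that is consistent with its own size."""
    if len(data) < DEX_HEADER_SIZE or not data.startswith(b"dex\n"):
        return False
    file_size, header_size, endian = struct.unpack_from("<III", data, 0x20)
    return (file_size == len(data) and header_size == DEX_HEADER_SIZE
            and endian == DEX_ENDIAN_TAG)


def inventory(apk_bytes):
    """Summarise the archive without unpacking it to disk."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n))
        return {
            "dex": dex,
            "dex_ok": {n: dex_header_ok(z.read(n)) for n in dex},
            "abis": sorted({n.split("/")[1] for n in names
                            if n.startswith("lib/") and n.count("/") >= 2}),
            "native_libs": sorted(n for n in names
                                  if n.startswith("lib/") and n.endswith(".so")),
            "assets": sorted(n for n in names if n.startswith("assets/")),
            "manifest_is_axml": ("AndroidManifest.xml" in names and
                                 z.read("AndroidManifest.xml").startswith(b"\x03\x00\x08\x00")),
            "has_resources": "resources.arsc" in names,
            "signature_files": sorted(n for n in names if n.startswith("META-INF/")
                                      and n.endswith((".RSA", ".DSA", ".EC"))),
        }


if __name__ == "__main__":
    for key, value in inventory(build_sample_apk()).items():
        print(f"{key:16} {value}")
```

A DEX whose header does not describe its own size (the constructed classes3.dex here) is the first hint that a packer or a custom loader is in play, and the ABI list tells you which lib/ directory to open once the Java side runs out of answers.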
18. APK Analysis Process
APK → DEX Bytecode → Smali Disassembly → Java Source Code → Understandable Code

19. Reversing an APK
APK → DEX Bytecode → Smali Disassembly → Java Source Code → Understandable Code
  java -jar apktool.jar decode in.apk
  java -jar apktool.jar build in.apk

20. APK Analysis Tools – apktool & baksmali
APK → DEX Bytecode → Smali Disassembly → Java Source Code → Understandable Code
  java -jar apktool.jar decode -s in.apk
  java -jar baksmali.jar classes.dex

21. APK Analysis Tools – smali & apktool
APK → DEX Bytecode → Smali Disassembly → Java Source Code → Understandable Code
  java -jar apktool.jar build <app_path>
  java -jar smali.jar *.smali

22. APK Analysis Tools – dex2jar & jd-gui
APK → DEX Bytecode → Java ARchive (JAR) → Java Source Code → Understandable Code
  Windows: d2j-dex2jar.bat -o out.jar in.apkclasses.dex
  Linux: d2j-dex2jar.sh -o out.jar in.apkclasses.dex
  JD-GUI – Java Decompiler

23. Reversing an APK – JEB Decompiler
APK → DEX Bytecode → Smali Disassembly → Java Source Code → Understandable Code
JEB Decompiler – a[n expensive] commercial tool

24. Detour: Modifying the APK
• Put the Android device in development mode.
• Alter the Smali code (not covered in this presentation)
• Assemble the modified code using smali
• Re-package the APK using apktool or Zip (depending on unpacking)
• Sign the APK package with jarsigner.jar
  • Instructions: http://developer.android.com/tools/publishing/app-signing.html#signing-manually
  • Use the keystore located at: <HOME>\.android\debug.keystore
  • Keystore password "android"
• Install the new APK with adb:
  • adb install modified.apk

25. Java Source Code?
• After running jd-gui or JEB, we will have Java Source code!
• It may be easily readable, or it could be ()BfuSc4t3d….

27. Obfuscated Java Code
• All classes, methods, variables renamed to single Unicode characters, “semantically meaningless names”…

28. It’s Not All Bad…
• Some code can’t be obfuscated:
  • Primitive types
  • Standard Java API calls
  • Exported/Public APIs
  • Code relying on Java Reflection

29. (image only)

30. Identifying Classes (1) [class diagram: Object, Class A, Class B, Class C]

31. Identifying Classes (2) [class diagram: Object, Service, Class B, Class C]

32. Identifying Classes (3) [class diagram: Object, Class A, Class B, Class C, ISerializable]

33. Identifying Classes (4) [class diagram: Object, Class A, Class B, Class C, ISomeInterface, IOtherInterface]

34. Android Manifest
• The manifest cannot be obfuscated
  • It needs to be readable by the Android OS
• Encoded in a binary format called Android XML (AXML)
• Decode contents using AXMLPrinter2.jar or aapt (from the SDK):
  • java -jar AXMLPrinter2.jar .in.apkAndroidManifest.xml
  • aapt dump xmltree in.apk AndroidManifest.xml

35. Android Manifest Contents
• Statically Registered Broadcast Receivers
  • For notifications of system events, or broadcast messages
• Public/Private Activities
  • Especially Browsable Activities
• Public/Private Content Providers
• Permissions
  • Requested Permissions
  • Custom Permissions
• Public/Private Services

36. Where to Start?
• Identify classes associated with application entry-points. For example:
  • android.app.Activity
  • android.content.BroadcastReceiver
  • android.content.ContentProvider
  • android.content.Intent
  • android.content.IntentFilter
  • android.app.Service
• Other interesting functionality:
  • References to the Cipher class, encryption classes, or large arrays
  • Reflection API methods such as getMethod() and invoke()
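Slides 28 to 33 and 36 make one point between them: an obfuscator can rename the application's own classes, but not the framework classes they extend, the interfaces they implement, or the standard API calls they make, so those are the anchors to search for first. The script below is an added example (not the author's tooling) that runs that triage over baksmali output: it reads each .smali file's .class, .super and .implements directives, flags classes whose superclass is one of the entry-point types listed above, and records calls to Cipher and the reflection API. The smali fragments are constructed for the demo, with invented package and class names, and a real run would read them from the apktool output directory instead of a dict.

```python
import re

# Constructed smali fragments standing in for files apktool/baksmali would emit.
SAMPLE_SMALI = {
    "a/b/c.smali": """\
.class public La/b/c;
.super Landroid/app/Activity;
.implements Ljava/io/Serializable;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {}, La/b/d;->a()Ljava/lang/String;
    move-result-object v0
    return-void
.end method
""",
    "a/b/d.smali": """\
.class final La/b/d;
.super Ljava/lang/Object;

.method static a()Ljava/lang/String;
    .locals 2
    const-string v0, "AES/CBC/PKCS5Padding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v1
    return-object v0
.end method
""",
    "a/b/e.smali": """\
.class public La/b/e;
.super Landroid/content/BroadcastReceiver;

.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    .locals 3
    const-class v0, Ljava/lang/String;
    invoke-virtual {v0, v1, v2}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    move-result-object v0
    invoke-virtual {v0, p1, v2}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-void
.end method
""",
}

# Framework classes an obfuscator cannot rename; extending one marks an entry point.
ENTRY_POINT_SUPERS = {
    "Landroid/app/Activity;",
    "Landroid/app/Service;",
    "Landroid/content/BroadcastReceiver;",
    "Landroid/content/ContentProvider;",
}

# Standard API calls that survive renaming and deserve a first look.
INTERESTING_CALLS = {
    "Ljavax/crypto/Cipher;->getInstance": "crypto",
    "Ljava/lang/Class;->getMethod": "reflection",
    "Ljava/lang/Class;->getDeclaredMethod": "reflection",
    "Ljava/lang/reflect/Method;->invoke": "reflection",
}

CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*(L\S+;)", re.M)
SUPER_RE = re.compile(r"^\.super\s+(L\S+;)", re.M)
IMPL_RE = re.compile(r"^\.implements\s+(L\S+;)", re.M)
CALL_RE = re.compile(r"(L[\w/$]+;->[\w$<>]+)\(")   # Lpkg/Cls;->method( in invoke-* lines


def triage(smali_files):
    """Map each class to the anchors renaming cannot remove: super, interfaces, API hits."""
    report = {}
    for text in smali_files.values():
        cls = CLASS_RE.search(text)
        if not cls:
            continue
        sup = SUPER_RE.search(text)
        super_name = sup.group(1) if sup else None
        hits = {INTERESTING_CALLS[c] for c in CALL_RE.findall(text) if c in INTERESTING_CALLS}
        report[cls.group(1)] = {
            "super": super_name,
            "interfaces": IMPL_RE.findall(text),
            "entry_point": super_name in ENTRY_POINT_SUPERS,
            "array_data_blocks": text.count(".array-data"),  # large literal arrays
            "hits": sorted(hits),
        }
    return report


def entry_points(report):
    return sorted(name for name, info in report.items() if info["entry_point"])


if __name__ == "__main__":
    rep = triage(SAMPLE_SMALI)
    print("entry points:", entry_points(rep))
    for name, info in rep.items():
        print(name, info)
```

The output is a starting worklist rather than an answer: the classes marked as entry points are where control enters from the manifest, and the class with the Cipher hit is where the string or asset decryption usually lives.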
37. Some Common Obfuscations
Improve/retain Performance:
• Dead code removal
• Class/method/fields/variable renaming
• Remove logging code
• Peephole optimisations
Degrade Performance:
• String encryption*
• Call-hiding with reflection*
• Resource/asset encryption
• Control flow obfuscation
• Junk code insertion
• Data Flow obfuscation

39. ProGuard & DexGuard
• ProGuard ships for free with the Android SDK
• DexGuard is a paid version by the same author

40. Example: DexGuard String Encryption
    public void LoadObfuscatedAsset() {
        …
        InputStream obfAsset = OsAppContext.getAssets().open(
            ObfuscatedAppConfig.Lookup(
                ObfuscatedAppConfig.LookupTable[12],
                52,
                ObfuscatedAppConfig.LookupTable[67] - 1));
    }

41. ObfuscatedAppConfig.Lookup
• Let’s reverse the ‘Lookup’ method used by the “configuration” class
  • It takes 3 integers and returns a String.
• I’ve simplified the Java a little first
• We’ll go step by step through the reasoning
  • Don’t worry about following the code, just the logic.
• We could just copy and paste the code to get the decrypted string.
42.
    // Step 1: the decompiled Lookup(), lightly simplified
    private static String Lookup(int arg6, int arg7, int arg8) {
        int v3;
        int v2;
        arg7 = 62 - arg7;
        arg8 += 2;
        short[] Lookup = Deobfuscate.LookupTable;
        int v1 = 0;
        arg6 += 65;
        byte[] b = new byte[arg8];
        --arg8;
        while(true) {
            ++arg7;
            b[v1] = ((byte)arg6);           // store the current character
            if(v1 == arg8) {
                return new String(b);
            } else {
                ++v1;
                v2 = arg6;
                v3 = Lookup[arg7];
            }
            arg6 = v2 + v3 - 29;            // next character = previous + table entry - 29
        }
    }

43.
    // Step 2: b -> outBuffer (the byte array is the string being built)
    private static String Lookup(int arg6, int arg7, int arg8) {
        int v3;
        int v2;
        arg7 = 62 - arg7;
        arg8 += 2;
        short[] Lookup = Deobfuscate.LookupTable;
        int v1 = 0;
        arg6 += 65;
        byte[] outBuffer = new byte[arg8];
        --arg8;
        while(true) {
            ++arg7;
            outBuffer[v1] = ((byte)arg6);
            if(v1 == arg8) {
                return new String(outBuffer);
            } else {
                ++v1;
                v2 = arg6;
                v3 = Lookup[arg7];
            }
            arg6 = v2 + v3 - 29;
        }
    }

44.
    // Step 3: v1 -> i (it only ever indexes outBuffer)
    private static String Lookup(int arg6, int arg7, int arg8) {
        int v3;
        int v2;
        arg7 = 62 - arg7;
        arg8 += 2;
        short[] Lookup = Deobfuscate.LookupTable;
        int i = 0;
        arg6 += 65;
        byte[] outBuffer = new byte[arg8];
        --arg8;
        while(true) {
            ++arg7;
            outBuffer[i] = ((byte)arg6);
            if(i == arg8) {
                return new String(outBuffer);
            } else {
                ++i;
                v2 = arg6;
                v3 = Lookup[arg7];
            }
            arg6 = v2 + v3 - 29;
        }
    }

45.
    // Step 4: arg8 -> len (it sizes the buffer and terminates the loop)
    private static String Lookup(int arg6, int arg7, int len) {
        int v3;
        int v2;
        arg7 = 62 - arg7;
        len += 2;
        short[] Lookup = Deobfuscate.LookupTable;
        int i = 0;
        arg6 += 65;
        byte[] outBuffer = new byte[len];
        --len;
        while(true) {
            ++arg7;
            outBuffer[i] = ((byte)arg6);
            if(i == len) {
                return new String(outBuffer);
            } else {
                ++i;
                v2 = arg6;
                v3 = Lookup[arg7];
            }
            arg6 = v2 + v3 - 29;
        }
    }

46.
    // Step 5: arg6 -> char_val (it is the character written each iteration)
    private static String Lookup(int char_val, int arg7, int len) {
        int v3;
        int v2;
        arg7 = 62 - arg7;
        len += 2;
        short[] Lookup = Deobfuscate.LookupTable;
        int i = 0;
        char_val += 65;
        byte[] outBuffer = new byte[len];
        --len;
        while(true) {
            ++arg7;
            outBuffer[i] = ((byte)char_val);
            if(i == len) {
                return new String(outBuffer);
            } else {
                ++i;
                v2 = char_val;
                v3 = Lookup[arg7];
            }
            char_val = v2 + v3 - 29;
        }
    }

47.
    // Step 6: arg7 -> key_ptr (it walks the lookup table)
    private static String Lookup(int char_val, int key_ptr, int len) {
        int v3;
        int v2;
        key_ptr = 62 - key_ptr;
        len += 2;
        short[] Lookup = Deobfuscate.LookupTable;
        int i = 0;
        char_val += 65;
        byte[] outBuffer = new byte[len];
        --len;
        while(true) {
            ++key_ptr;
            outBuffer[i] = ((byte)char_val);
            if(i == len) {
                return new String(outBuffer);
            } else {
                ++i;
                v2 = char_val;
                v3 = Lookup[key_ptr];
            }
            char_val = v2 + v3 - 29;
        }
    }

48.
    // Step 7: v2 -> char_val2, v3 -> differential_key_value
    private static String Lookup(int char_val, int key_ptr, int len) {
        int differential_key_value;
        int char_val2;
        key_ptr = 62 - key_ptr;
        len += 2;
        short[] Lookup = Deobfuscate.LookupTable;
        int i = 0;
        char_val += 65;
        byte[] outBuffer = new byte[len];
        --len;
        while(true) {
            ++key_ptr;
            outBuffer[i] = ((byte)char_val);
            if(i == len) {
                return new String(outBuffer);
            } else {
                ++i;
                char_val2 = char_val;
                differential_key_value = Lookup[key_ptr];
            }
            char_val = char_val2 + differential_key_value - 29;
        }
    }
49. String Encryption Summary
• Array of Bytes, differences between adjacent characters
• Arg 1: Starting character value
• Arg 2: Starting key index
• Arg 3: String length
• Start Value = “b”, start Index = 1, length = 3
  • Array: { 20, 1, -2, 19, 5 }
  • Result: “cat” (b + 1 = c), (c - 2 = a), (a + 19 = t)

50. Call Hiding Using Reflection
    UnknownObject1 = String.class.getMethod(
        ObfuscatedAppConfig.Lookup(
            ObfuscatedAppConfig.LookupTable[40] - 1,
            ObfuscatedAppConfig.LookupTable[2] - 1,
            6),
        String.class).invoke(string1, string0);
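The practical payoff of the renaming walk-through on slides 42 to 48 is a decryptor you can run over every call site, including the ones on slides 40 and 50 where the arguments are themselves read out of LookupTable and the result becomes the method name handed to getMethod(). The Python below is an added example, not the author's code: lookup() is a faithful port of the deobfuscated Java (the +65, the 62 - key index, the +2 on the length and the -29 per step are kept exactly), encode() is a constructed inverse used only so the round trip can be checked offline, and demo_table() builds a constructed table holding two strings plus call-site arguments stored in the table, mirroring the Lookup(LookupTable[12], ..., LookupTable[67] - 1) shape. None of the table values are from a real application.

```python
def lookup(table, arg6, arg7, arg8):
    """Port of Lookup(int, int, int): arg6 = first character - 65,
    arg7 = 63 - index of the first delta, arg8 = string length - 2.
    Each following character is the previous one + table[key_ptr] - 29,
    so the table stores per-character differences (slide 49)."""
    key_ptr = 62 - arg7
    length = arg8 + 2
    char_val = arg6 + 65
    out = bytearray(length)
    i = 0
    last = length - 1
    while True:
        key_ptr += 1
        out[i] = char_val & 0xFF          # Java's (byte) cast truncates to 8 bits
        if i == last:
            return out.decode("latin-1")  # new String(byte[]) on ASCII data
        i += 1
        char_val = char_val + table[key_ptr] - 29


def encode(table, plaintext, key_index):
    """Constructed inverse of lookup() for the demo (not DexGuard's encoder):
    writes the deltas for plaintext into table[key_index:] and returns the
    (arg6, arg7, arg8) triple a call site would pass."""
    data = plaintext.encode("latin-1")
    if len(data) < 2:
        raise ValueError("Lookup always emits at least two characters")
    for n in range(1, len(data)):
        table[key_index + n - 1] = data[n] - data[n - 1] + 29
    return data[0] - 65, 63 - key_index, len(data) - 2


def demo_table():
    """Constructed LookupTable stand-in: 'cat' keyed at index 13, and a second
    string whose arg6 and arg8 + 1 are parked in table[12] and table[67], the
    way the slide 40 call site pulls its arguments out of the table."""
    table = [0] * 128
    cat_args = encode(table, "cat", 13)            # deltas at table[13..14]
    a6, a7, a8 = encode(table, "config.dat", 23)   # deltas at table[23..31]
    table[12] = a6
    table[67] = a8 + 1
    return table, cat_args, a7


def decrypt_call_site(table, arg7):
    """Evaluate Lookup(LookupTable[12], arg7, LookupTable[67] - 1)."""
    return lookup(table, table[12], arg7, table[67] - 1)


if __name__ == "__main__":
    table, cat_args, a7 = demo_table()
    print(cat_args, "->", lookup(table, *cat_args))
    print("call site ->", decrypt_call_site(table, a7))
```

Once lookup() is trusted, the remaining work is mechanical: extract the real LookupTable from the decompiled class, collect every Lookup(...) call with its three arguments, and replace each with its decrypted literal; the strings that feed getMethod() on slide 50 then name the hidden calls directly.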
52. Android Native Code
• APKs can contain native code in the /lib/ directory
  • One sub-directory for each supported architecture (or ABI)
  • E.g. armeabi, armeabi-v7a, x86
• Android Java interfaces with native code using the Java Native Interface (JNI)
  • Standardised by Oracle: https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html
  • Java: System.loadLibrary("foo") // Loads ./lib/libfoo.so

53. JNI Exports
    JNIEXPORT void JNICALL Java_ClassName_FunctionName(
        JNIEnv *jniEnv,
        jobject classInstancePointer,
        <…args…>);
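The Java_ClassName_FunctionName export above is produced by the name-mangling rules in the JNI specification linked on slide 52, and those rules matter more than usual on an obfuscated app: the class and method names are single Unicode characters, so the exported symbol is not readable either. The Python below is an added example (not the author's code) that computes the expected export symbol from the names found in the DEX: '/' and '.' become '_', '_' ';' and '[' become '_1' '_2' '_3', and any other character that is not an ASCII letter or digit becomes '_0' plus its 16-bit code point in lowercase hex; when a native method is overloaded, the long form with '__' and the mangled argument descriptors is used. The class and method names in the demo are constructed.

```python
ESCAPES = {"_": "_1", ";": "_2", "[": "_3"}


def mangle(name):
    """Apply the JNI name-mangling escapes to a class, method or descriptor string."""
    out = []
    for ch in name:
        if ch in ESCAPES:
            out.append(ESCAPES[ch])
        elif ch in "/.":
            out.append("_")                   # package separator
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))    # e.g. '$' -> _00024, 'ä' -> _000e4
    return "".join(out)


def jni_symbol(class_name, method_name, signature=None):
    """Short name Java_<class>_<method>; with a JNI method signature such as
    '(ILjava/lang/String;)V' the long, overload-resolving name is returned,
    built by appending '__' and the mangled argument descriptors."""
    sym = "Java_" + mangle(class_name) + "_" + mangle(method_name)
    if signature is not None:
        args = signature[signature.index("(") + 1:signature.index(")")]
        sym += "__" + mangle(args)
    return sym


def expected_exports(class_name, methods):
    """methods: iterable of (method name, signature or None) pairs declared
    'native' in the class; returns the sorted symbols to look for in the .so."""
    return sorted(jni_symbol(class_name, m, s) for m, s in methods)


if __name__ == "__main__":
    # Constructed obfuscated class a.b.ä with native methods å and do_it
    for sym in expected_exports("a.b.\u00e4", [("\u00e5", None), ("do_it", "([BI)Z")]):
        print(sym)
```

Matching these symbols against the export table of each lib/<abi>/*.so (readelf or nm will list them) ties an obfuscated Java declaration to the native function that implements it; symbols registered through RegisterNatives instead of exported names will not appear this way and need the JNI_OnLoad path followed separately.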
55. Conclusions
• Obfuscators slow down attackers
  • Arms-race between attackers & defenders
  • Both apply to legitimate software & malware
• Obfuscators don’t fix vulnerabilities
  • Just makes them harder to find using static techniques
• Effective security assessments should be done with source code.

57. Tool References
• Android Studio and SDK – https://developer.android.com/sdk/index.html
• Apktool – http://ibotpeaches.github.io/Apktool/
• smali/baksmali – https://bitbucket.org/JesusFreke/smali/downloads
• jd-gui – http://jd.benow.ca/
• APK Studio – https://apkstudio.codeplex.com/
• JEB Decompiler (Commercial) – https://www.pnfsoftware.com/
Not Covered in this presentation:
• Radare2 – http://www.radare.org/r/down.html
• Androguard – https://github.com/androguard/androguard