Slide for #defcon25 Demo Labs.

1. TRUESEEING:
EFFECTIVE
DATAFLOW
ANALYSIS
OVER DALVIK
OPCODES
Takahiro / Ken-ya Yoshimura
(@alterakey / @ad3liae)

2. WHO WE ARE
➤ alterakey
➤ Security Researcher
➤ iOS/Android Apps
➤ Android System
➤ Network
➤ ad3liae
➤ Security Researcher
➤ iOS Apps
➤ At Monolith Works Inc.

3. MOBILE APP SECURITY
➤ Attack Vectors
➤ Malicious App
➤ Malicious User
➤ Risks
➤ Vulnerabilities
➤ Unwanted Behaviors

4. FINDING VULNERABILITIES
➤ Static Analysis
➤ Reversing the target and deriving its behavior
➤ Reversing data flow is important
➤ Decompilers (such as JD-GUI) are essential tools
➤ Decompiling takes time
➤ Dynamic Analysis
➤ Running the target and seeing its behavior

5. PROBLEMS
➤ Dynamic Analysis
➤ Often unwanted :(
➤ Obfuscation
➤ Common practice
➤ Hinders decompilers
➤ What can we do?

6. RELATED WORKS
➤ Mixing multiple decompilers
(QARK et al.)
➤ Speed: even more time
➤ Fragility
➤ Mixing alone does not answer
the question, IMHO..

7. GO DIRECT
➤ Trueseeing
➤ Capable of
➤ Reversing data flow
➤ Loosely guessing constants/
typesets/…
➤ Manifest analysis (of
course)
➤ Uses no decompilers
➤ Speed
➤ Resiliency

8. DISASSEMBLING
➤ apktool
➤ SQLite3 DB

9. MARKING UP
➤ Constants
➤ Invocations
➤ Stored as tables/views

10. DATAFLOW TRACING (1)
➤ Call tracing
➤ Reading backwards
➤ Climbing call stacks up

11. DATAFLOW TRACING (2)
➤ Static trace
➤ Matching sget/sput
➤ Solving constants in sput

12. DATAFLOW TRACING (3)
➤ Instansic trance
➤ Matching iget/iput
➤ Ignoring instance identity
➤ Solving constants in iput

13. REPORTING
➤ HTML: clarity
➤ gcc-style: CI

14. CAPABILITY
➤ Most of OWASP TOP 10 Mobile
(2015)
➤ M1: Improper Platform Usage
➤ M2: Insecure Data
➤ M3: Insecure Communication
➤ M4: Insecure Authentication
➤ M5: Insufficient Cryptography
➤ M6: Insecure Authorization
➤ M7: Client Code Quality Issues
➤ M8: Code Tampering
➤ M9: Reverse Engineering
➤ M10: Extraneous Functionality

15. FIN.
30.7.2017 Monolith Works Inc.

16. BRING YOUR APK!