decompiling android

Post on 26-Feb-2016


TRANSCRIPT

DECOMPILING ANDROID
Godfrey Nolan
1DevDay 11/5/11

Intro
• What is a Decompiler?
• Why Android?
• Decompilers
• Protect Yourself
• Raising the Bar

SPAM #1

What is a Decompiler
• Reverse engineers apps into source code
• Many languages can be decompiled
  • Java, C#, VB.Net, Visual Basic
• Others can only be disassembled
  • C, C++, Objective-C
• Java and .Net particularly at risk
  • Because of JVM and CLR design
• Why use decompilers?
  • Curiosity, Hacking, Learning, Fair Use

Why Java
• Exploits JVM design
  • Originally interpreted not compiled
  • Lots more symbolic information than binaries
  • Data and method separation
  • Simple classfile structure
  • Very few opcodes

Why Java

Why Java

Classfile {
    int magic,
    short minor_version,
    short major_version,
    short constant_pool_count,
    cp_info constant_pool[constant_pool_count],
    short access_flags,
    short this_class,
    short super_class,
    short interfaces_count,
    interface_info interfaces[interfaces_count],
    short fields_count,
    field_info fields[fields_count],
    short methods_count,
    method_info methods[methods_count],
    short attributes_count,
    attr_info attributes[attributes_count]
}
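As an added example (not from the talk), a small Python parser for the leading fields of a classfile, run on a constructed class that stores a String literal; it shows the class name, the field name and the literal itself sitting in the constant pool, which is the symbolic information a decompiler recovers. The class bytes, the names in them and the `parse_class_header` function are constructed for this example.

```python
import struct

# Fixed-size constant-pool payloads by tag; Utf8 (tag 1) is variable-length.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4}

def parse_class_header(data):
    """Parse magic, versions and the constant pool of a JVM classfile.
    Returns the class name and every Utf8 entry (the symbolic names a
    decompiler recovers) plus the access flags that follow the pool."""
    magic, minor, major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a classfile: magic 0x%08X" % magic)
    pos, idx, pool = 10, 1, {}          # pool indices start at 1
    while idx < cp_count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                                       # CONSTANT_Utf8
            (length,) = struct.unpack_from(">H", data, pos)
            pool[idx] = (tag, data[pos + 2:pos + 2 + length].decode("utf-8"))
            pos += 2 + length
        elif tag in CP_FIXED:
            pool[idx] = (tag, data[pos:pos + CP_FIXED[tag]])
            pos += CP_FIXED[tag]
            if tag in (5, 6):                              # Long/Double use two slots
                idx += 1
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        idx += 1
    access_flags, this_class = struct.unpack_from(">HH", data, pos)
    name_idx = struct.unpack(">H", pool[this_class][1])[0]  # Class entry -> Utf8 index
    return {"major": major, "minor": minor, "access_flags": access_flags,
            "class_name": pool[name_idx][1],
            "strings": [v for t, v in pool.values() if t == 1]}

def _utf8(s):
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b

# Constructed sample, not output of javac: a class holding a String literal.
SAMPLE_CLASS = (
    b"\xCA\xFE\xBA\xBE" + struct.pack(">HH", 0, 50)  # magic, minor, major (Java 6)
    + struct.pack(">H", 6)                           # constant_pool_count = 5 entries + 1
    + _utf8("com/riis/mobile/Config")                # #1 Utf8: class name
    + b"\x07" + struct.pack(">H", 1)                 # #2 Class -> #1
    + _utf8("PASSWORD")                              # #3 Utf8: field name
    + _utf8("waZawuzefrabru96ebeb")                  # #4 Utf8: literal value
    + b"\x08" + struct.pack(">H", 4)                 # #5 String -> #4
    + struct.pack(">HH", 0x0021, 2)                  # access_flags, this_class -> #2
)
```

Running `parse_class_header(SAMPLE_CLASS)` returns the class name and all three Utf8 strings, including the literal, without any decompilation beyond reading the pool.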

Why Java

Why Android
• Client side code
• Easy access to APKs
  • Download apk to sd card using Astro File Mgr
  • Download from xda-developers forum
  • Download using ‘adb pull’ on jailbroken phone
• Nobody is using obfuscation
  • 1 out of 20 apks downloaded were protected
• Easy to convert apk to Java to decompile

Why Android

Why Android

java -jar dex2jar.jar com.riis.mobile.apk
jd-gui com.riis.mobile.apk.dex2jar

Why Android

• Dex file
  • Different structure
  • Different opcodes
  • Register based not stack based
  • Multiple JVMs on device

Why Android

Why Android

Why not iPhone?
• Objective-C
  • Compiled not interpreted
  • Much less information
  • Fat binaries approach
• Can still be disassembled
  • strings and otool unix commands
  • Other tools like IDA Pro

Why Android
• Jailbreak/Root phone
  • Use Z4Root
  • Uses RageAgainstTheCage Trojan exploit
  • Not available on Android Marketplace ;-)
• Using Android SDK platform tools
  • Turn on USB debugging
  • Find apk using adb shell
  • Download using adb pull

Why Android

Why Android
• Even easier is the apk-tool
  • Install APK-tool
  • Download apk
  • Right click

Decompilers
• Jive
• Mocha
• JAD
• SourceAgain
• JD-GUI

Possible Exploits
• Web Service API keys exposed
• Database logins
• Credit Card information
• Fake apps

Possible Exploits

Possible Exploits

Possible Exploits

public static final String USER_NAME = "BC7E9322-0B6B-4C28B4";
public static final String PASSWORD = "waZawuzefrabru96ebeb";

Protect Yourself
• Protect code before releasing
  • Hard to recover once it’s been made available
• Obfuscators
  • ProGuard
  • DashO
• Native Code
  • Use C++ and JNI
  • 99.99% of Android devices run on ARM processor
  • Use digital signature checking to protect lib

Protect Yourself
• ProGuard:
  • Detects and removes unused classes, fields, methods, and attributes.
  • Optimizes bytecode and removes unused instructions.
  • Renames remaining classes, fields, and methods using short meaningless names.
  • Preverifies the processed code for Java.
  • Enable in the default.properties file:
    proguard.config=proguard.cfg

Protect Yourself
• DashO (basic):
  • Improvement over ProGuard's naming by using strange characters and heavily reusing the same names at different scopes.
  • Does much more involved control flow obfuscation than ProGuard, reordering code operations to make them very difficult to understand and often breaking decompilers.
  • Supports string encryption to render important string data unreadable to attackers.

Protect Yourself
• DashO (advanced):
  • Supports tamper detection, handling, and reporting to prevent users from changing the compiled code, even while debugging, and to alert you if it happens.
  • Can automatically inject PreEmptive's Runtime Intelligence functionality for remote error reporting.

Protect Yourself
• DashO demo

Protect Yourself - Decompiled

Protect Yourself - ProGuard

Protect Yourself – DashO

Protect Yourself – JNI

#include <jni.h>

jstring Java_com_getPassword(JNIEnv* env, jobject thiz) {
    /* Secret kept in the native library instead of a Java String constant */
    const char *password = "waZawuzefrabru96ebeb";
    return (*env)->NewStringUTF(env, password);
}
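As an added example (not from the talk), a pre-release check in Python that covers both the exposed-constant slide above and the JNI approach: it pulls credential-looking String constants out of decompiled Java and, like the unix strings command, extracts printable runs from the built native library, then reports where each known secret still surfaces. The Java snippet and the ELF-like blob are constructed samples; `find_leaks` and the other function names are hypothetical, not part of any tool the talk mentions.

```python
import re
import string

# Java String constants whose name suggests a credential or key (constructed pattern).
SECRET_NAME = re.compile(
    r'static\s+final\s+String\s+(?P<name>\w*(?:PASSWORD|PASSWD|SECRET|API_KEY|TOKEN|USER_NAME)\w*)'
    r'\s*=\s*"(?P<value>[^"\\]*)"', re.IGNORECASE)

def java_string_constants(src):
    """Return (name, value) for each suspicious String constant in decompiled Java."""
    return [(m.group("name"), m.group("value")) for m in SECRET_NAME.finditer(src)]

def printable_strings(blob, min_len=8):
    """Runs of printable ASCII in a binary, like the unix `strings` command."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out, run = [], bytearray()
    for b in blob + b"\x00":            # trailing NUL flushes the last run
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out

def find_leaks(java_src, native_blob, secrets):
    """Map each known secret to where it surfaces in the build: decompiled Java,
    the native library's string table, both, or (the goal) neither."""
    in_java = {v for _, v in java_string_constants(java_src)}
    in_native = set(printable_strings(native_blob))
    return {s: [w for w, hit in (("java", s in in_java), ("native", s in in_native)) if hit]
            for s in secrets}

# Constructed samples, not real app output. The password has been moved to JNI,
# so only the user name remains as a Java constant.
DECOMPILED_JAVA = '''
public class Config {
    public static final String USER_NAME = "BC7E9322-0B6B-4C28B4";
    public static final String APP_NAME = "Mobile";
}
'''
# Stand-in for the built .so: an ELF-like header with the literal in the data area.
NATIVE_SO = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"waZawuzefrabru96ebeb\x00" + b"\x01\x02"
```

A secret moved into JNI is reported under native rather than disappearing, which is the bar-raising the talk describes; only an empty list means the literal is absent from the shipped build.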

Protect Yourself – JNI

Protect Yourself – JNI

Links
• http://viralpatel.net/blogs/2009/01/tutorial-java-class-file-format-revealed.html
• http://code.google.com/p/z4root/
• http://code.google.com/p/android-apktool/
• http://www.dalvikvm.com/

Raising the Bar
• APKs are available
• Tools are easy to use
• Turn on ProGuard
• Investigate other obfuscators
• Hide keys using JNI
• Don’t put sensitive information unencrypted in APKs

SPAM #2
• RIIS LLC
  • Southfield, MI
• Clients
  • Fandango
  • DTE
  • Comerica
  • BCBSM
• Mobile Development
  • DTE Outage Maps
  • Broadsoft Front Office Assistant
• Contact Information
  • godfrey@riis.com
