Decompiling Android
Godfrey Nolan, 1DevDay, 11/5/11
Intro
• What is a Decompiler?
• Why Android?
• Decompilers
• Protect Yourself
• Raising the Bar
SPAM #1
What is a Decompiler
• Reverse engineers apps into source code
• Many languages can be decompiled
  • Java, C#, VB.Net, Visual Basic
• Others can only be disassembled
  • C, C++, Objective-C
• Java and .Net particularly at risk
  • Because of JVM and CLR design
• Why use decompilers?
  • Curiosity, Hacking, Learning, Fair Use
Why Java
• Exploits JVM design
  • Originally interpreted, not compiled
  • Lots more symbolic information than binaries
  • Data and method separation
  • Simple classfile structure
  • Very few opcodes
Why Java
Classfile {
    int   magic,                                            // 0xCAFEBABE
    short minor_version,
    short major_version,
    short constant_pool_count,
    cp_info constant_pool[constant_pool_count - 1],         // entries are numbered from 1
    short access_flags,
    short this_class,
    short super_class,
    short interfaces_count,
    interface_info interfaces[interfaces_count],
    short fields_count,
    field_info fields[fields_count],
    short methods_count,
    method_info methods[methods_count],
    short attributes_count,
    attr_info attributes[attributes_count]
}
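As an added example (not part of the slides), a small Python parser for the header above: it reads the magic number, the version fields and the constant pool of a constructed classfile prefix and lists the Utf8 constants, which is where the symbolic names and string literals a decompiler recovers actually live.

```python
import struct

# Bytes following the tag for the fixed-size constant-pool tags.
# Utf8 (tag 1) is variable length; Long (5) and Double (6) occupy two slots.
CP_FIXED_SIZES = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
                  15: 3, 16: 2, 18: 4}

# Constructed sample: a classfile prefix with three constant-pool entries.
# Entry #3 (CONSTANT_String) points at the Utf8 literal in entry #2.
SECRET = b"waZawuzefrabru96ebeb"
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe"                                 # magic
    + struct.pack(">HH", 0, 50)                         # minor_version, major_version (50 = Java 6)
    + struct.pack(">H", 4)                              # constant_pool_count: entries 1..3
    + b"\x01" + struct.pack(">H", 8) + b"PASSWORD"      # #1 Utf8
    + b"\x01" + struct.pack(">H", len(SECRET)) + SECRET  # #2 Utf8
    + b"\x08" + struct.pack(">H", 2)                    # #3 String -> #2
)


def parse_class_header(data):
    """Return version info and every Utf8 constant (index -> text) in the pool."""
    magic, minor, major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java classfile")
    pos, index, utf8 = 10, 1, {}
    while index < cp_count:          # the pool holds cp_count - 1 entries, numbered from 1
        tag = data[pos]
        pos += 1
        if tag == 1:                 # CONSTANT_Utf8: u2 length + modified UTF-8 bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            utf8[index] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag in (5, 6):          # Long/Double: 8 bytes and two pool slots
            pos += 8
            index += 1
        elif tag in CP_FIXED_SIZES:
            pos += CP_FIXED_SIZES[tag]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos - 1))
        index += 1
    return {"major": major, "minor": minor, "utf8": utf8}


if __name__ == "__main__":
    info = parse_class_header(SAMPLE_CLASS)
    print("class version %d.%d" % (info["major"], info["minor"]))
    for idx, text in sorted(info["utf8"].items()):
        print("#%d Utf8 %r" % (idx, text))
```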
Why Android
• Client-side code
• Easy access to apk's
  • Download apk to SD card using Astro File Manager
  • Download from the xda-developers forum
  • Download using 'adb pull' on a jailbroken phone
• Nobody is using obfuscation
  • 1 out of 20 apks downloaded were protected
• Easy to convert apk to Java to decompile
Why Android
java -jar dex2jar.jar com.riis.mobile.apk
jd-gui com.riis.mobile.apk.dex2jar
Why Android
• Dex file
  • Different structure
  • Different opcodes
  • Register based, not stack based
• Multiple JVMs on device
Why not iPhone?
• Objective-C
  • Compiled, not interpreted
  • Much less information
  • Fat binaries approach
• Can still be disassembled
  • strings and otool unix commands
  • Other tools like IDA Pro
Why Android
• Jailbreak/Root phone
  • Use Z4Root
  • Uses RageAgainstTheCage Trojan exploit
  • Not available on Android Marketplace ;-)
• Using Android SDK platform tools
  • Turn on USB debugging
  • Find apk using adb shell
  • Download using adb pull
Why Android
• Even easier is apktool
  • Install apktool
  • Download apk
  • Right click
Decompilers
• Jive
• Mocha
• JAD
• SourceAgain
• JD-GUI
Possible Exploits
• Web service API keys exposed
• Database logins
• Credit card information
• Fake apps
Possible Exploits
public static final String USER_NAME = "BC7E9322-0B6B-4C28B4";
public static final String PASSWORD = "waZawuzefrabru96ebeb";
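An added example, not from the slides: a short Python check a developer can run over jd-gui output before release to flag String constants that look like credentials. The two constants above are embedded as constructed sample input alongside harmless ones; the name patterns are an assumption and should be extended for a real code base.

```python
import re

# Constructed sample of decompiled Java; two of the lines echo the slide above.
DECOMPILED_SOURCE = """\
public class Config {
    private static final String TAG = "Config";
    public static final String USER_NAME = "BC7E9322-0B6B-4C28B4";
    public static final String PASSWORD = "waZawuzefrabru96ebeb";
    public static final String BASE_URL = "https://api.example.invalid/v1";
    public static final String API_KEY = "";
}
"""

# Identifier words that usually mean "credential" (assumed list; extend as needed).
SUSPECT_NAME = re.compile(r"(?i)(user_?name|pass(word|wd)|secret|token|api_?key|credential)")
# Matches: static final String NAME = "literal";
STRING_CONSTANT = re.compile(
    r'static\s+final\s+String\s+(?P<name>\w+)\s*=\s*"(?P<value>[^"]*)"\s*;')


def find_hardcoded_secrets(source):
    """Return (line_no, name, value) for suspiciously named, non-empty String constants."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = STRING_CONSTANT.search(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if SUSPECT_NAME.search(name) and value:   # an empty value is a placeholder, not a leak
            findings.append((line_no, name, value))
    return findings


if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_secrets(DECOMPILED_SOURCE):
        print("line %d: %s = %r looks like a hardcoded credential" % (line_no, name, value))
```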
Protect Yourself
• Protect code before releasing
  • Hard to recover once it's been made available
• Obfuscators
  • ProGuard
  • DashO
• Native code
  • Use C++ and JNI
  • 99.99% of Android devices run on ARM processors
  • Use digital signature checking to protect the lib
Protect Yourself
• ProGuard:
  • Detects and removes unused classes, fields, methods, and attributes.
  • Optimizes bytecode and removes unused instructions.
  • Renames remaining classes, fields, and methods using short meaningless names.
  • Preverifies the processed code for Java.
  • Enable in the default.properties file:
    proguard.config=proguard.cfg
Protect Yourself
• DashO (basic):
  • Improvement over ProGuard's naming by using strange characters and heavily reusing the same names at different scopes.
  • Does much more involved control flow obfuscation than ProGuard, reordering code operations to make them very difficult to understand and often breaking decompilers.
  • Supports string encryption to render important string data unreadable to attackers.
Protect Yourself
• DashO (advanced):
  • Supports tamper detection, handling, and reporting to prevent users from changing the compiled code, even while debugging, and to alert you if it happens.
  • Can automatically inject PreEmptive's Runtime Intelligence functionality for remote error reporting.
Protect Yourself
• DashO demo
Protect Yourself - Decompiled
Protect Yourself - ProGuard
Protect Yourself - DashO
Protect Yourself - JNI
#include <jni.h>

JNIEXPORT jstring JNICALL Java_com_getPassword(JNIEnv* env, jobject thiz) {
    const char *password = "waZawuzefrabru96ebeb";  /* secret lives in the native lib, not in a Java class */
    return (*env)->NewStringUTF(env, password);
}
Links
• http://viralpatel.net/blogs/2009/01/tutorial-java-class-file-format-revealed.html
• http://code.google.com/p/z4root/
• http://code.google.com/p/android-apktool/
• http://www.dalvikvm.com/
Raising the Bar
• APKs are available
• Tools are easy to use
• Turn on ProGuard
• Investigate other obfuscators
• Hide keys using JNI
• Don't put sensitive information unencrypted in APKs
SPAM #2
• RIIS LLC
  • Southfield, MI
• Clients
  • Fandango
  • DTE
  • Comerica
  • BCBSM
• Mobile Development
  • DTE Outage Maps
  • Broadsoft Front Office Assistant
• Contact Information
  • [email protected]