trueseeing: effective dataflow analysis over dalvik opcodes
TRUESEEING: EFFECTIVE DATAFLOW ANALYSIS
OVER DALVIK OPCODES
Takahiro / Ken-ya Yoshimura (@alterakey / @ad3liae)
WHO WE ARE
➤ alterakey
➤ Security Researcher
➤ iOS/Android Apps
➤ Android System
➤ Network
➤ ad3liae
➤ Security Researcher
➤ iOS Apps
➤ At Monolith Works Inc.
MOBILE APP SECURITY
➤ Attack Vectors
➤ Malicious App
➤ Malicious User
➤ Risks
➤ Vulnerabilities
➤ Unwanted Behaviors
FINDING VULNERABILITIES
➤ Static Analysis
➤ Reversing the target and deriving its behavior
➤ Reversing data flow is important
➤ Decompilers (such as JD-GUI) are essential tools
➤ Decompiling takes time
➤ Dynamic Analysis
➤ Running the target and seeing its behavior
PROBLEMS
➤ Dynamic Analysis
➤ Often unwanted :(
➤ Obfuscation
➤ Common practice
➤ Hinders decompilers
➤ What can we do?
RELATED WORKS
➤ Mixing multiple decompilers (QARK et al.)
➤ Speed: even more time
➤ Fragility
➤ Mixing alone does not answer the question, IMHO.
GO DIRECT
➤ Trueseeing
➤ Capable of
➤ Reversing data flow
➤ Loosely guessing constants/typesets/…
➤ Manifest analysis (of course)
➤ Uses no decompilers
➤ Speed
➤ Resiliency
DISASSEMBLING
➤ apktool
➤ SQLite3 DB
MARKING UP
➤ Constants
➤ Invocations
➤ Stored as tables/views
DATAFLOW TRACING (1)
➤ Call tracing
➤ Reading backwards
➤ Climbing call stacks up
DATAFLOW TRACING (2)
➤ Static trace
➤ Matching sget/sput
➤ Solving constants in sput
DATAFLOW TRACING (3)
➤ Instance trace
➤ Matching iget/iput
➤ Ignoring instance identity
➤ Solving constants in iput
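The pipeline of the preceding slides (opcodes marked up into SQLite tables, calls read backwards, sget/sput and iget/iput matched by field, constants solved at the put) as an added Python example. It is not trueseeing's own code: it assumes the apktool disassembly has already produced the constructed smali fragment below, uses a flat `ops` table of our own design, and ignores instance identity for iget/iput as the slide describes.

```python
import sqlite3
# Constructed smali (not from a real app): Config stores a URL in a static field, Net reads it back.
SMALI = """\
.class public Lcom/example/Config;
.method static constructor <clinit>()V
    const-string v0, "https://api.example.com/v1"
    sput-object v0, Lcom/example/Config;->BASE_URL:Ljava/lang/String;
.end method
.class public Lcom/example/Net;
.method public fetch()V
    sget-object v1, Lcom/example/Config;->BASE_URL:Ljava/lang/String;
    invoke-static {v1}, Lcom/example/Net;->open(Ljava/lang/String;)V
.end method
"""

def load(smali, db):
    """Mark up: one row per opcode, tagged with the method that contains it."""
    db.execute("create table ops(id integer primary key, method text, op text, args text)")
    cls = method = None
    for line in map(str.strip, smali.splitlines()):
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            method = cls + "->" + line.split()[-1]
        elif line and not line.startswith("."):
            op, _, args = line.partition(" ")
            db.execute("insert into ops(method, op, args) values (?, ?, ?)", (method, op, args))

def solve_register(db, op_id, reg):
    """Read backwards from op_id within its method to the last write of reg; None if unsolved."""
    for op, args in db.execute("select op, args from ops where id < ? and method = (select method "
                               "from ops where id = ?) order by id desc", (op_id, op_id)):
        if args.split(",")[0].strip() == reg:  # the nearest earlier write to reg decides its value
            if op.startswith("const"):
                return args.partition(",")[2].strip().strip('"')
            if op.startswith(("sget", "iget")):  # iget: match on field name only, ignoring instance identity
                return solve_field(db, args.split(",")[-1].strip())
            return None  # written by an invoke result, arithmetic, etc.: not modelled here

def solve_field(db, field):
    """Match the field's sput/iput anywhere in the app and solve the value stored into it."""
    row = db.execute("select id, args from ops where (op like 'sput%' or op like 'iput%') and args like ?", ("%" + field,)).fetchone()
    return row and solve_register(db, row[0], row[1].split(",")[0].strip())

def solve_invoke_args(smali, callee):
    """For every call site of callee, solve each argument register back to a constant."""
    db = sqlite3.connect(":memory:")
    load(smali, db)
    return [[solve_register(db, oid, r.strip()) for r in args[args.index("{") + 1:args.index("}")].split(",")]
            for oid, args in db.execute("select id, args from ops where op like 'invoke%' and args like ?", ("%" + callee,))]
```

Registers fed by anything other than a const or a field read resolve to None, which is the point where a real analysis would need the loose guessing the GO DIRECT slide mentions.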
REPORTING
➤ HTML: clarity
➤ gcc-style: CI
CAPABILITY
➤ Most of OWASP TOP 10 Mobile (2015)
➤ M1: Improper Platform Usage
➤ M2: Insecure Data
➤ M3: Insecure Communication
➤ M4: Insecure Authentication
➤ M5: Insufficient Cryptography
➤ M6: Insecure Authorization
➤ M7: Client Code Quality Issues
➤ M8: Code Tampering
➤ M9: Reverse Engineering
➤ M10: Extraneous Functionality
FIN. 30.7.2017 Monolith Works Inc.
BRING YOUR APK!