Transcript Decompiling Android - 1DevDay Detroit 2012

DECOMPILING
ANDROID
Godfrey Nolan
1DevDay 11/5/11
Intro
• What is a Decompiler?
• Why Android?
• Decompilers
• Protect Yourself
• Raising the Bar
SPAM #1
What is a Decompiler
• Reverse Engineers apps into source code
• Many languages can be decompiled
• Java, C#, VB.Net., Visual Basic
• Others can only be disassembled
• C, C++, Objective-C
• Java and .Net particularly at risk
• Because of JVM and CLR design
• Why use decompilers?
• Curiosity, Hacking, Learning, Fair Use
Why Java
• Exploits JVM Design
• Originally interpreted not compiled
• Lots more symbolic information than binaries
• Data and method separation
• Simple classfile structure
• Very few opcodes
Why Java
Why Java
Classfile {
int
short
short
short
cp_info
short
short
short
short
interface_info
short
field_info
short
method_info
short
attr_info
}
magic,
minor_version,
major_version,
constant_pool_count,
constant_pool[constant_pool_count],
access_flags,
this_class,
super_class,
interfaces_count,
interfaces[interfaces_count],
fields_count,
fields[field_count],
methods_count,
methods[methods_count],
attribute_count,
attributes[attributes_count]
Why Java
Why Android
• Client side code
• Easy access to apk’s
• Download apk to sd card using Astro File Mgr
• Download from xdadevelopers forum
• Download using ‘adb pull’ on jailbroken phone
• Nobody is using obfuscation
• 1 out of 20 apks downloaded were protected
• Easy to convert apk to Java to decompile
Why Android
Why Android
java –jar dex2jar.jar com.riis.mobile.apk
jd-gui com.riis.mobile.apk.dex2jar
Why Android
• Dex file
• Different structure
• Different opcodes
• Register based not stack based
• Multiple JVMs on device
Why Android
Why Android
Why not iPhone?
• Objective-C
• Compiled not interpreted
• Much less information
• Fat binaries approach
• Can still be disassembled
• strings and otool unix commands
• Other tools like IDA Pro
Why Android
• Jailbreak/Root phone
• Use Z4Root
• Uses RageAgainstTheCage Trojan exploit
• Not available on Android Marketplace ;-)
• Using Android SDK platform tools
• Turn on USB debugging
• Find apk using adb shell
• Download using adb pull
Why Android
Why Android
• Even easier is the apk-tool
• Install APK-tool
• Download apk
• Right click
Decompilers
• Jive
• Mocha
• JAD
• SourceAgain
• JD-GUI
Possible Exploits
• Web Service API keys exposed
• Database logins
• Credit Card information
• Fake apps
Possible Exploits
Possible Exploits
Possible Exploits
public static final String USER_NAME = "BC7E9322-0B6B-4C28B4";
public static final String PASSWORD = "waZawuzefrabru96ebeb";
Protect Yourself
• Protect code before releasing
• Hard to recover once it’s been made available
• Obfuscators
• ProGuard
• DashO
• Native Code
• Use C++ and JNI
• 99.99% of Android devices run on ARM processor
• Use digital signature checking to protect lib
Protect Yourself
• ProGuard:
• Detects and removes unused classes, fields, methods,
and attributes.
• Optimizes bytecode and removes unused instructions.
• Renames remaining classes, fields, and methods using
short meaningless names.
• Preverifies the processed code for Java.
• Enable in default.properties files
• proguard.config=proguard.cfg
Protect Yourself
• DashO (basic):
• Improvement over ProGuard's naming by using strange
characters and heavily reusing the same names at
different scopes.
• Does much more involved control flow obfuscation than
ProGuard, reordering code operations to make them
very difficult to understand and often breaking
decompilers.
• Supports string encryption to render important string
data unreadable to attackers.
Protect Yourself
• DashO (advanced):
• Supports tamper detection, handling, and reporting to
prevent users from changing the compiled code, even
while debugging, and to alert you if it happens.
• Can automatically inject Preemptive's Runtime
Intelligence functionality for remote error reporting.
Protect Yourself
• DashO demo
Protect Yourself - Decompiled
Protect Yourself - ProGuard
Protect Yourself – DashO
Protect Yourself – JNI
jstring Java_com_getPassword(JNIEnv* env, jobject thiz)
{
char *password = “waZawuzefrabru96ebeb”;
return (*env)->NewStringUTF(env, password);
}
Protect Yourself – JNI
Protect Yourself – JNI
Links
• http://viralpatel.net/blogs/2009/01/tutorial-java-class-file-
format-revealed.html
• http://code.google.com/p/z4root/
• http://code.google.com/p/android-apktool/
• http://www.dalvikvm.com/
Raising the Bar
• APK’s are available
• Tools are easy to use
• Turn on ProGuard
• Investigate other obfuscators
• Hide keys using JNI
• Don’t put sensitive information unencrypted in APKs
SPAM #2
• RIIS LLC
• Southfield, MI
• Clients
• Fandango
• DTE
• Comerica
• BCBSM
• Mobile Development
• DTE Outage Maps
• Broadsoft Front Office Assistant
• Contact Information
• [email protected]