Demos: https://www.youtube.com/playlist?list=PLT5vjvSOpI4QxaidyMBO9cqDm7ww-pIib I am sure you know what is the situation with Android apps today, as you can see from the Mobile Techworld report 100% of top paid apps were hacked or cloned and modified then. Which is pretty sad, for developers and publishers, and also for attractiveness of Android platform. Guys from Apple are also add fuel to the fire telling us that Android platform is the Malware Kingdom. I was amazed that there is no standard EULA for apps placed in Google Play. Take it seriously it is important. Amazon application store has one for example. Lets imagine we have an application with ads. All a potential hacker have do is to disassemble the app, change ad id, assemble it back, do some needed stuff and put it on the market. Whatever p2p, grey markets, official markets, wares sites and so on. Note that if we are using name obfuscation for the app, potential hacker will need an extra minute to hack it.

1. Android applications in the cruel
world
Defence Against the Dark Forces or how
to save an Android application from
threats?
Mikhail Dudarev, Ivan Kinash
Licel, 2014, DroidCon Moscow 2014

2. • Mikhail Dudarev is an old-school java
security guy, co-founder of Licel, founder
of jCardSim, a Java Card simulator, which
has won the 2013 Duke's Choice Award
• Ivan Kinash is a co-founder & CEO at Licel
• Licel creates application protection
solutions for Java and Android platforms
About

3. Report
Mobile Techworld Report:
Looking at a total of 230 apps – the top 100 paid
apps and top 15 free apps for Android and iOS –
Arxan found that 100 percent of the top paid apps
on Android and 56 percent on iOS were being
impersonated in a compromised form on grey
markets.
http://goo.gl/mW1WxZ

4. Android Application Security Model
• There is no standard EULA, each publisher is sole
responsible for one (Google Play)
• Installed APK is stored on a device
• It is signed with a publisher’s signature
• There is a privilege system (users do not take it
seriously, or they simply have no choice)
• APKs stored on devices are accessible even without
root privileges (Jelly Bean Encrypted Containers – root
needed)

5. Android Application Security Model
• Signature is designed to confirm integrity of an
application
• Truth is that it gives you absolutely nothing
• A couple of minutes needed to resign an
application
• Then put it to grey markets, p2p, warez sites… Or
even to the same market where original one is
(was)

6. APK Structure
classes.dex
(dalvik
bytecode)
resources.arsc
(compiled
resources)
META-INF/
(signatures)
res/
(resources)
assets/
(assets)
lib/
(native libs)
AndroidManifest.xml
(name, version, access rights,
referenced libs)

7. Dalvik bytecode
• Is it protected?
• Is it hard to reverse engineer?
No and no once again…

8. Example
• Imagine you have an application with ads
• What malicious person have to do to own your app?
• Apktool disassemble -> change ad id -> Apktool
assemble -> add its own signature -> zipalign ->
distribute (p2p, grey markets, official markets, warez
sites) = 10 mins
• If you are using just name obfuscation technique, it will
require one extra minute to hack…

9. Short funny
demo

11. Existing threats
• Application cloning
• Sensitive information (user) theft
• Licensing system cracking
• Reverse engineering

12. Application cloning
• Illegal publishing on alternative app stores
– App sales revenue loss
• Rerouting of Ad/IAP revenue streams
– Lost revenue from ads and purchases
• Malicious code injection
– Loss of reputation and harm to the app’s users

13. Stealing sensitive information from an
application
• User’s Data
– Logins/Passwords/Keys/Credit
card info…
– IM, Social Network data,…
– Location
• Application Data
– Unique multimedia resources
– Information from embedded
databases
– Business Logic
• Corporate Data
– DBs/Confidential files/…
Cracking tools (free): ApkTool, Androguard, Dex2jar

14. Licensing system cracking. Google Play
LVL
• The main app licensing service in Google Play
• Based on asymmetric cryptography
– Secret keys are stored on the licensing server,
public keys are in an application’s code
Automatic cracking tool: AntiLVL

15. Reverse-engineering
• Analysis of weak/critical places in apps in order to
detect vulnerabilities
• Application’s internal logic analysis
– OTP-generator for a banking solution
http://goo.gl/0Dauve
Cracking tools: ApkTool, Androguard, Dex2jar

16. Reverse engineering my bank's
security token
• Original mobile banking application that
generates OTP (One Time Password) codes
• After decompiling with Dex2Jar
– Detected OTP generation algorithm – TOTP
TOTP = HOTP(SecretKey, TimeCounter)
– Secret key extracted from code
– Arduino clone created 

17. Reverse engineering my bank's
security token

18. Standard protection and licensing
techniques
• Name obfuscation (in particular Proguard)
• Licensing services provided by app store
– Google Play Licensing
– Amazon DRM
• Custom native libraries for license checking, string/class
encryption
• Server-side computation
• Mathematical Jigsaw Puzzle Obfuscation (keep ProGuard
optimizer away from this parts of code)

19. Useful, but do not work…
Active and Strong Integrity Protection
Techniques and set of other great
approaches
They do not work without…

20. Cracking methods
• Automatic
– AntiLVL
• Tools for analysis and modification
– ApkTool
– Androlib
– Dex2Jar
– JD-GUI/JEB/…
• Text editor and grep 

21. Advanced protection techniques
• String Encryption (e.g. whiteboxcrypto)
• Hiding of API calls
• Class Encryption
• Resource Encryption
• Strong and active integrity
protection

22. Protection goal
• Have bytecode (even if it is dumped) as hard
to reverse engineer as possible (strings are
encrypted, valuable algorithms are hidden,
API calls are hidden)
• Have strong integrity protection mechanism in
order to block repackaging ability
• Have unique resources encrypted

23. Protection scheme
APK
Bytecode
• String Encryption
• Class Encryption
• Hide API calls
Resources
• Resource encryption
Signature
• Active Integrity Protection (Repackaging protection)
If an app has
network
abilities, you
can also
change
communicati
on protocol
from version
to version…

24. A few important tips
If you are developing mobile banking/financial/corporate/secure app:
• Device fingerprint
• Device-related One time passwords via second communication channel
(SMS)
• Use secured communication protocols and strong cryptography if it is
possible
• Sensitive information stored on a device should be encrypted (SQLCipher),
keys must be hidden via String Encryption
• Keep in mind that the balance between usability/performance and
security is important
• Think about protection and do protect in advance, BEFORE RELEASE

25. A few important tips #2
After applying strong protection techniques you
might think then about:
• App cert check (just in case)
• Debug mode check
• Rooted device check
• Emulator check

26. DexProtector
• Having a huge expertize we implemented String Encryption,
Class Encryption, Resource Encryption, Hide Access and
Integrity Control mechanisms on a technology leading level
• That is why I would love to recommend DexProtector for
protecting your apps from threats
• If you are applying additional security practices
DexProtector will help you to protect them from being
reverse engineered
• It can be used together with ProGuard

27. Conclusion
• Nobody will give you 100% guarantee that your app
will not be hacked
• Relevance of piracy is increasing day by day as the
Android market growth
• Standard protection techniques are not stand any more
against current methods of analysis and cracking
• Must have a set of protection techniques applied
• Integrity Protection is very important

28. Conclusion #2
• If you applied security measures intelligently you are safe
from more than 90% of potential hackers. It is hoped that
the remaining 10 percent will not be interested in breaking
you app
• Google is in a difficult situation with Android security now.
Definitely there should be some changes, especially in
securing boot-loader, in creating secure app execution
environment and storage also. They tried in Jelly Bean, but
with no luck. On the other hand I see Nexus series has
ability to be legally rooted and do not know what to think

29. Contacts
Email: dudarev@licelus.com, kinash@licelus.com
Twitter: @MikhailDudarev, @ivan_kinash
Web: http://dexprotector.com, http://licelus.com