SlideShare une entreprise Scribd logo

Cracking the Mobile Application Code

Télécharger en tant que PPTX, PDF
c0c0n - International Cyber Security and Policing Conference
c0c0n - International Cyber Security and Policing Conference

Cracking the Mobile Application Code by Sreenarayan A. at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html

Technologie
1  sur  24
Cracking the Mobile Application Code - Sreenarayan A Paladion Mobile Security Team
Take Away for the day • Purpose of Decompiling Mobile Applications • Methodology of Decompilation • Live Demo’s: – Android App – iOS (iPhone / iPad App) – Blackberry Apps / Nokia App
Why is security relevant for Mobile Platform? • 400% Increase in the number for Organizations Developing Mobile Platform based applications. • 300% Increase in the no of Mobile Banking Applications. • 500% Increase in the number of people using the Mobile Phones for their day to day transactions. • 82% Chances of end users not using their Mobile Phones with proper caution. • 79% Chances of Mobile Phone users Jail Breaking their Phones. • 65% Chances of Mobile Phone users not installing Anti-virus on their Mobile Phones. • 71% Chances of any application to get misused. • 57% Chances of a user losing his sensitive credentials to a hacker.
Market Statistics of Mobile Users
Mobile Market Trends
Different Types of Mobile Applications • WAP Mobile Applications • Native Mobile Applications • Hybrid Mobile Applications
Different Types of Mobile Applications
Different Types of Mobile Architecture
Why did we learn the above types?? • Which applications can be Decompiled? – WAP Mobile Applications ? – Native Mobile Applications ? – Hybrid Mobile Applications ? • We have to get to know of the basics!
Cracking the Mobile Application Code
Cracking the Mobile Application Code •What do you mean by Reverse Engineering? •What do you mean by Decompilation? -> What is Compilation? Questions to be answered: •What are the goals/purpose of Cracking the code? •What is the methodology of Decompilation? •What the tools which can be used to Decompile? •Can Decompilation be done on all platforms? 1. ANDROID ? 2. iPHONE / iPAD ? 3. BLACKBERRY ? 4. NOKIA ?
Goal of cracking the Mobile Application Code
Goals of Cracking the Source Code •“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” •To find Treasure Key Words (password , keys , sql, algo, AES, DES, Base64, etc) •Figure out the Algorithms Used and their keys. •By-passing the client side checks by rebuilding the app. •E.g. Password in Banking Application (Sensitive Information) •E.g. Angry Birds Malware (Stealing Data) •E.g. Zitmo Malware (Sending SMS) •We have understood the goals, how to achieve them? Methodology.
Methodology of Cracking
Methodology / Study S1: Gaining access to the executable S2: Understanding the Technology used to code the application. S3: Finding out ways to derive the Object Code from the Executable. S4: Figuring out a way to derive the Class Files from the Object Code. S5: Figuring out a way to derive the Function Definitions from the Object Code
JUMP TO DEMO’s
Demo - Reverse Engineer the Android Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -Dex2jar -Jar Decompiler •Steps 1. .apk -> .dex 2. .dex -> .jar 3. .jar -> .java • Demo • Limitations
Demo - Reverse Engineer the iOS Application •Tools used: -iExplorer -Windows Explorer -oTool -Classdumpz •Steps 1. .app -> Garbage (Object Code) (DVM) 2. Object Code -> .Class • Demo • Limitations
Demo - Reverse Engineer the Blackberry Application •Tools used: -JD – GUI (Java Decompiler) -Notepad •There are two types of Application files found in Blackberry: 1. .Jar (.jad -> .jar) 2. .Cod (.jad -> .cod (Blackberry Code Files) •Steps 1. .jar -> .java (JD-GUI) Or 1. Notepad to open .cod (No luck!) • Demo • Limitation
Tip - Reverse Engineer the Windows Phone Application •Tools used: -.net decompiler -Visual Studio with Windows Phone SDK
Palisade Articles • iOS vs Android Testing • Mobile Data Encryption • Mobile Application Security Testing • Demystifying the Android • And … • Website link: palpapers.paladion.net
• Questions and Answers • Quiz • Feedback
Thank You Sreenarayan.india@gmail.com Sreenarayan.a@paladion.net Twitter: Ace_Sree

Recommandé

Mobile testing. Tips and Tricks
Mobile testing. Tips and TricksMobile testing. Tips and Tricks
Mobile testing. Tips and TricksArtem Pinchuk
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Courseeightbit
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSalesforce Developers
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Malware could steal data from i phones using siri
Malware could steal data from i phones using siriMalware could steal data from i phones using siri
Malware could steal data from i phones using siriEdward Perea
 
Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android AapplicationsRoshan Thomas
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationVeridium
 

Recommandé

Mobile testing. Tips and Tricks
Mobile testing. Tips and TricksMobile testing. Tips and Tricks
Mobile testing. Tips and TricksArtem Pinchuk
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Courseeightbit
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSalesforce Developers
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Malware could steal data from i phones using siri
Malware could steal data from i phones using siriMalware could steal data from i phones using siri
Malware could steal data from i phones using siriEdward Perea
 
Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android AapplicationsRoshan Thomas
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationVeridium
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Team 3 status report#4
Team 3 status report#4Team 3 status report#4
Team 3 status report#4Joaquim Jaime
 
iOS Developer Concept introduction
iOS Developer Concept introductioniOS Developer Concept introduction
iOS Developer Concept introductionBanyapon Poolsawas
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionTech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionMarni3Bridges
 
Introduction to Mobile Apps
Introduction to Mobile Apps Introduction to Mobile Apps
Introduction to Mobile Apps Shahryar Khan
 
Ios forensics
Ios forensicsIos forensics
Ios forensicsKamal Patel
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
UI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & ExploitationUI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & Exploitationc0c0n - International Cyber Security and Policing Conference
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWebsecurify
 
Leveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and OrderLeveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and Orderc0c0n - International Cyber Security and Policing Conference
 
Marine and Freshwater Ecology Revision
Marine and Freshwater Ecology RevisionMarine and Freshwater Ecology Revision
Marine and Freshwater Ecology Revisionanigvanderanal
 
OWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulationOWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulationPavan M
 
Hacker's jargons
Hacker's jargonsHacker's jargons
Hacker's jargonsPavan M
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8Pavan M
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Enginesc0c0n - International Cyber Security and Policing Conference
 
Cracking the mobile application code
Cracking the mobile application codeCracking the mobile application code
Cracking the mobile application codeSreenarayan A
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalc0c0n - International Cyber Security and Policing Conference
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013Petr Dvorak
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 

Contenu connexe

Tendances

iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Team 3 status report#4
Team 3 status report#4Team 3 status report#4
Team 3 status report#4Joaquim Jaime
 
iOS Developer Concept introduction
iOS Developer Concept introductioniOS Developer Concept introduction
iOS Developer Concept introductionBanyapon Poolsawas
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionTech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionMarni3Bridges
 
Introduction to Mobile Apps
Introduction to Mobile Apps Introduction to Mobile Apps
Introduction to Mobile Apps Shahryar Khan
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 

Tendances (8)

iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
Team 3 status report#4
Team 3 status report#4Team 3 status report#4
Team 3 status report#4
 
iOS Developer Concept introduction
iOS Developer Concept introductioniOS Developer Concept introduction
iOS Developer Concept introduction
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionTech savvy seniors term 4 introduction
Tech savvy seniors term 4 introduction
 
Introduction to Mobile Apps
Introduction to Mobile Apps Introduction to Mobile Apps
Introduction to Mobile Apps
 
Ios forensics
Ios forensicsIos forensics
Ios forensics
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
 

En vedette

Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWebsecurify
 
Marine and Freshwater Ecology Revision
Marine and Freshwater Ecology RevisionMarine and Freshwater Ecology Revision
Marine and Freshwater Ecology Revisionanigvanderanal
 
OWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulationOWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulationPavan M
 
Hacker's jargons
Hacker's jargonsHacker's jargons
Hacker's jargonsPavan M
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8Pavan M
 

En vedette (8)

UI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & ExploitationUI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & Exploitation
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The Basics
 
Leveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and OrderLeveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and Order
 
Marine and Freshwater Ecology Revision
Marine and Freshwater Ecology RevisionMarine and Freshwater Ecology Revision
Marine and Freshwater Ecology Revision
 
OWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulationOWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulation
 
Hacker's jargons
Hacker's jargonsHacker's jargons
Hacker's jargons
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 

Similaire à Cracking the Mobile Application Code

Cracking the mobile application code
Cracking the mobile application codeCracking the mobile application code
Cracking the mobile application codeSreenarayan A
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013Petr Dvorak
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Software quality and mobile apps
Software quality and mobile appsSoftware quality and mobile apps
Software quality and mobile appsPrawesh Shrestha
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhonessaurabhharit
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidMichael Rushanan
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsBitbar
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)ClubHack
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on AndroidPietro F. Maggi
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 

Similaire à Cracking the Mobile Application Code (20)

Cracking the mobile application code
Cracking the mobile application codeCracking the mobile application code
Cracking the mobile application code
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
 
Software quality and mobile apps
Software quality and mobile appsSoftware quality and mobile apps
Software quality and mobile apps
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love Android
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on Android
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 

Dernier

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Dernier (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Cracking the Mobile Application Code

  • 1. Cracking the Mobile Application Code - Sreenarayan A Paladion Mobile Security Team
  • 2. Take Away for the day • Purpose of Decompiling Mobile Applications • Methodology of Decompilation • Live Demo’s: – Android App – iOS (iPhone / iPad App) – Blackberry Apps / Nokia App
  • 3. Why is security relevant for Mobile Platform? • 400% Increase in the number for Organizations Developing Mobile Platform based applications. • 300% Increase in the no of Mobile Banking Applications. • 500% Increase in the number of people using the Mobile Phones for their day to day transactions. • 82% Chances of end users not using their Mobile Phones with proper caution. • 79% Chances of Mobile Phone users Jail Breaking their Phones. • 65% Chances of Mobile Phone users not installing Anti-virus on their Mobile Phones. • 71% Chances of any application to get misused. • 57% Chances of a user losing his sensitive credentials to a hacker.
  • 4. Market Statistics of Mobile Users
  • 6. Different Types of Mobile Applications • WAP Mobile Applications • Native Mobile Applications • Hybrid Mobile Applications
  • 7. Different Types of Mobile Applications
  • 8. Different Types of Mobile Architecture
  • 9.
  • 10. Why did we learn the above types?? • Which applications can be Decompiled? – WAP Mobile Applications ? – Native Mobile Applications ? – Hybrid Mobile Applications ? • We have to get to know of the basics!
  • 11. Cracking the Mobile Application Code
  • 12. Cracking the Mobile Application Code •What do you mean by Reverse Engineering? •What do you mean by Decompilation? -> What is Compilation? Questions to be answered: •What are the goals/purpose of Cracking the code? •What is the methodology of Decompilation? •What the tools which can be used to Decompile? •Can Decompilation be done on all platforms? 1. ANDROID ? 2. iPHONE / iPAD ? 3. BLACKBERRY ? 4. NOKIA ?
  • 13. Goal of cracking the Mobile Application Code
  • 14. Goals of Cracking the Source Code •“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” •To find Treasure Key Words (password , keys , sql, algo, AES, DES, Base64, etc) •Figure out the Algorithms Used and their keys. •By-passing the client side checks by rebuilding the app. •E.g. Password in Banking Application (Sensitive Information) •E.g. Angry Birds Malware (Stealing Data) •E.g. Zitmo Malware (Sending SMS) •We have understood the goals, how to achieve them? Methodology.
  • 16. Methodology / Study S1: Gaining access to the executable S2: Understanding the Technology used to code the application. S3: Finding out ways to derive the Object Code from the Executable. S4: Figuring out a way to derive the Class Files from the Object Code. S5: Figuring out a way to derive the Function Definitions from the Object Code
  • 18. Demo - Reverse Engineer the Android Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -Dex2jar -Jar Decompiler •Steps 1. .apk -> .dex 2. .dex -> .jar 3. .jar -> .java • Demo • Limitations
  • 19. Demo - Reverse Engineer the iOS Application •Tools used: -iExplorer -Windows Explorer -oTool -Classdumpz •Steps 1. .app -> Garbage (Object Code) (DVM) 2. Object Code -> .Class • Demo • Limitations
  • 20. Demo - Reverse Engineer the Blackberry Application •Tools used: -JD – GUI (Java Decompiler) -Notepad •There are two types of Application files found in Blackberry: 1. .Jar (.jad -> .jar) 2. .Cod (.jad -> .cod (Blackberry Code Files) •Steps 1. .jar -> .java (JD-GUI) Or 1. Notepad to open .cod (No luck!) • Demo • Limitation
  • 21. Tip - Reverse Engineer the Windows Phone Application •Tools used: -.net decompiler -Visual Studio with Windows Phone SDK
  • 22. Palisade Articles • iOS vs Android Testing • Mobile Data Encryption • Mobile Application Security Testing • Demystifying the Android • And … • Website link: palpapers.paladion.net
  • 23. • Questions and Answers • Quiz • Feedback