Slides of the presentation at the AnDevCon: Android Reverse Engineering

2. Agenda:
-Intro
-Purpose
-Tools
-APK Structure
-Obtaining APKs
-Decompiling
-Manipulation
-Repackage/signing
-Examples
-Prevention
!

3. Ego slide
Mobile Developer @ Sixt
M. Sc. UCM/RWTH
CS Teacher at Alcalá University
!
!
!
+EnriqueLópezMañas
@eenriquelopez

4. Reverse Engineering
Obtaining source code
from a compiled source
!

5. Why Java?
-Java code is partially compiled
and then interpreted
-JVM and opcodes are fixed
-Few instructions
-No real protection

6. Why Android?
-APKs are easily downloadable
-Obfuscation does not happen by
default
- APK to JAR translation is easy

7. Legal issues
Small set:
!
- Don’t decompile, recompile and
pass it off as your own
- Don’t try to sell it as your own
- If License Agreement forbids
decompiling, do not decompile
-Don’t decompile to remove
protection mechanisms

8. Legal issues
US
!
- Precedents allowing
decompilation
!
(Sega vs. Acolade, http://digitallaw-online.info/cases/
24PQ2D1561.htm)

9. Legal issues
EU (Directive on the Legal
Protection of Computer Programs
)
- Allows decompilation
!
(if you need access to internal
calls and authors refuse to divulge
API)
!
BUT:
!
-Only to interface your program
-Only if they are not protected

10. Generally
YES:
!
- Understand interoperatibility
- Create a program interface
!
NO:
!
- Create a copy and sell it.

11. Privacy
leaks
Cheating
Code injection
Passwords
Score
manipulation
Download from obscure
sources
Personal
data
Asset
manipulation
Unrequested data
collection/steal
Ads
Malware

12. Educational
Interfacing
Protection
Learning code
Creating
interfaces
Checking our
own mistakes!
Researching bugs
Improving
existing
resources

13. Dex2Jar

14. JD-GUI

15. JAD

16. apktool

17. Eclipse

18. Java
programming
(SDK/NDK)
Distribution
(freely,
Google Play
or other)
Compiling to
DEX, running
in DVM
Package
signed as APK

19. Obtaining
APK
Converting
DEX to Jar
Decompiling
Java

20. How to obtain APKs
1.2.3.4.-
Pulling from device
Using GooglePlay Python API
Alternative sources
Sniffer transfer

21. Pulling from device:
Connect with USB cable
ADB
Root

22. Alternative Sources:

23. Sniffer:

24. Google Play Python API:

25. First unzip

26. Using dex2jar to create a Jar

27. Using a Java Decompiler

28. Some tips:
•Look for known strings
•Not only code: also XML and
resources
•Be aware of obfuscation

29. •Edit and modify resources
•Change essential code
•SMALI

30. •Create certificate with JDK
Keytool
•Sign Jar with JDK jarsigner

31. •HelloWorld
•Crackme
•Code injection

32. Protecting your source
[We want] to protect [the] code by making
reverse engineering so technically difficult
that it becomes impossible or at the very
least economically inviable.
!
-Christian Collberg,

33. Idea #1
Writing two versions of the app

34. Idea #2
Obfuscation
When obfu scation is outlawed, only outlaw
s will sifj difdm wofiefiemf eifm.

35. Idea #3
WebServices

36. Idea #4
FingerPrinting our code

37. Idea #5
Native methods

39. Thank you
!
+ Enrique López Mañas
@eenriquelopez