4. What is a Decompiler
• Reverse engineers compiled apps back into source code
• Many languages can be decompiled
• Java, C#, VB.NET, Visual Basic
• Others can usually only be disassembled
• C, C++, Objective-C
• Java and .NET particularly at risk
• Because of JVM and CLR design
• Why use decompilers?
• Curiosity, Hacking, Learning, Fair Use
5. Why Java
• Exploits JVM Design
• Bytecode was originally interpreted, not compiled to native code
• Lots more symbolic information than in native binaries
• Data and method separation
• Simple classfile structure
• Very few opcodes
7. Why Java
ClassFile {                                    // int = u4, short = u2 in the JVM spec; all big-endian
int magic,                                     // 0xCAFEBABE
short minor_version,
short major_version,
short constant_pool_count,
cp_info constant_pool[constant_pool_count-1],  // entries are indexed from 1
short access_flags,
short this_class,                              // index of a CONSTANT_Class entry
short super_class,
short interfaces_count,
short interfaces[interfaces_count],            // each an index of a CONSTANT_Class entry
short fields_count,
field_info fields[fields_count],
short methods_count,
method_info methods[methods_count],
short attributes_count,
attr_info attributes[attributes_count]
}
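The structure above is small enough that a reader fits in a few dozen lines, and walking it shows where a decompiler's symbolic information comes from: the constant pool carries class, superclass, field and method names, descriptors and string literals, and a `static final` constant sits in a ConstantValue attribute outside any code. The following Python reader is an added example, not code from the talk; the class file it parses is constructed inline (assumed names: com/riis/mobile/Config, getApiKey; the PASSWORD literal is the one shown on the "Possible Exploits" slide), so it runs offline.

```python
"""Parse a Java .class file: header, constant pool, fields and methods.

Added example, not code from the talk: the ClassFile layout on the slide is flat enough
to read in a few dozen lines, and the constant pool alone gives a decompiler class,
field and method names, descriptors and string constants.  The parsed class file is
constructed inline (assumed names: com/riis/mobile/Config, getApiKey) so this runs offline.
"""
import struct

# Constant-pool tags (JVM spec section 4.4).
UTF8, INTEGER, FLOAT, LONG, DOUBLE, CLASS, STRING = 1, 3, 4, 5, 6, 7, 8
FIELDREF, METHODREF, IMETHODREF, NAME_AND_TYPE = 9, 10, 11, 12
METHOD_HANDLE, METHOD_TYPE, INVOKE_DYNAMIC = 15, 16, 18

class Reader:
    """Big-endian cursor over the file; format letters B/H/I are the spec's u1/u2/u4."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def unpack(self, fmt):
        vals = struct.unpack_from(">" + fmt, self.data, self.pos)
        self.pos += struct.calcsize(">" + fmt)
        return vals if len(vals) > 1 else vals[0]
    def take(self, n):
        self.pos += n
        return self.data[self.pos - n:self.pos]

def read_constant_pool(r, count):
    """Entries are 1-based; cp[0] is unused and the slot after a Long/Double stays None."""
    cp, i = [None] * count, 1
    while i < count:
        tag = r.unpack("B")
        if tag == UTF8:                                   # modified UTF-8, same as UTF-8 for ASCII
            cp[i] = (tag, r.take(r.unpack("H")).decode("utf-8", errors="replace"))
        elif tag in (CLASS, STRING, METHOD_TYPE):         # one u2 index into the pool
            cp[i] = (tag, r.unpack("H"))
        elif tag in (FIELDREF, METHODREF, IMETHODREF, NAME_AND_TYPE, INVOKE_DYNAMIC):
            cp[i] = (tag,) + r.unpack("HH")
        elif tag == METHOD_HANDLE:
            cp[i] = (tag,) + r.unpack("BH")
        elif tag in (INTEGER, FLOAT, LONG, DOUBLE):
            wide = tag in (LONG, DOUBLE)
            cp[i] = (tag, r.take(8 if wide else 4))
            i += wide                                     # 8-byte constants take two slots
        else:
            raise ValueError("unknown constant pool tag %d at #%d" % (tag, i))
        i += 1
    return cp

def parse_class(data):
    """Return the symbolic view a decompiler starts from: names, descriptors, constants."""
    r = Reader(data)
    if r.unpack("I") != 0xCAFEBABE:
        raise ValueError("bad magic")
    minor, major, cp_count = r.unpack("HHH")
    cp = read_constant_pool(r, cp_count)
    utf8 = lambda idx: cp[idx][1]                                 # Utf8 entry -> str
    class_name = lambda idx: utf8(cp[idx][1]) if idx else None    # super_class is 0 only for Object

    def attributes():
        attrs = {}
        for _ in range(r.unpack("H")):
            name = utf8(r.unpack("H"))
            attrs[name] = r.take(r.unpack("I"))
        return attrs

    def members():                                                 # field_info and method_info share a layout
        out = []
        for _ in range(r.unpack("H")):
            access, name, desc = r.unpack("HHH")
            m = {"access": access, "name": utf8(name), "descriptor": utf8(desc), "attributes": attributes()}
            cv = m["attributes"].get("ConstantValue")             # static final literal, stored outside any code
            if cv is not None:
                (cidx,) = struct.unpack(">H", cv)
                m["constant"] = utf8(cp[cidx][1]) if cp[cidx][0] == STRING else cp[cidx][1]
            out.append(m)
        return out

    access, this_idx, super_idx = r.unpack("HHH")
    interfaces = [class_name(r.unpack("H")) for _ in range(r.unpack("H"))]
    fields, methods, class_attrs = members(), members(), attributes()
    return {"version": (major, minor), "access": access, "this_class": class_name(this_idx),
            "super_class": class_name(super_idx), "interfaces": interfaces,
            "fields": fields, "methods": methods, "attributes": class_attrs}

def _utf8(s):
    raw = s.encode("utf-8")
    return struct.pack(">BH", UTF8, len(raw)) + raw

def build_sample_class():
    """Constructed: public class Config { public static final String PASSWORD = "..."; public native String getApiKey(); }"""
    pool = [struct.pack(">BH", CLASS, 2), _utf8("com/riis/mobile/Config"), struct.pack(">BH", CLASS, 4),
            _utf8("java/lang/Object"), _utf8("PASSWORD"), _utf8("Ljava/lang/String;"), _utf8("ConstantValue"),
            struct.pack(">BH", STRING, 9), _utf8("waZawuzefrabru96ebeb"), _utf8("getApiKey"), _utf8("()Ljava/lang/String;")]
    out = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(pool) + 1) + b"".join(pool)   # magic, minor, major, cp_count
    out += struct.pack(">HHHH", 0x0021, 1, 3, 0)          # ACC_PUBLIC|ACC_SUPER, this=#1, super=#3, no interfaces
    out += struct.pack(">HHHHH", 1, 0x0019, 5, 6, 1)      # 1 field: public static final PASSWORD, 1 attribute
    out += struct.pack(">HIH", 7, 2, 8)                   # ConstantValue -> CONSTANT_String #8
    out += struct.pack(">HHHHH", 1, 0x0101, 10, 11, 0)    # 1 method: public native getApiKey(), no Code needed
    return out + struct.pack(">H", 0)                     # no class attributes
```

Run `parse_class(open("Config.class", "rb").read())` on a real class file to see the same view; the attribute bodies (Code, Signature, LineNumberTable, LocalVariableTable) are kept raw here, and it is exactly those name and line tables that ProGuard's renaming and stripping take away.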
9. Why Android
• Client-side code
• Easy access to APKs
• Copy the APK to the SD card with Astro File Manager
• Download from the xda-developers forum
• Download with ‘adb pull’ from a rooted phone
• Nobody is using obfuscation
• Only 1 of every 20 APKs downloaded was protected
• Easy to convert an APK’s classes.dex back to Java classes and decompile them
15. Why not iPhone?
• Objective-C
• Compiled to native code, not interpreted bytecode
• Much less symbolic information survives
• Fat (multi-architecture) binaries
• Can still be disassembled
• strings and otool Unix commands
• Other tools like IDA Pro
16. Why Android
• Root the phone
• Use Z4Root
• Uses the RageAgainstTheCage root exploit (desktop antivirus will flag it)
• Not available on the Android Market ;-)
• Using the Android SDK platform tools (adb)
• Turn on USB debugging on the phone
• Find the APK using adb shell (installed apps live under /data/app)
• Download it using adb pull
23. Possible Exploits
// What a decompiler hands back: web-service credentials compiled in as string constants
public static final String USER_NAME = "BC7E9322-0B6B-4C28B4";
public static final String PASSWORD = "waZawuzefrabru96ebeb";
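Constants like these do not even need a decompiler: an APK is an ordinary zip archive, and every string literal in classes.dex sits in its string table in the clear. The following Python script is an added example, not code from the talk; it ties together the "Why Android" steps (pull the APK, look inside) and this slide. It constructs a sample APK in memory (assumed names: com/riis/mobile/Config and an api.example.com URL, plus the two credentials above) so it runs offline, verifies the dex header checksum before trusting the file, walks the string_ids table, and runs a simple entropy heuristic of my own over the literals to pick out likely secrets.

```python
"""Dump the string table of an APK's classes.dex and triage it for hardcoded secrets.

Added example, not code from the talk.  An APK is a zip archive whose Dalvik
bytecode lives in classes.dex; its 0x70-byte little-endian header points at a
string_ids table of offsets to MUTF-8 string_data_items, so every literal the app
uses can be read without a decompiler.  The sample APK is constructed in memory
(only a string table, no classes or code) so the script runs offline.
"""
import hashlib
import io
import math
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
STRING_IDS_FIELDS = 56  # header offset of the string_ids_size / string_ids_off pair

def uleb128_encode(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def uleb128_decode(buf, off):
    result, shift = 0, 0
    while True:
        byte = buf[off]
        off += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, off
        shift += 7

def build_dex(strings):
    """Build a minimal, checksum-correct dex holding only a string table (constructed sample)."""
    string_data, offsets = bytearray(), []
    data_off = DEX_HEADER_SIZE + 4 * len(strings)
    for s in strings:
        offsets.append(data_off + len(string_data))
        # string_data_item: uleb128 UTF-16 length, MUTF-8 bytes, NUL (ASCII here, so MUTF-8 == UTF-8)
        string_data += uleb128_encode(len(s)) + s.encode("utf-8") + b"\x00"
    body = b"".join(struct.pack("<I", o) for o in offsets) + bytes(string_data)
    dex = bytearray(b"dex\n035\x00") + bytes(24)            # magic; checksum + signature patched below
    dex += struct.pack("<III", DEX_HEADER_SIZE + len(body), DEX_HEADER_SIZE, 0x12345678)
    dex += struct.pack("<III", 0, 0, 0)                       # link_size, link_off, map_off
    dex += struct.pack("<II", len(strings), DEX_HEADER_SIZE)  # string_ids_size, string_ids_off
    dex += struct.pack("<II", 0, 0) * 5                       # type/proto/field/method/class_def: empty
    dex += struct.pack("<II", len(string_data), data_off) + body
    dex[12:32] = hashlib.sha1(dex[32:]).digest()              # signature covers everything after it
    dex[8:12] = struct.pack("<I", zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)
    return bytes(dex)

def dex_strings(dex):
    """Verify the header checksum, then walk string_ids and return every literal."""
    if dex[:4] != b"dex\n" or dex[7] != 0:
        raise ValueError("not a dex file")
    (stored,) = struct.unpack_from("<I", dex, 8)
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != stored:
        raise ValueError("dex checksum mismatch: truncated or tampered file")
    count, ids_off = struct.unpack_from("<II", dex, STRING_IDS_FIELDS)
    out = []
    for i in range(count):
        (item_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = uleb128_decode(dex, item_off)
        end = dex.index(b"\x00", start)
        out.append(dex[start:end].decode("utf-8", errors="replace"))  # MUTF-8 ~ UTF-8, fine for triage
    return out

def apk_strings(apk_bytes):
    """An APK is a zip: pull classes.dex out of it and read its string table."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return dex_strings(apk.read("classes.dex"))

def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def candidate_secrets(strings, min_len=16, min_entropy=3.0):
    """Cheap triage (my heuristic, not the talk's): long, space-free literals that mix letters
    and digits with high entropy; descriptors and URLs (anything containing '/') are skipped."""
    return [s for s in strings
            if len(s) >= min_len and "/" not in s and not any(c.isspace() for c in s)
            and any(c.isdigit() for c in s) and any(c.isalpha() for c in s)
            and shannon_entropy(s) >= min_entropy]

# Constructed sample: the literals a Config class holding the slide's credentials compiles to.
SAMPLE_STRINGS = ["<init>", "V", "Ljava/lang/String;", "Lcom/riis/mobile/Config;", "USER_NAME", "PASSWORD",
                  "BC7E9322-0B6B-4C28B4", "waZawuzefrabru96ebeb", "https://api.example.com/v1/login"]

def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"(binary XML placeholder)")
        apk.writestr("classes.dex", build_dex(SAMPLE_STRINGS))
    return buf.getvalue()

if __name__ == "__main__":
    for literal in candidate_secrets(apk_strings(build_sample_apk())):
        print("possible hardcoded secret:", literal)
```

On a pulled APK, `candidate_secrets(apk_strings(open("app.apk", "rb").read()))` does the same triage; a real dex also carries type, method and class tables, but only the header's string_ids fields are needed here. ProGuard renaming leaves every one of these literals in place; only string encryption (DashO) or moving the value out of the APK changes what this script sees.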
24. Protect Yourself
• Protect code before releasing
• Once an unprotected APK is out, it can’t be taken back
• Obfuscators
• ProGuard
• DashO
• Native code
• Use C++ and JNI
• 99.99% of Android devices run on ARM processors
• Use digital signature checking to protect the native lib
• Only raises the bar: native code can still be disassembled
25. Protect Yourself
• ProGuard:
• Detects and removes unused classes, fields, methods, and attributes
• Optimizes bytecode and removes unused instructions
• Renames the remaining classes, fields, and methods with short, meaningless names
• Preverifies the processed code (Java 6 / Java ME stack maps)
• Renaming leaves string literals untouched, so a hardcoded key is still readable afterwards
• Enable it in the project’s default.properties file:
• proguard.config=proguard.cfg
26. Protect Yourself
• DashO (basic):
• Improvement over ProGuard's naming by using strange
characters and heavily reusing the same names at
different scopes.
• Does much more involved control flow obfuscation than
ProGuard, reordering code operations to make them
very difficult to understand and often breaking
decompilers.
• Supports string encryption to render important string
data unreadable to attackers.
27. Protect Yourself
• DashO (advanced):
• Supports tamper detection, handling, and reporting to
prevent users from changing the compiled code, even
while debugging, and to alert you if it happens.
• Can automatically inject PreEmptive's Runtime
Intelligence functionality for remote error reporting.
36. Raising the Bar
• APKs are freely available
• The tools are easy to use
• Turn on ProGuard
• Investigate other obfuscators
• Hide keys using JNI
• Don’t put sensitive information unencrypted in APKs
37. SPAM #2
• RIIS LLC
• Southfield, MI
• Clients
• Fandango
• DTE
• Comerica
• BCBSM
• Mobile Development
• DTE Outage Maps
• Broadsoft Front Office Assistant
• Contact Information
• godfrey@riis.com
Speaker notes
Gave similar talk last year – not such a big issue. Did it more as a favor for David. This year couldn’t be more different.
Decompiling Android – coming in the Spring 2012, also from Apress. Decompiling Java will also be translated into another language. Not a very high-selling book; expect DA to do better.
Moral issues
Before we can say why Android, have to ask Why Java first
http://commons.apache.org/bcel/manual.html
Java Classfile Structure.
Book didn’t sell because Java code is server side: no access => no decompilation
We’ll be showing you how to do this manually a bit later
Works best on Android 2.2, but you can still load it manually. Anti-virus on your PC will probably complain.
----- Meeting Notes (11/4/11 16:28) -----
Do adb demo
chmod 777 com.riis.mobile.apk
Provides all assets. Reverse engineers manifest.xml. Gets PhoneGap and Titanium code too.
----- Meeting Notes (11/4/11 16:28) -----
smali and baksmali
Fake apps like recent Netflix app
Web Service API keys
Titanium and PhoneGap: JavaScript code visible using one-click apk-tool