With growth in app market it is essential to guard our android apps against possible threats, in this presentation we will walk through various tools and techniques which some one can use to reverse engineer an android app, we will see how some one can get access to APP DB, CODE, API, PREFERENCES.
We will also see different tools and techniques to guard our app against possible threats from code obfuscation with tools like dexgaurd to newer methods like verification of api calls using google play services.
This session was taken in Barcamp 13 bangalore http://barcampbangalore.org/bcb/bcb13/reverse-engineering-an-android-app-securing-your-android-apps-against-attacks
and bangalore android user group meetup Jan meetup http://www.meetup.com/blrdroid/events/100360682/
14. Other Techniques
junk byte insertion
Dynamic Code loading
Self Modifying code
Obfuscation at dex level
Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
15. API Protection Google
Play Service
Token + Your Verify
Google Client id Your Token
Authutil Parameters Backend Fields
Access Token
Verify Token
Signature
Google
audience:server:client_id:9414861317621.apps.googleusercontent.com
16. API Protection
Hiding url & Use HTTPS
parameters (self signed
will work)
Use time & Use User
encoding in Agent
parameters Identifier
18. To Sum Up
Nothing is full proof
Don’t give away your code just like that
Use progaurd to protect your code
Use Google Api Verification for Sensitive
backend calls
Piracy is being address by google play licensing services but not that effective to stop piracyStealing you IP/Code
Progaurd is free and comes bundle with android SDKDexgaurd by same author of progaurdAllatori is paid
All Free tool except IDA PROAPK Tool internally uses SmaliAndroid Guard is python based tool with GUI which internally uses dex2gaurd smalietcIt works only on linux, difficult to install, A VM with fully configured android guard is available on http://www.honeynet.org/downloads/Android.tar.gz
AAPT (Android application packaging tool) converts resources reference into R.Java and compiled resources (Manifest)Java Compiler takes, R.java, Application Source code and java interfaces to generate class fileDx tool takes this .class files and 3rd party libraries and .class files to convert into dex files.so = System Objectshttp://developer.android.com/tools/building/index.html#detailed-build
Lets Reverse engineer an android app
Federal offence in some countriesUse this tools for securing your own apps
ReadSmali when de-compilation fails (Dex to smali)Multiple methods to extract APK1 pulling from device – Connect USB-Cable– Use ADB (Android Debug Bridge) from SDK– No Google Play on emulator (AVD)2. Directly downloading via googleplaypythonapi from Google Play– Configured Google Account with connected https://github.com/egirault/googleplay-apiAndroid ID3. Download from Web– Alternative source– Capture transfer to
Progaurd is simple protection tool available in android SDKIt not only acts as obfuscator but it is also a Shrinker and optimizer You can reduce size of your APK with progaurd.It is free to use and effectiveNo String encryption and advance obfuscation techniquesProgaurd can be configured to run in android during build process when you generate APKLets see how we can enable progaurd
Lets see a sample APK With progaurd enabled
Commercial tool by creator of progaurdAll features of progaurdAdvance obfuscation techniques with String encryption api hiding tamper detection etcLets see a apk obfuscated with dexgaurd
Other techniques to protect your Android App Code
New method for verifying backend calls by google play serviceVery easy to integrate works on all phones running google play services with android 2.2 and aboveNo prompting for asking anything with user runs in background Register your android app in googleapi console make client id for web application and one for android application, give your APK Signing key MD5 to protect unauthorized accessIn Android app call GoogleAuthUtil.getToken() method passing scope argument value as audience:server:client_id:X.apps.googleusercontent.com(where X is client id of your web app)User will not be prompted as system looks your server client id and since you are in the same app it gives you the token. Send this token along with your api parameters In your backend verify Access token signature with google public keyFrom the token (JSON PayLoad) get field name audazp and emailVerify from AUD if it’s the same client id as of your appOptional verification with AZP and emailSample code http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
Simple API protection if you don’t want to use google play services
Encrypt string this will increase the time for understanding the codesEncrypt dbShare preference is also accessibleStore credentials only in encrypted formathttp://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html