SlideShare une entreprise Scribd logo

Cracking the Mobile Application Code

Télécharger en tant que PPTX, PDF
c0c0n - International Cyber Security and Policing Conference
c0c0n - International Cyber Security and Policing Conference

Cracking the Mobile Application Code by Sreenarayan A. at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html

Technologie
1  sur  24
Cracking the Mobile Application Code - Sreenarayan A Paladion Mobile Security Team
Take Away for the day • Purpose of Decompiling Mobile Applications • Methodology of Decompilation • Live Demo’s: – Android App – iOS (iPhone / iPad App) – Blackberry Apps / Nokia App
Why is security relevant for Mobile Platform? • 400% Increase in the number for Organizations Developing Mobile Platform based applications. • 300% Increase in the no of Mobile Banking Applications. • 500% Increase in the number of people using the Mobile Phones for their day to day transactions. • 82% Chances of end users not using their Mobile Phones with proper caution. • 79% Chances of Mobile Phone users Jail Breaking their Phones. • 65% Chances of Mobile Phone users not installing Anti-virus on their Mobile Phones. • 71% Chances of any application to get misused. • 57% Chances of a user losing his sensitive credentials to a hacker.
Market Statistics of Mobile Users
Mobile Market Trends
Different Types of Mobile Applications • WAP Mobile Applications • Native Mobile Applications • Hybrid Mobile Applications
Different Types of Mobile Applications
Different Types of Mobile Architecture
Why did we learn the above types?? • Which applications can be Decompiled? – WAP Mobile Applications ? – Native Mobile Applications ? – Hybrid Mobile Applications ? • We have to get to know of the basics!
Cracking the Mobile Application Code
Cracking the Mobile Application Code •What do you mean by Reverse Engineering? •What do you mean by Decompilation? -> What is Compilation? Questions to be answered: •What are the goals/purpose of Cracking the code? •What is the methodology of Decompilation? •What the tools which can be used to Decompile? •Can Decompilation be done on all platforms? 1. ANDROID ? 2. iPHONE / iPAD ? 3. BLACKBERRY ? 4. NOKIA ?
Goal of cracking the Mobile Application Code
Goals of Cracking the Source Code •“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” •To find Treasure Key Words (password , keys , sql, algo, AES, DES, Base64, etc) •Figure out the Algorithms Used and their keys. •By-passing the client side checks by rebuilding the app. •E.g. Password in Banking Application (Sensitive Information) •E.g. Angry Birds Malware (Stealing Data) •E.g. Zitmo Malware (Sending SMS) •We have understood the goals, how to achieve them? Methodology.
Methodology of Cracking
Methodology / Study S1: Gaining access to the executable S2: Understanding the Technology used to code the application. S3: Finding out ways to derive the Object Code from the Executable. S4: Figuring out a way to derive the Class Files from the Object Code. S5: Figuring out a way to derive the Function Definitions from the Object Code
JUMP TO DEMO’s
Demo - Reverse Engineer the Android Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -Dex2jar -Jar Decompiler •Steps 1. .apk -> .dex 2. .dex -> .jar 3. .jar -> .java • Demo • Limitations
Demo - Reverse Engineer the iOS Application •Tools used: -iExplorer -Windows Explorer -oTool -Classdumpz •Steps 1. .app -> Garbage (Object Code) (DVM) 2. Object Code -> .Class • Demo • Limitations
Demo - Reverse Engineer the Blackberry Application •Tools used: -JD – GUI (Java Decompiler) -Notepad •There are two types of Application files found in Blackberry: 1. .Jar (.jad -> .jar) 2. .Cod (.jad -> .cod (Blackberry Code Files) •Steps 1. .jar -> .java (JD-GUI) Or 1. Notepad to open .cod (No luck!) • Demo • Limitation
Tip - Reverse Engineer the Windows Phone Application •Tools used: -.net decompiler -Visual Studio with Windows Phone SDK
Palisade Articles • iOS vs Android Testing • Mobile Data Encryption • Mobile Application Security Testing • Demystifying the Android • And … • Website link: palpapers.paladion.net
• Questions and Answers • Quiz • Feedback
Thank You Sreenarayan.india@gmail.com Sreenarayan.a@paladion.net Twitter: Ace_Sree

Recommandé

Mobile testing. Tips and Tricks
Mobile testing. Tips and TricksMobile testing. Tips and Tricks
Mobile testing. Tips and Tricks
Artem Pinchuk
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
Salesforce Developers
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Malware could steal data from i phones using siri
Malware could steal data from i phones using siriMalware could steal data from i phones using siri
Malware could steal data from i phones using siri
Edward Perea
 
Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android Aapplications
Roshan Thomas
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 

Recommandé

Mobile testing. Tips and Tricks
Mobile testing. Tips and TricksMobile testing. Tips and Tricks
Mobile testing. Tips and Tricks
Artem Pinchuk
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
Salesforce Developers
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Malware could steal data from i phones using siri
Malware could steal data from i phones using siriMalware could steal data from i phones using siri
Malware could steal data from i phones using siri
Edward Perea
 
Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android Aapplications
Roshan Thomas
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
Seguridad Apple
 
Team 3 status report#4
Team 3 status report#4Team 3 status report#4
Team 3 status report#4
Joaquim Jaime
 
iOS Developer Concept introduction
iOS Developer Concept introductioniOS Developer Concept introduction
iOS Developer Concept introduction
Banyapon Poolsawas
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionTech savvy seniors term 4 introduction
Tech savvy seniors term 4 introduction
Marni3Bridges
 
Introduction to Mobile Apps
Introduction to Mobile Apps Introduction to Mobile Apps
Introduction to Mobile Apps
Shahryar Khan
 
Ios forensics
Ios forensicsIos forensics
Ios forensics
Kamal Patel
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
Jason Ross
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
VodqaBLR
 
UI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & ExploitationUI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & Exploitation
c0c0n - International Cyber Security and Policing Conference
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The Basics
Websecurify
 
Leveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and OrderLeveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and Order
c0c0n - International Cyber Security and Policing Conference
 
Marine and Freshwater Ecology Revision
Marine and Freshwater Ecology RevisionMarine and Freshwater Ecology Revision
Marine and Freshwater Ecology Revision
anigvanderanal
 
OWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulationOWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulation
Pavan M
 
Hacker's jargons
Hacker's jargonsHacker's jargons
Hacker's jargons
Pavan M
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
Pavan M
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
c0c0n - International Cyber Security and Policing Conference
 
Cracking the mobile application code
Cracking the mobile application codeCracking the mobile application code
Cracking the mobile application code
Sreenarayan A
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
c0c0n - International Cyber Security and Policing Conference
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
Harsimran Walia
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
Petr Dvorak
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
apps4allru
 

Contenu connexe

Tendances

Team 3 status report#4
Team 3 status report#4Team 3 status report#4
Team 3 status report#4
Joaquim Jaime
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionTech savvy seniors term 4 introduction
Tech savvy seniors term 4 introduction
Marni3Bridges
 

Tendances (8)

iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
Team 3 status report#4
Team 3 status report#4Team 3 status report#4
Team 3 status report#4
 
iOS Developer Concept introduction
iOS Developer Concept introductioniOS Developer Concept introduction
iOS Developer Concept introduction
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionTech savvy seniors term 4 introduction
Tech savvy seniors term 4 introduction
 
Introduction to Mobile Apps
Introduction to Mobile Apps Introduction to Mobile Apps
Introduction to Mobile Apps
 
Ios forensics
Ios forensicsIos forensics
Ios forensics
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
 

En vedette

En vedette (8)

UI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & ExploitationUI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & Exploitation
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The Basics
 
Leveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and OrderLeveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and Order
 
Marine and Freshwater Ecology Revision
Marine and Freshwater Ecology RevisionMarine and Freshwater Ecology Revision
Marine and Freshwater Ecology Revision
 
OWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulationOWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulation
 
Hacker's jargons
Hacker's jargonsHacker's jargons
Hacker's jargons
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 

Similaire à Cracking the Mobile Application Code

Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
Harsimran Walia
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
apps4allru
 
Software quality and mobile apps
Software quality and mobile appsSoftware quality and mobile apps
Software quality and mobile apps
Prawesh Shrestha
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 

Similaire à Cracking the Mobile Application Code (20)

Cracking the mobile application code
Cracking the mobile application codeCracking the mobile application code
Cracking the mobile application code
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
 
Software quality and mobile apps
Software quality and mobile appsSoftware quality and mobile apps
Software quality and mobile apps
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love Android
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on Android
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 

Dernier

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 

Dernier (20)

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Cracking the Mobile Application Code

  • 1. Cracking the Mobile Application Code - Sreenarayan A Paladion Mobile Security Team
  • 2. Take Away for the day • Purpose of Decompiling Mobile Applications • Methodology of Decompilation • Live Demo’s: – Android App – iOS (iPhone / iPad App) – Blackberry Apps / Nokia App
  • 3. Why is security relevant for Mobile Platform? • 400% Increase in the number for Organizations Developing Mobile Platform based applications. • 300% Increase in the no of Mobile Banking Applications. • 500% Increase in the number of people using the Mobile Phones for their day to day transactions. • 82% Chances of end users not using their Mobile Phones with proper caution. • 79% Chances of Mobile Phone users Jail Breaking their Phones. • 65% Chances of Mobile Phone users not installing Anti-virus on their Mobile Phones. • 71% Chances of any application to get misused. • 57% Chances of a user losing his sensitive credentials to a hacker.
  • 4. Market Statistics of Mobile Users
  • 6. Different Types of Mobile Applications • WAP Mobile Applications • Native Mobile Applications • Hybrid Mobile Applications
  • 7. Different Types of Mobile Applications
  • 8. Different Types of Mobile Architecture
  • 9.
  • 10. Why did we learn the above types?? • Which applications can be Decompiled? – WAP Mobile Applications ? – Native Mobile Applications ? – Hybrid Mobile Applications ? • We have to get to know of the basics!
  • 11. Cracking the Mobile Application Code
  • 12. Cracking the Mobile Application Code •What do you mean by Reverse Engineering? •What do you mean by Decompilation? -> What is Compilation? Questions to be answered: •What are the goals/purpose of Cracking the code? •What is the methodology of Decompilation? •What the tools which can be used to Decompile? •Can Decompilation be done on all platforms? 1. ANDROID ? 2. iPHONE / iPAD ? 3. BLACKBERRY ? 4. NOKIA ?
  • 13. Goal of cracking the Mobile Application Code
  • 14. Goals of Cracking the Source Code •“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” •To find Treasure Key Words (password , keys , sql, algo, AES, DES, Base64, etc) •Figure out the Algorithms Used and their keys. •By-passing the client side checks by rebuilding the app. •E.g. Password in Banking Application (Sensitive Information) •E.g. Angry Birds Malware (Stealing Data) •E.g. Zitmo Malware (Sending SMS) •We have understood the goals, how to achieve them? Methodology.
  • 16. Methodology / Study S1: Gaining access to the executable S2: Understanding the Technology used to code the application. S3: Finding out ways to derive the Object Code from the Executable. S4: Figuring out a way to derive the Class Files from the Object Code. S5: Figuring out a way to derive the Function Definitions from the Object Code
  • 18. Demo - Reverse Engineer the Android Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -Dex2jar -Jar Decompiler •Steps 1. .apk -> .dex 2. .dex -> .jar 3. .jar -> .java • Demo • Limitations
  • 19. Demo - Reverse Engineer the iOS Application •Tools used: -iExplorer -Windows Explorer -oTool -Classdumpz •Steps 1. .app -> Garbage (Object Code) (DVM) 2. Object Code -> .Class • Demo • Limitations
  • 20. Demo - Reverse Engineer the Blackberry Application •Tools used: -JD – GUI (Java Decompiler) -Notepad •There are two types of Application files found in Blackberry: 1. .Jar (.jad -> .jar) 2. .Cod (.jad -> .cod (Blackberry Code Files) •Steps 1. .jar -> .java (JD-GUI) Or 1. Notepad to open .cod (No luck!) • Demo • Limitation
  • 21. Tip - Reverse Engineer the Windows Phone Application •Tools used: -.net decompiler -Visual Studio with Windows Phone SDK
  • 22. Palisade Articles • iOS vs Android Testing • Mobile Data Encryption • Mobile Application Security Testing • Demystifying the Android • And … • Website link: palpapers.paladion.net
  • 23. • Questions and Answers • Quiz • Feedback