380 likes | 393 Vues
Learn about decompiling Android apps, why it is important, the risks associated with decompiling Java and .Net apps, and how to protect your code.
E N D
Decompiling Android Godfrey Nolan 1DevDay 11/5/11
Intro • What is a Decompiler? • Why Android? • Decompilers • Protect Yourself • Raising the Bar
What is a Decompiler • Reverse Engineers apps into source code • Many languages can be decompiled • Java, C#, VB.Net., Visual Basic • Others can only be disassembled • C, C++, Objective-C • Java and .Net particularly at risk • Because of JVM and CLR design • Why use decompilers? • Curiosity, Hacking, Learning, Fair Use
Why Java • Exploits JVM Design • Originally interpreted not compiled • Lots more symbolic information than binaries • Data and method separation • Simple classfilestructure • Very few opcodes
Why Java Classfile { int magic, short minor_version, short major_version, short constant_pool_count, cp_infoconstant_pool[constant_pool_count], short access_flags, short this_class, short super_class, short interfaces_count, interface_info interfaces[interfaces_count], short fields_count, field_info fields[field_count], short methods_count, method_info methods[methods_count], short attribute_count, attr_info attributes[attributes_count] }
Why Android • Client side code • Easy access to apk’s • Download apk to sd card using Astro File Mgr • Download from xdadevelopers forum • Download using ‘adb pull’ on jailbroken phone • Nobody is using obfuscation • 1 out of 20 apks downloaded were protected • Easy to convert apk to Java to decompile
Why Android • java –jar dex2jar.jar com.riis.mobile.apk • jd-gui com.riis.mobile.apk.dex2jar
Why Android • Dex file • Different structure • Different opcodes • Register based not stack based • Multiple JVMs on device
Why not iPhone? • Objective-C • Compiled not interpreted • Much less information • Fat binaries approach • Can still be disassembled • strings and otoolunix commands • Other tools like IDA Pro
Why Android • Jailbreak/Root phone • Use Z4Root • Uses RageAgainstTheCage Trojan exploit • Not available on Android Marketplace ;-) • Using Android SDK platform tools • Turn on USB debugging • Find apk using adb shell • Download using adb pull
Why Android • Even easier is the apk-tool • Install APK-tool • Download apk • Right click
Decompilers • Jive • Mocha • JAD • SourceAgain • JD-GUI
Possible Exploits • Web ServiceAPI keys exposed • Database logins • Credit Card information • Fake apps
Possible Exploits publicstaticfinal String USER_NAME = "BC7E9322-0B6B-4C28B4"; publicstaticfinal String PASSWORD = "waZawuzefrabru96ebeb";
Protect Yourself • Protect code before releasing • Hard to recover once it’s been made available • Obfuscators • ProGuard • DashO • Native Code • Use C++ and JNI • 99.99% of Android devices run on ARM processor • Use digital signature checking to protect lib
Protect Yourself • ProGuard: • Detects and removes unused classes, fields, methods, and attributes. • Optimizes bytecode and removes unused instructions. • Renames remaining classes, fields, and methods using short meaningless names. • Preverifies the processed code for Java. • Enable in default.properties files • proguard.config=proguard.cfg
Protect Yourself • DashO (basic): • Improvement over ProGuard's naming by using strange characters and heavily reusing the same names at different scopes. • Does much more involved control flow obfuscation than ProGuard, reordering code operations to make them very difficult to understand and often breaking decompilers. • Supports string encryption to render important string data unreadable to attackers.
Protect Yourself • DashO (advanced): • Supports tamper detection, handling, and reporting to prevent users from changing the compiled code, even while debugging, and to alert you if it happens. • Can automatically inject Preemptive's Runtime Intelligence functionality for remote error reporting.
Protect Yourself • DashO demo
Protect Yourself – JNI jstringJava_com_getPassword(JNIEnv* env, jobject thiz) { char *password = “waZawuzefrabru96ebeb”; return(*env)->NewStringUTF(env, password); }
Links • http://viralpatel.net/blogs/2009/01/tutorial-java-class-file-format-revealed.html • http://code.google.com/p/z4root/ • http://code.google.com/p/android-apktool/ • http://www.dalvikvm.com/
Raising the Bar • APK’s are available • Tools are easy to use • Turn on ProGuard • Investigate other obfuscators • Hide keys using JNI • Don’t put sensitive information unencrypted in APKs
SPAM #2 • RIIS LLC • Southfield, MI • Clients • Fandango • DTE • Comerica • BCBSM • Mobile Development • DTE Outage Maps • Broadsoft Front Office Assistant • Contact Information • godfrey@riis.com