8,848 views

Reverse engineering android apps

This document discusses ways to secure Android applications against threats such as unauthorized code access and malware. It covers tools for code protection, including ProGuard and DexGuard, as well as methods for disassembling apps and implementing API protections. The author emphasizes that while various techniques can enhance security, no method is entirely foolproof.

Technology◦

Reverse engineering android apps

1.
Securing Your AndroidApps By Pranay Airan @pranayairan
2.
Pranay Airan Web application developer @Intuit Android Developer by choice  Assistant organizer Blrdroid @pranayairan
3.
Current Threats Code Protection Tools Code Analysis Tools Android App Build Process How to disassemble Different protection techniques
4.
Current Threats Stealing App Stealing App Unauthorized Code Assets API Access Stealing App Repackaging Malwares DB and selling and viruses Piracy
5.
Code Protectors Progaurd Dexgaurd Java obfuscators
6.
Code Analysis Tools Dex2jar Smali IDA Pro Dexdump
7.
Android Application Build Process Java .java files .class files Compiler Obfuscator Jar .so Dx tool resource Signer files Obfuscator .apk files APK Builder .dex files Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
8.
Reverse Engineering AnApp
9.
Use this methods This can be used on Federal Offence ethically your apps
10.
Lets disassemble App on phone Apk Extractor .apk files Extract APK Images DB AAPT Readable resource .dex files Manifest asset XML etc dex -> class (dex2jar) .class files Class -> java Java files
11.
Code Protection Obfuscation Shrinker Optimization Progaurd Using Progaurd in Android
12.
Reversed APK withProgaurd
13.
Reversed APK withDexgaurd
14.
Other Techniques junk byte insertion Dynamic Code loading Self Modifying code Obfuscation at dex level Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
15.
API Protection Google Play Service Token + Your Verify Google Client id Your Token Authutil Parameters Backend Fields Access Token Verify Token Signature Google audience:server:client_id:9414861317621.apps.googleusercontent.com
16.
API Protection Hiding url& Use HTTPS parameters (self signed will work) Use time & Use User encoding in Agent parameters Identifier
17.
DB Protection Hash yourdata 3rd Party DB encryption like SQLCipher String Encryption
18.
To Sum Up Nothingis full proof Don’t give away your code just like that Use progaurd to protect your code Use Google Api Verification for Sensitive backend calls
19.
Questions ??
20.
Thank You Pranay.airan@iiitb.net @pranayairan http://goo.gl/okiJp
21.
Useful Links • http://www.honeynet.org/downloads/Android.tar.gz •http://proguard.sourceforge.net/index.html#manual/examples. html • http://code.google.com/p/dex2jar/ • http://code.google.com/p/android-apktool/ • http://android-developers.blogspot.in/2013/01/verifying-back- end-calls-from-android.html • http://sqlcipher.net/sqlcipher-for-android/

Editor's Notes

#5 Piracy is being address by google play licensing services but not that effective to stop piracyStealing you IP/Code
#6 Progaurd is free and comes bundle with android SDKDexgaurd by same author of progaurdAllatori is paid
#7 All Free tool except IDA PROAPK Tool internally uses SmaliAndroid Guard is python based tool with GUI which internally uses dex2gaurd smalietcIt works only on linux, difficult to install, A VM with fully configured android guard is available on http://www.honeynet.org/downloads/Android.tar.gz
#8 AAPT (Android application packaging tool) converts resources reference into R.Java and compiled resources (Manifest)Java Compiler takes, R.java, Application Source code and java interfaces to generate class fileDx tool takes this .class files and 3rd party libraries and .class files to convert into dex files.so = System Objectshttp://developer.android.com/tools/building/index.html#detailed-build
#9 Lets Reverse engineer an android app
#10 Federal offence in some countriesUse this tools for securing your own apps
#11 ReadSmali when de-compilation fails (Dex to smali)Multiple methods to extract APK1 pulling from device – Connect USB-Cable– Use ADB (Android Debug Bridge) from SDK– No Google Play on emulator (AVD)2. Directly downloading via googleplaypythonapi from Google Play– Configured Google Account with connected https://github.com/egirault/googleplay-apiAndroid ID3. Download from Web– Alternative source– Capture transfer to
#12 Progaurd is simple protection tool available in android SDKIt not only acts as obfuscator but it is also a Shrinker and optimizer You can reduce size of your APK with progaurd.It is free to use and effectiveNo String encryption and advance obfuscation techniquesProgaurd can be configured to run in android during build process when you generate APKLets see how we can enable progaurd
#13 Lets see a sample APK With progaurd enabled
#14 Commercial tool by creator of progaurdAll features of progaurdAdvance obfuscation techniques with String encryption api hiding tamper detection etcLets see a apk obfuscated with dexgaurd
#15 Other techniques to protect your Android App Code
#16 New method for verifying backend calls by google play serviceVery easy to integrate works on all phones running google play services with android 2.2 and aboveNo prompting for asking anything with user runs in background Register your android app in googleapi console make client id for web application and one for android application, give your APK Signing key MD5 to protect unauthorized accessIn Android app call GoogleAuthUtil.getToken() method passing scope argument value as audience:server:client_id:X.apps.googleusercontent.com(where X is client id of your web app)User will not be prompted as system looks your server client id and since you are in the same app it gives you the token. Send this token along with your api parameters In your backend verify Access token signature with google public keyFrom the token (JSON PayLoad) get field name audazp and emailVerify from AUD if it’s the same client id as of your appOptional verification with AZP and emailSample code http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
#17 Simple API protection if you don’t want to use google play services
#18 Encrypt string this will increase the time for understanding the codesEncrypt dbShare preference is also accessibleStore credentials only in encrypted formathttp://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html

Reverse engineering android apps

1.
Securing Your AndroidApps By Pranay Airan @pranayairan
2.
Pranay Airan Web application developer @Intuit Android Developer by choice  Assistant organizer Blrdroid @pranayairan
3.
Current Threats Code Protection Tools Code Analysis Tools Android App Build Process How to disassemble Different protection techniques
4.
Current Threats Stealing App Stealing App Unauthorized Code Assets API Access Stealing App Repackaging Malwares DB and selling and viruses Piracy
5.
Code Protectors Progaurd Dexgaurd Java obfuscators
6.
Code Analysis Tools Dex2jar Smali IDA Pro Dexdump
7.
Android Application Build Process Java .java files .class files Compiler Obfuscator Jar .so Dx tool resource Signer files Obfuscator .apk files APK Builder .dex files Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
8.
Reverse Engineering AnApp
9.
Use this methods This can be used on Federal Offence ethically your apps
10.
Lets disassemble App on phone Apk Extractor .apk files Extract APK Images DB AAPT Readable resource .dex files Manifest asset XML etc dex -> class (dex2jar) .class files Class -> java Java files
11.
Code Protection Obfuscation Shrinker Optimization Progaurd Using Progaurd in Android
12.
Reversed APK withProgaurd
13.
Reversed APK withDexgaurd
14.
Other Techniques junk byte insertion Dynamic Code loading Self Modifying code Obfuscation at dex level Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
15.
API Protection Google Play Service Token + Your Verify Google Client id Your Token Authutil Parameters Backend Fields Access Token Verify Token Signature Google audience:server:client_id:9414861317621.apps.googleusercontent.com
16.
API Protection Hiding url& Use HTTPS parameters (self signed will work) Use time & Use User encoding in Agent parameters Identifier
17.
DB Protection Hash yourdata 3rd Party DB encryption like SQLCipher String Encryption
18.
To Sum Up Nothingis full proof Don’t give away your code just like that Use progaurd to protect your code Use Google Api Verification for Sensitive backend calls
19.
Questions ??
20.
Thank You Pranay.airan@iiitb.net @pranayairan http://goo.gl/okiJp
21.
Useful Links • http://www.honeynet.org/downloads/Android.tar.gz •http://proguard.sourceforge.net/index.html#manual/examples. html • http://code.google.com/p/dex2jar/ • http://code.google.com/p/android-apktool/ • http://android-developers.blogspot.in/2013/01/verifying-back- end-calls-from-android.html • http://sqlcipher.net/sqlcipher-for-android/

Editor's Notes

#5 Piracy is being address by google play licensing services but not that effective to stop piracyStealing you IP/Code
#6 Progaurd is free and comes bundle with android SDKDexgaurd by same author of progaurdAllatori is paid
#7 All Free tool except IDA PROAPK Tool internally uses SmaliAndroid Guard is python based tool with GUI which internally uses dex2gaurd smalietcIt works only on linux, difficult to install, A VM with fully configured android guard is available on http://www.honeynet.org/downloads/Android.tar.gz
#8 AAPT (Android application packaging tool) converts resources reference into R.Java and compiled resources (Manifest)Java Compiler takes, R.java, Application Source code and java interfaces to generate class fileDx tool takes this .class files and 3rd party libraries and .class files to convert into dex files.so = System Objectshttp://developer.android.com/tools/building/index.html#detailed-build
#9 Lets Reverse engineer an android app
#10 Federal offence in some countriesUse this tools for securing your own apps
#11 ReadSmali when de-compilation fails (Dex to smali)Multiple methods to extract APK1 pulling from device – Connect USB-Cable– Use ADB (Android Debug Bridge) from SDK– No Google Play on emulator (AVD)2. Directly downloading via googleplaypythonapi from Google Play– Configured Google Account with connected https://github.com/egirault/googleplay-apiAndroid ID3. Download from Web– Alternative source– Capture transfer to
#12 Progaurd is simple protection tool available in android SDKIt not only acts as obfuscator but it is also a Shrinker and optimizer You can reduce size of your APK with progaurd.It is free to use and effectiveNo String encryption and advance obfuscation techniquesProgaurd can be configured to run in android during build process when you generate APKLets see how we can enable progaurd
#13 Lets see a sample APK With progaurd enabled
#14 Commercial tool by creator of progaurdAll features of progaurdAdvance obfuscation techniques with String encryption api hiding tamper detection etcLets see a apk obfuscated with dexgaurd
#15 Other techniques to protect your Android App Code
#16 New method for verifying backend calls by google play serviceVery easy to integrate works on all phones running google play services with android 2.2 and aboveNo prompting for asking anything with user runs in background Register your android app in googleapi console make client id for web application and one for android application, give your APK Signing key MD5 to protect unauthorized accessIn Android app call GoogleAuthUtil.getToken() method passing scope argument value as audience:server:client_id:X.apps.googleusercontent.com(where X is client id of your web app)User will not be prompted as system looks your server client id and since you are in the same app it gives you the token. Send this token along with your api parameters In your backend verify Access token signature with google public keyFrom the token (JSON PayLoad) get field name audazp and emailVerify from AUD if it’s the same client id as of your appOptional verification with AZP and emailSample code http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
#17 Simple API protection if you don’t want to use google play services
#18 Encrypt string this will increase the time for understanding the codesEncrypt dbShare preference is also accessibleStore credentials only in encrypted formathttp://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html

Reverse engineering android apps

Reverse engineering android apps

Editor's Notes

More Related Content

What's hot

Viewers also liked

Similar to Reverse engineering android apps

Recently uploaded

Reverse engineering android apps

Editor's Notes