Reverse engineering is not just for hackers.key - Droidcon Berlin

Report 19 Downloads 294 Views

(Closed source library, e.g. ads + analytics). • “It's not my app, but crashes on my ... List contents of Zip-compatible archive. ..... Tool list a good starting point.

Reverse engineering is not just for hackers

+JonReeve @themightyjon

Why that permission?



“This notes app wants access to my contacts…”




“This photo-taking app wants to send SMS…”

Why is this crashing? •

“It’s my app, but that’s not my code!”
 (Closed source library, e.g. ads + analytics)



“It’s not my app, but crashes on my device!”
 (Device-specific variations, particularly custom ROMs)

How did they do that? •

Nifty-schwifty visual effect?



Some technical feat you thought “impossible”?
 e.g. good results from Camera API on Samsung



Too many libraries to choose from?
 See what everyone else went with!



Sure, write your own…
 But that doesn’t mean you can’t look at theirs first!

Get the APK •

From device, e.g.: $ adb shell pm list packages -f -3

… to list installed packages $ adb pull "$(adb shell pm path $1 | cut -d : -f 2 | tr -d ‘\015’)"

… to pull package $1 in one line (with root) •

Or from other sources, but be aware of TOS and malware…

aapt

aapt $ aapt
 Android Asset Packaging Tool
 




Usage:
 aapt l[ist] [-v] [-a] file.{zip,jar,apk}
 List contents of Zip-compatible archive.




aapt d[ump] [--values] [--include-meta-data] WHAT file.{apk} [asset [asset ...]]
 strings Print the contents of the resource table string pool in the APK.
 badging Print the label and icon for the app declared in APK.
 permissions Print the permissions from the APK.
 resources Print the resource table from the APK.
 configurations Print the configurations in the APK.
 xmltree Print the compiled xmls in the given assets.
 xmlstrings Print the strings of the given compiled xml assets. assets.




aapt p[ackage] [-d][-f][-m][-u][-v][-x][-z][-M AndroidManifest.xml] \
 ...






Package the android resources. It will read assets and resources that are
 supplied with the -M -A -S or raw-files-dir arguments. The -J -P -F and -R
 options control which files are output.
 aapt r[emove] [-v] file.{zip,jar,apk} file1 [file2 ...]
 Delete specified files from Zip-compatible archive.
 aapt a[dd] [-v] file.{zip,jar,apk} file1 [file2 ...]
 Add specified files to Zip-compatible archive.


aapt $ aapt
 Android Asset Packaging Tool
 




Usage:
 aapt l[ist] [-v] [-a] file.{zip,jar,apk}
 List contents of Zip-compatible archive.




aapt d[ump] [--values] [--include-meta-data] WHAT file.{apk} [asset [asset ...]]
 strings Print the contents of the resource table string pool in the APK.
 badging Print the label and icon for the app declared in APK.
 permissions Print the permissions from the APK.
 resources Print the resource table from the APK.
 configurations Print the configurations in the APK.
 xmltree Print the compiled xmls in the given assets.
 xmlstrings Print the strings of the given compiled xml assets. assets.




aapt p[ackage] [-d][-f][-m][-u][-v][-x][-z][-M AndroidManifest.xml] \
 ...






Package the android resources. It will read assets and resources that are
 supplied with the -M -A -S or raw-files-dir arguments. The -J -P -F and -R
 options control which files are output.
 aapt r[emove] [-v] file.{zip,jar,apk} file1 [file2 ...]
 Delete specified files from Zip-compatible archive.
 aapt a[dd] [-v] file.{zip,jar,apk} file1 [file2 ...]
 Add specified files to Zip-compatible archive.


aapt General APK info: $ aapt dump badging Mysterious.apk

Any interesting strings? $ aapt dump strings Mysterious.apk

View a binary XML file: $ aapt dump xmltree Mysterious.apk AndroidManifest.xml

The APK assets/ raw files, anything, even dynamically loaded code lib/ native code libraries META-INF/ Certificate, signature and file hashes, to verify origin and integrity. res/ Non-compiled resources AndroidManifest.xml Binary XML version of manifest classes.dex Dalvik Executable - All the classes for the Dalvik VM resources.arsc Compiled resources * (other)

basic tools

basic tools #!/bin/bash
 unzip -d zip-out "$1"
 java -jar AXMLPrinter2.jar zip-out/AndroidManifest.xml > AndroidManifest.xml
 /opt/dex2jar-0.0.9.15/d2j-dex2jar.sh “$1" # creates “${1%.apk}-dex2jar.jar”
 mkdir cfr-extracted && /opt/cfr/cfr.sh “${1%.apk}-dex2jar.jar” --outputdir java-out
 java -jar /opt/smali/baksmali-2.0.6.jar -o smali-out zip-out/classes.dex zip-out/classes.dex


basic tools #!/bin/bash
 unzip -d zip-out "$1"
 java -jar AXMLPrinter2.jar zip-out/AndroidManifest.xml > AndroidManifest.xml
 /opt/dex2jar-0.0.9.15/d2j-dex2jar.sh “$1" # creates “${1%.apk}-dex2jar.jar”
 mkdir cfr-extracted && /opt/cfr/cfr.sh “${1%.apk}-dex2jar.jar” --outputdir java-out
 java -jar /opt/smali/baksmali-2.0.6.jar -o smali-out zip-out/classes.dex


apktool

apktool

apktool https://ibotpeaches.github.io/Apktool/ 
$ apktool d target.apk target.apk
 I: Using Apktool 2.0.0-RC4 on target.apk
 I: Loading resource table...
 I: Decoding AndroidManifest.xml with resources...
 I: Loading resource table from file: /[…]/apktool/framework/1.apk
 I: Regular manifest package...
 I: Decoding file-resources...
 I: Decoding values */* XMLs...
 I: Baksmaling classes.dex...
 I: Copying assets and libs...
 I: Copying unknown files...
 I: Copying original files. files..

apktool https://ibotpeaches.github.io/Apktool/ 
$ apktool d target.apk target.apk
 I: Using Apktool 2.0.0-RC4 on target.apk
 I: Loading resource table...
 I: Decoding AndroidManifest.xml with resources...
 I: Loading resource table from file: /[…]/apktool/framework/1.apk
 I: Regular manifest package...
 I: Decoding file-resources...
 I: Decoding values */* XMLs...
 I: Baksmaling classes.dex...
 I: Copying assets and libs...
 I: Copying unknown files...
 I: Copying original files. files..

apktool “How was that done?”

apktool “How was that done?”

apktool “Why is this crashing?” / “I wish I could debug this!” Rebuild for debug: $ apktool d -d -o SomeApp SomeApp.apk
 


...
 


$ apktool b -d SomeApp
 


...
 


$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore release-key.keystore SomeApp.apk release_key_alias_name

… install, run, and a debugger can be attached.
 (use smali dir as source dir on a new project)

androguard

androguard

androguard https://github.com/androguard/androguard •

Python-based, collection of useful tools



Modular, pluggable and embeddable



Interactive, ipython shell (androlyze.py)



Includes DAD Dalvik decompiler



Site != active, but project is!

androguard https://github.com/androguard/androguard $ python androlyze.py -s Androlyze version 3.0
 In [1]: a, d, dx = AnalyzeAPK(“/Users/jon/Desktop/target.apk") In [2]: a, d, dx Out [2]:
 (,
 ,
 )
 


In [3]: a.get_main_activity() Out [3]: u'com.example.app.ui.MainHomeActivity'
 


In [4]: d.CLASS_Lcom_example_app_ui_MainHomeActivity.source()

more at https://code.google.com/p/androguard/wiki/RE

androguard “Why does it need that permission?” In [5]: show_Permissions?
 Signature: show_Permissions(dx)
 Docstring:
 Show where permissions are used in a specific application
 :param dx : the analysis virtual machine
 :type dx: a :class:`VMAnalysis` object
 File: /opt/androguard-2.0/androguard/core/analysis/analysis.py
 Type: function In [6]: show_Permissions(dx)
 android.permission.READ_CONTACTS :
 R ['Landroid/provider/ContactsContract;', 'AUTHORITY_URI', 'Landroid/net/Uri;'] (0x0) ---> Lcom/android/ex/chips/BaseRecipientAdapter$DirectoryListQuery;->()V
 R ['Landroid/provider/ContactsContract$CommonDataKinds$Email;', 'CONTENT_FILTER_URI', 'Landroid/net/Uri;'] (0x118) ---> Lcom/android/ex/chips/Queries;->()V
 R ['Landroid/provider/ContactsContract$CommonDataKinds$Phone;', 'CONTENT_FILTER_URI', 'Landroid/net/Uri;'] (0x88) ---> Lcom/android/ex/chips/Queries;->()V
 R ['Landroid/provider/ContactsContract$CommonDataKinds$Email;', 'CONTENT_URI', 'Landroid/net/ Uri;'] (0x11c) ---> Lcom/android/ex/chips/Queries;->()V
 R ['Landroid/provider/ContactsContract$CommonDataKinds$Phone;', 'CONTENT_URI', 'Landroid/net/ Uri;'] (0x8c) ---> Lcom/android/ex/chips/Queries;->()V

other tools

ClassyShark https://github.com/google/android-classyshark



GUI and CLI



Easy to browse, check basics



Dex method counts, package structure, size



Opens .dex, .aar, .so, .apk, .jar, .class, etc…

CodeInspect http://sseblog.ec-spride.de/2014/12/codeinspect/ •

“Jimple”, not “Jasmin”



“Soot” static analysis framework



Debug app, run-time analysis



Navigate + rename fields, methods



Based on Eclipse RCP :(



Alpha, access by invitation

IDA Pro https://www.hex-rays.com/products/ida/



“The Interactive Disassembler”



Incredibly full-featured disassembler + debugger with long history for other architectures.



Supports Dalvik since 6.1



Commercial, not cheap!

JEB / JEB2 https://www.pnfsoftware.com/



Dalvik -> Java source decompiler



Interactive decompilation - navigate, rename, etc.



Debuggers for Dalvik & native



Commercial, subscription

radare2 http://www.radare.org/r/



Scriptable hex editor evolved into reverse engineering framework



Supports multiple architectures



Open source



Portable - on device as well as PC (on Play Store)

Other Play Store Apps •

JaDX - old, super ugly, but still…



“Show Java” - can use above, or CFR



Dexplorer - simple asset browsing, class structure

Santoku https://santoku-linux.com/features/



Bootable Lubuntu-based Linux environment



Tools pre-installed and set up



Tool list a good starting point

Security “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.”
 


- Eugene H. Spafford

Security •

What should be secret, and how important is it?



Important? Keep it out of the app!



Protection effort vs reversing ease



Obfuscation + minification at least?



dexguard ($), SQLCipher (free), more if needed



Reverse your own apps!

Compromised Obfuscation •

“keep”-ing things keeps their whole path



Group public things in totally different package structure to avoid this



LOOK at obfuscation results

Further Info •

Android Hacker’s Handbook (find it on Amazon)



CodeInspect:
 Dismantling Droids for Breakfast @ Droidcon Berlin 2015



O&D Android Reverse Engineering @ DEFCON23



Reversing with androguard

Thanks!

Slides
 https://goo.gl/Cy96UO

+JonReeve @themightyjon

Recommend Documents
Jun 16, 2016 - 60% of shop traffic came from mobile. • 10M+ downloads Android app ... https://medium.com/google-developers/instant-run-how-does-it-work.

So why a talk at Droidcon? 14. Page 15. 15. Why Not!!! Page 16. MESH in Berlin!!! Yes, no joke. Checkout https://berlin.freifunk.net/index_en/ A mesh network for ...

Mar 11, 2007 - Outline. ○ What is Reverse Engineering. ○ UML sequence diagram & Static analysis ... Actual behavior of the software (run-time behavior).

Jun 17, 2016 - Offline-First Apps for an Always-on UX ... Native App - CloudantSync ... compile 'com.cloudant:cloudant-sync-datastore-android:latest.release'.

category names themselves play in the learning of categories. Learning that ..... label condition, F(3, 60) 5 3.79, p < .05, but not among subjects who were not ...

gious charities count as religious organizations and thus have the freedom to select employees based on religion. In these and similar cases, much depends on how religious ... 8. 2. Ibid., p. 22. 3. Comments submitted by Office of the General Counsel

Why women snore too. Ifyou keep your ... coats the walls of the trachea to stop it vibrating. Teresa Hale of ... as well as one too many alcopops. Researchers at ...

:H UHDOL]H WKLV LV TXLWH D FKDQJH DQG WKH QHZ WLPH PD\ QRW. ZRUN IRU HYHU\ERG\ EXW ZH DUH KRSLQJ WKDW LW ZLOO RSHQ XS.

grid. Using PyDBG1, launch winmine and print out its playing grid every time it is initialized/setup. ... mented correctly, you should be able to extract plain text data before it is encrypted and sent over the ... Can you locate where the HTTP heade

address of the VMWare virtual machine on fuzz target. Then by pinging ... Within the labs, we shall run be running WarFTP on the same ma- chine as the client, ...