G2 - Keit
Team members: ● Siyang Piao ● Peter Huang ● Bojun Jin ● Ivy Wang ● Jing Wang
App - WhoTouchedMyPhone
How it works:
1. Open the app and wait 30 seconds (in case you have something left to do before you leave).
2. Turn off the screen and leave.
3. If someone used your phone, the text will have changed when you open the app again.
We used the Android sensor framework for motion detection: the service keeps tracking the accelerometer on the X and Y axes.
Demo
Overview of Keit - Identifier Mangling
Overview of Keit - Method Extraction
Overview of Keit - Add a Shell
Based on the idea and demo code from a blog [1]:
- Put our APK file into a shell application
- Use the shell application to run our APK file
(Diagram: Our APK inside the Shell APK)
Process
(Diagram: Shell APK contains Lib, META-INF, res, classes.dex, …; Our APK -> Binary data -> Encrypt)
- Encrypt our APK file
- Put the encrypted data into the Dex file of the shell APK
- Dex shell tool: automate this process
Modified Dex file
(Diagram: Dex header fields Checksum, Signature, File_size, …; then the Unshell Dex code, the Original APK, and the Size of the original APK)
- Modify checksum, signature and file_size in the header of the Dex file
- Put the size of our APK file at the end of the Dex file
Run the application
1. Start the shell application
2. Get the data from the Dex file
3. Decrypt the binary data
4. Write the data into a temporary APK file
5. Dynamically load the application
6. Run our application
Keit: Automated tool
Automate the process
Evaluation of Keit
✖ Protects the actual code from decompilers
(Screenshots: Before / After)
Evaluation Cont.
Performance     Before vs After
Functions       Same.
Initializing    Slower by approx. 1 s.
Installation    No significant difference. ➔ Size increased by 1 MB.
Limitation
✖ API version restriction.
✖ An Application class must exist.
✖ Source code required.
Improvement
✖ Extract source code automatically
✖ Include white noise
✖ Encrypt AndroidManifest.xml
Comparison
Obfuscation Tool     Source Code   Dalvik Bytecode   APK Binary Code
ProGuard
DexGuard
Allatori
Dalvik-Obfuscator
APKfuscator
Keit
Comparison Cont.
- String encryption, junk byte insertion, self-modifying native code, …
- Merge method, encapsulate field, …
- Dalvik bytecode encryption with an interpreter
Reverse Engineering
Questions? ✖ Thanks for your attention =)