2014. 10. 8. Shinjo Park Thanks to Sungjae and Suwan.


Shinjo Park Thanks to Sungjae and Suwan

2 Mobile Apps under Attack
• State of security in the app economy
  – Mobile app hacking revealed

3 Agenda
• Android application reverse engineering
  – Decompiling APK file
  – Structural problems in application
• What to see and what to get
  – Static, dynamic analysis
  – Countermeasures
  – Details about obfuscation
• Real world examples
  – Raon Secure application and more

5 Android?
• Mobile operating system by Google
• Based on Linux kernel and Dalvik VM
• #1 popular mobile OS

6 Android Components
• Platform middleware, library, API in native code
• Android framework and system/user applications

7 Android Application
• Distributed in Google Play or 3rd-party store as APK (Android application package) format
  – Contains application binary and resources
• Variant of JAR (Java ARchive)/ZIP
• Self-signed by developer

8 Android Application (2)
• APK build process
• .dex file
  – Compiled Dalvik bytecode, smali analogous to “assembler”

9 Main Problem
• Easy distribution of repackaged app
• Self-signing
  – Any key will be accepted (on first install)
• Source code exposure
  – Decompiling DEX bytecode is easy
  – Easy analysis of control flows inside app
  – Easy manipulation of smali (disassembled Dalvik bytecode)

10 Android Application Repackaging
• Tampering app made easy
  – Decompile and modify DEX bytecode
  – Recompile and distribute malicious APK

11 Example: Bypassing Integrity Check
• Remove the routine to check integrity

12 Related Tools
• Android DEX to Java
  – dex2jar: apk -> jar
  – JAR decompiling tools: jad / jd-gui
• Android DEX to smali
  – Smali in Android is analogous to assembly on PC
  – apktool: apk -> smali
• Frequently used by both crackers and hackers

13 dex2jar
• Convert Dalvik bytecode to Java bytecode

14 jad / jd-gui
• Decompile Java bytecode to source code

15 Problems of jad / jd-gui
• Dalvik is not Java, so decompilation can fail

16 apktool
• Extract smali and resources of APK file
• smali: Dalvik (dis)assembler

17 Sample smali Code

    new-instance v0, Lcom/example/adbmobileversion/AdbConnection;
    invoke-direct {v0}, Lcom/example/adbmobileversion/AdbConnection;-><init>()V
    .line 93
    .local v0, newConn:Lcom/example/adbmobileversion/AdbConnection;
    iput-object p1, v0, Lcom/example/adbmobileversion/AdbConnection;->crypto:Lcom/example/adbmobileversion/AdbCrypto;
    .line 95
    iput-object p0, v0, Lcom/example/adbmobileversion/AdbConnection;->socket:Ljava/net/Socket;
    .line 96
    invoke-virtual {p0}, Ljava/net/Socket;->getInputStream()Ljava/io/InputStream;
    move-result-object v1
    iput-object v1, v0, Lcom/example/adbmobileversion/AdbConnection;->inputStream:Ljava/io/InputStream;
    .line 97
    invoke-virtual {p0}, Ljava/net/Socket;->getOutputStream()Ljava/io/OutputStream;

18 smali Code Syntax

    .class public Lcom/example/simmobileversion/SimConnection;   # Class name
    .super Ljava/lang/Object;                                    # Parent class name
    .source "SimConnection.java"
    .field private connected:Z                                   # Boolean variable declaration
    .field private connectionThread:Ljava/lang/Thread;           # Thread variable declaration
    .field private lastLocalId:I                                 # Integer variable declaration

    .method public connect()V
        .registers 3
        # General form: [instruction] {args} [package-type]->[function-name](arg-type)ret-type
        iget-object v0, p0, Lcom/example/simmobileversion/SimConnection;->outputStream:Ljava/io/OutputStream;
        invoke-static {}, Lcom/example/simmobileversion/SimProtocol;->generateConnect()[B
        move-result-object v1
        invoke-virtual {v0, v1}, Ljava/io/OutputStream;->write([B)V
        invoke-virtual {v0}, Ljava/io/OutputStream;->flush()V
    .end method                                                  # End of method

19 smali Code Syntax

    // Java code
    if (intVar == 1) intVar = 2; else intVar = 3;

    # smali code (v0 holds intVar)
    const/4 v1, 0x1
    if-ne v0, v1, :cond_0        # v0 not equal to v1
    const/4 v2, 0x2
    move v0, v2
    goto :goto_0
    :cond_0
    const/4 v2, 0x3
    move v0, v2
    :goto_0

    # Other considerations
    if-eq v0, v1, :cond_0        # v0 equals v1
    if-ge v0, v1, :cond_0        # v0 is greater than or equal to v1

20 Recompile Application

21 Sign APK File with SignAPK
• App installed to device

22 Repackaging Example
• T Silver Service by SK Telecom
  – Dial hacker’s number instead of 119
  – Send SMS messages to hacker instead of 119
  – Launch hacker’s website/apps in launcher

23 Finding Strings
• String constants are not modified by simple obfuscation
• Strong obfuscators modify strings
  – Fixed replacement of bytes
  – Dynamically decrypt string inside code

24 Found Target String

26 What to See on Apps
• Java/smali code filtered by search string
• Network packets
  – Capture using Wireshark and rogue AP
  – PC – Rogue AP – Android phone
  – HTTPS connection: mitmproxy, Paros, Burp Suite
  – Custom encryption: good luck!
• Debug messages
  – Android provides System.log API to collect logs
  – Android <=4.0 allows any app to read logs
  – Android >=4.1 requires root/PC adb connection

27 Code Analysis
• Get control flow, string information
  – Java Decompiler
  – baksmali (used by apktool)

28 Packet Capture
• Use capture tools on Android side
  – Some tools like tcpdump require rooting
• Build rogue AP and sniff
  – ARP spoofing, MITM attack
  – Content-modifying proxy

29 SSL Man-in-the-Middle
[diagram: two separate handshakes, client to proxy and proxy to server, each with Client Hello, Server Hello, Client Key Exchange, Server Key Exchange]

30 Requirements
• Access point
  – Connected via PC for black box analysis
  – Firmware modification possible
• SSLStrip
  – Python, Linux
• Paros
  – Java runtime, tested on Windows and Linux
  – Alternatives: Burp Suite, mitmproxy (

31 SSLStrip: ARP Spoofing
[diagram: phone, attacker machine and default gateway on the same network, with their MAC addresses]

32 SSLStrip: ARP Spoofing
[diagram: forged ARP reply announcing an address as 00:00:de:ad:be:ef]

33 SSLStrip: ARP Spoofing
[diagram: the phone’s traffic now flows via the attacker’s machine]
• Can see every packet

34 How SSLStrip Works

35 Paros
• Web proxy with content manipulation
• Free software

36 How Paros Works

37 Paros Setup
• Paros running on gateway
  – Windows or Linux
• Smartphone’s proxy set to Paros
  – Manual setting on Android
  – Traffic hijacking could be possible
• App analysis
  – All HTTP is inspectable via Paros
  – HTTPS without certificate check is also inspectable

38 Paros Application

39 Use Paros as Global Proxy

40 Fun: Upside-Down-Ternet

41 Will This Work?
• SSL without certificate validation
  – App developer must turn it off explicitly
  – Attacker can harvest all private information
• SSL with certificate validation
  – mitmproxy can generate certificates on-the-fly
  – If the root certificate is trusted (installed on the device), SSL could be hijacked
• Certificate pinning
  – Must modify the application to modify pinning
  – Most secure method to protect the connection

42 Logcat on Device
• Android <=4.0 allows arbitrary log access

43 Private Information on Debug Log
• Probably developers are too lazy
• Google recommends screening all logging API calls on Android before release
• Example of PIN code on debug log: PIN: syssec0!

44 Injecting Debug Code
• Insert debug code around interesting instructions in the application
  – Print private key, private information, etc.
• Problems
  – No automatic variable management: we must track free Dalvik registers
  – String literals are also counted as variables
  – Recommendation: write it as Android code, compile and convert to smali, inject the resulting code
• Native code is still a problem

45 Native Code Debugging
• Android apps may use native code
• Dynamic analysis of native code
  – No Dalvik VM is involved; a native debugger like GDB or IDA can be used

46 Developer’s Countermeasures
• Integrity check: bytecode/native code, resources
• Use secured network connections and do not deliberately degrade security
• Remove any log outputs before releasing
• Obfuscate code and resources to prevent script kiddies from analyzing

47 What Obfuscator Does
• Variable, class renaming
  – AnInterestingClass -> a, MySecretVariable -> b
• String encryption
  – GoToClass(“EE515”) -> a(sd(“RR494”))
• Entire class encryption
  – Encrypt important classes (license checking, In-App Billing, …)
• API hiding
  – Hide sensitive API using reflection

48 What Obfuscator Does
• Tamper detection
  – Check whether app is modified or not
  – Usually done by comparing hash with developer’s one
• Resource encryption
  – Encrypt resources like image, audio, text
• Native library obfuscation
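The tamper detection described on this slide and the integrity check listed under the developer's countermeasures, as one added example (not code from the lecture or from any obfuscator product): hash the signing certificate and the installed classes.dex and compare them with values fixed at release time. The expected hashes are parameters rather than constants, because the dex hash cannot be stored in classes.dex itself; where they come from (native library, server) is the developer's choice, and slide 11 shows the limit of any such check once the routine itself can be removed.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/** Tamper detection as the slide describes it: hash what is installed and compare with values fixed at release. */
public final class TamperCheck {
    static String hex(byte[] d) {
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** A repackaged APK is re-signed with the repackager's key (slide 9), so the signing certificate hash changes. */
    static boolean signerMatches(Context ctx, String expectedCertSha256Hex) throws Exception {
        // GET_SIGNATURES is the API of the era; newer Android offers GET_SIGNING_CERTIFICATES instead.
        PackageInfo info = ctx.getPackageManager().getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (Signature sig : info.signatures)                 // DER-encoded X.509 certificate per signer
            if (hex(md.digest(sig.toByteArray())).equals(expectedCertSha256Hex)) return true;
        return false;
    }

    /** Modified smali recompiles to a different classes.dex; hash the dex inside the installed APK. */
    static boolean dexMatches(Context ctx, String expectedDexSha256Hex) throws Exception {
        try (ZipFile apk = new ZipFile(ctx.getPackageCodePath())) {
            ZipEntry dex = apk.getEntry("classes.dex");
            if (dex == null) return false;
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            try (InputStream in = apk.getInputStream(dex)) {
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) > 0; ) md.update(buf, 0, n);
            }
            return hex(md.digest()).equals(expectedDexSha256Hex);
        }
    }

    /** Expected values must live outside classes.dex (native library or server); call early, e.g. in Application.onCreate(). */
    public static boolean isIntact(Context ctx, String certSha256Hex, String dexSha256Hex) {
        try { return signerMatches(ctx, certSha256Hex) && dexMatches(ctx, dexSha256Hex); }
        catch (Exception e) { return false; }
    }
}
```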

49 Android Obfuscator: ProGuard
• Provided by default in the Android SDK
• Renaming, optimization

50 Android Obfuscator: DexGuard
• Commercially available
• Custom methods, string encryption, API hiding

52 Android App Vulnerability Examples
• Naver Line
  – Update server problem: attacker can hijack update request and install malicious APK (fixed)
• Xiaomi MiTalk
  – Can steal friend list by SQL injection on content provider
• USIM-based mobile PKI
  – Can steal private information via logcat (partially fixed)
  – SSL proxy possible in some cases

53 Naver Line

54 Line Update Vulnerabilities
[diagram: the app requests service.xml from appdown.naver.com and receives it, then requests and receives the update files]

55 Xiaomi Mitalk

56 Xiaomi MiTalk SQL Injection
[diagram: the MiTalk content provider holds Chat, Buddy, Card #, Friend List and Messages data; another app that normally can’t access them gains access through SQL injection]
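The defensive side of the case above, as an added example (a hypothetical friend-list provider, not MiTalk's code): the provider fixes the table itself, whitelists projection columns, binds caller values as parameters and validates the selection, so the caller cannot reach data outside the intended rows. The authority and column names are placeholders.

```java
import android.content.ContentProvider;
import android.content.ContentUris;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical read-only friend-list provider: the query path is built so caller input is never spliced into SQL. */
public class FriendsProvider extends ContentProvider {
    static final String AUTHORITY = "com.example.friends";          // placeholder authority
    static final int FRIENDS = 1, FRIEND_BY_ID = 2;
    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    static final Map<String, String> COLUMNS = new HashMap<>();   // projection whitelist
    static {
        MATCHER.addURI(AUTHORITY, "friends", FRIENDS);
        MATCHER.addURI(AUTHORITY, "friends/#", FRIEND_BY_ID);     // '#' matches digits only
        for (String c : new String[] {"_id", "name", "status"}) COLUMNS.put(c, c);
    }
    private SQLiteDatabase db;   // in a real app, opened from a SQLiteOpenHelper in onCreate()

    @Override public boolean onCreate() { return true; }

    // Injectable form, shown for contrast and not used: caller text becomes part of the statement,
    // so a crafted 'selection' can pull rows from tables the caller was never granted.
    //   return db.rawQuery("SELECT * FROM friends WHERE " + selection, null);

    @Override
    public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("friends");          // table chosen by the provider, never by the caller
        qb.setProjectionMap(COLUMNS);     // column names outside the whitelist are rejected
        qb.setStrict(true);               // 'selection' must compile as a plain WHERE clause over this table
        switch (MATCHER.match(uri)) {
            case FRIEND_BY_ID: qb.appendWhere("_id = " + ContentUris.parseId(uri)); break; // a long, not text
            case FRIENDS: break;
            default: throw new IllegalArgumentException("unknown URI " + uri);
        }
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder); // args are bound, not concatenated
    }

    // Read-only provider: write operations are not exposed at all.
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.friend"; }
}
```

The provider should also be declared with `android:exported="false"` or guarded by a permission in the manifest, so that other apps never reach the query path in the first place.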

57 USIM-based Mobile PKI
• Consists of USIM applet and Android app
  – Further reading: Analyzing Security of Korean USIM-based PKI Certificate Service, WISA 2014
• baksmali gives an error on extraction

58 What?!
• Decompile results by baksmali/IDA
• Unusual decompile results

59 Key Inside Crypt
• Custom obfuscation method based on native library
  – Android loads an unencrypted bootstrap, whose memory region is read-only
  – Bootstrap calls a native function to grant read-write access to the application bytecode
  – Let’s start from this function

60 Opening the Real Crypt
• Native function to decrypt application: “Java_lh_bWhere_init”
• Follow control flow, assisted by decompiler (Hex-Rays)

61 Decryption Overview
• Dexcrypto, custom obfuscation method
[diagram: com.example.mobiletoken.apk contains classes.dex (initialization bootstrap plus an encrypted area) and libraries including libhi.so; the bootstrap loads the library and calls the decryption routine, producing the decrypted area]

62 How to Crack?
• Dump memory area after decryption
• Remove call to decryption
[same diagram as slide 61]

63 Cracking Method Summary
• Install and execute the application
• Get memory dump using IDA
  – Custom script to gather scattered bytecode
• Convert to regular DEX file
  – Optimization applied by Dalvik VM: references to system framework, JIT compilation, etc.
• Disassemble DEX to smali
• Modify application and repackage

64 Lecture Summary
• Android applications are easy to reverse engineer due to the use of bytecode
• Reverse engineering starts from collecting every trace of the application
• Applications can be protected by integrity checks, obfuscation, etc.
  – These can be easily circumvented!

65 Questions?