Reverse Engineering Obfuscated Android Applications

Slides:



Advertisements
Similar presentations
Introduction.  Professor  Adam Porter 
Advertisements

Android architecture overview
Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.
Northwestern University, IL, US,
Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Informatica: Scienza e Ingegneria Università di Bologna.
Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.
DECOMPILING ANDROID Godfrey Nolan 1DevDay 11/5/11.
Presented by IBM developer Works ibm.com/developerworks/ 2006 January – April © 2006 IBM Corporation. Making the most of Creating Eclipse plug-ins.
Wangjun Hong, Zhengyang Qu, Northwestern University, IL, US,
This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit
Asst.Prof.Dr.Ahmet Ünveren SPRING Computer Engineering Department Asst.Prof.Dr.Ahmet Ünveren SPRING Computer Engineering Department.
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
L EC. 01: J AVA FUNDAMENTALS Fall Java Programming.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Android Introduction Platform Overview.
One Root To Own Them All Black Hat US 2013 Jeff Bluebox 1.
Parts of a Computer Why Use Binary Numbers? Source Code - Assembly - Machine Code.
Introduction to Android Swapnil Pathak Advanced Malware Analysis Training Series.
Application Security Tom Chothia Computer Security, Lecture 14.
@2011 Mihail L. Sichitiu1 Android Introduction Platform Overview.
APKInspector -Static Analysis of Android Applications Student: Yuan Tian Mentor: Cong Zheng Backup Mentor: Anthony Kara Jianwei 08/22/2012.
Is Your Mobile App Secure. DEF CON 23 Wall of Sheep Sat
Copyright© Jeffrey Jongko, Ateneo de Manila University Android.
ANDROID Presented By Mastan Vali.SK. © artesis 2008 | 2 1. Introduction 2. Platform 3. Software development 4. Advantages Main topics.
Android for Java Developers Denver Java Users Group Jan 11, Mike
CS591x A very brief introduction to Java. Java Developed by Sun Microsystems was intended a language for embedded applications became a general purpose.
EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable.
Android Malware Ananto Dharmo Aji & RnD Team
Android Security Auditing Slides and projects at samsclass.info.
ANDROID BY:-AANCHAL MEHTA MNW-880-2K11. Introduction to Android Open software platform for mobile development A complete stack – OS, Middleware, Applications.
1 Java applications reverse engineering Antoni Bertel AUGUST 4, 2015.
Core Java Introduction Byju Veedu Ness Technologies httpdownload.oracle.com/javase/tutorial/getStarted/intro/definition.html.
Slides and projects at samsclass.info. Adding Trojans to Apps Slides and projects at samsclass.info.
Title of Presentation DD/MM/YYYY © 2015 Skycure Why Are Hackers Winning the Mobile Malware Battle.
© 2012 Pearson Education, Inc. All rights reserved types of Java programs Application – Stand-alone program (run without a web browser) – Relaxed.
Canh Le My  Motivation  Android app packing  How android execute your application  Available tools  Demonstration 2.
Lesson 1 1 LESSON 1 l Background information l Introduction to Java Introduction and a Taste of Java.
ITP 109 Week 2 Trina Gregory Introduction to Java.
Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Java.
 Group 6 Project Presentation. Application Overview  The idea of the Android application is to use the Gale–Shapley algorithm that will match Medical.
G2 - Keit Team members: ●Siyang Piao ●Peter Huang ●Bojun Jin ●Ivy Wang ●Jing Wang.
Android. Android An Open Handset Alliance Project A software platform and operating system for mobile devices Based on the Linux kernel Developed by Google.
Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.
Introduction to Android Chapter 1 1. Objectives Understand what Android is Learn the differences between Java and Android Java Examine the Android project.
The Basics of Android App Development Sankarshan Mridha Satadal Sengupta.
Intro To Android Programming
Module 51 (Mobile Device Fundamentals - Android)
Mobile Hacking - Fundamentals
Android Mobile Application Development
INFO 448: Android Development
Lecture 2: Android Concepts
Android Development.
Cash Me Presented By Group 8 Kartik Patel, Aaron Zhong, Wen-Kai Chen,
Obtaining the Required Tools
Android Runtime – Dalvik VM
Android.
CASE STUDY 1: Linux and Android
Java programming lecture one
Programming Language Concepts (CIS 635)
CMPE419 Mobile Application Development
Mobile Handset Virtual Machine
CHAPTER 1 Introduction Chapter objectives: Understand what Android is
(Computer fundamental Lab)
Android Platform, Android App Basic Components
Lecture 2: Android Concepts
CMPE419 Mobile Application Development
Chapter 3 Software.
Plug-In Architecture Pattern
Presentation transcript:

Reverse Engineering Obfuscated Android Applications Tom Keetch, IntrinSec SSA Ltd. SteelCon – Sheffield – 4th July 2015

About Me Independent Software Security Consultant in London IntrinSec SSA Ltd. All forms of software security consultancy Process / SDLC Architecture / Design Review Code Review (white-box) Reverse Engineering / Penetration Testing (black-box) Interested in: reverse engineering, sandboxes/container/virtualization, low- level software, cryptographic protocols Contact: @tkeetch, tom@intrinsec.co.uk

Contents Introduction Android Reverse Engineering Tools Android Application Runtime Environment Android Reverse Engineering Tools Standard Tools & Techniques Reverse Engineering Obfuscated Applications More advanced material Conclusions

Reverse Engineering

Reverse Engineering The process of decomposition an object or system to discover it’s internal operation or construction. With software, we usually have a full description of the program in a machine readable form, but we want it in a human understandable form. Techniques fall into two main groups: Static Analysis Runtime Analysis The focus of this presentation is static analysis

Reverse Engineering Inputs Compiled object code Dynamic application behaviour Static Resources – configuration files etc. Associated systems e.g. server for a client Similar applications /systems Public Documentation / Standards Open source code (i.e. libraries, LGPL components) Patents Company Structure & History Mergers, Acquisitions, Licensing Deals Open Source Intelligence (i.e. LinkedIn, Leaked Documents)

Static vs. Dynamic Analysis Typically want to combine both approaches Sometimes static analysis is required first to: Remove anti-debugging functionality Bypass root/jailbreak detection Identify hidden functionality Disable certificate pinning Dynamic analysis can be faster if app is heavily obfuscated Dependent on the app, and what you want to find out Normally fastest way to identify attack surface

Reverse Engineering - Legality

I am not a lawyer!

Reverse Engineering – Legal Impediments End User License Agreements (EULAs) Anti-Circumvention Legislation (e.g. DMCA) Non-Disclosure Agreements (NDAs) Trade Secrets / Law of Confidence (UK) Copyright Future: Wassenar Arrangement (?!#?) Esp. Dual-use technologies. Computer Misuse Act (!) More Background: http://www.computing.co.uk/ctg/analysis/2373094/trade-secrets-and-reverse-engineering-the-legal-view

The Android Runtimes

Android Applications - Platforms ?????

Dalvik Runtime The original Android Runtime (Android 1.0, 2008) An application virtual machine similar to the JVM Just In Time compilation (JIT) of bytecode Optimised for mobile devices DEX (Dalvik Executable) => ODEX (Optimised DEX) ODEX files don’t need to be portable, so optimisations can be OS/device/platform specific.

ART New Android Runtime Previewed in KitKat (Android 4.4, 2013) Now default runtime in Lollipop (Android 5.0, 2014) Compiles DEX files to native ELF executables at install-time Uses Ahead Of Time (AOT) compilation Instead of Just In Time (JIT) compilation

DEX files are common to both the Dalvik and ART runtimes. Packaged in an APK Source: https://commons.wikimedia.org/wiki/File:ART_view.png

Let’s Reverse an Android App!

First we need an APK… Download from App Store 2) Copy from the device Web Application: http://apps.evozi.com/apk-downloader/ Firefox plugin: https://addons.mozilla.org/en-US/firefox/addon/apk-downloader/ Chrome plugin: https://chrome.google.com/webstore/detail/apk- downloader/cgihflhdpokeobcfimliamffejfnmfii 2) Copy from the device adb shell pm list packages adb pull “/data/apps/<package_name>.apk” 3) Download from a 3rd Party AppStore Not always a good idea…

Inside the APK An APK is just a ZIP archive, containing: /assets/ /lib/ /META-INF/ /res/ AndroidManifest.xml classes.dex resources.arsc

APK Analysis Process APK DEX Bytecode Smali Disassembly Java Source Code Understandable Code

Reversing an APK APK java –jar apktool.jar decode in.apk DEX Bytecode Smali Disassembly java –jar apktool.jar build in.apk Java Source Code Understandable Code

APK Analysis Tools – apktool & baksmali java –jar apktool.jar decode –s in.apk DEX Bytecode java –jar baksmali.jar classes.dex Smali Disassembly Java Source Code Understandable Code

APK Analysis Tools –smali & apktool DEX Bytecode java –jar apktool.jar build <app_path> Smali Disassembly java –jar smali.jar *.smali Java Source Code Understandable Code

APK Analysis Tools – dex2jar & jd-gui DEX Bytecode Windows: d2j-dex2jar.bat –o out.jar in.apk\classes.dex Linux: d2j-dex2jar.sh –o out.jar in.apk\classes.dex Java ARchive (JAR) JD-GUI – Java Decompiler Java Source Code Understandable Code

Reversing an APK – JEB Decompiler DEX Bytecode JEB Decompiler – a[n expensive] commercial tool Smali Disassembly Java Source Code Understandable Code

Detour: Modifying the APK Put the Android device in development mode. Alter the Smali code (not covered in this presentation) Assemble the modified code using smali Re-package the APK using apktool or Zip (depending on unpacking) Sign the APK package with jarsigner.jar Instructions: http://developer.android.com/tools/publishing/app- signing.html#signing-manually Use the keystore located at: <HOME>\.android\debug.keystore Keystore password “android” Install the new APK with adb: adb install modified.apk

Java Source Code? After running jd-gui or JEB, we will have Java Source code! It may be easily readable, or it could be ()BfuSc4t3d….

Overcoming Obfuscation

Obfuscated Java Code All classes, methods, variables renamed to single Unicode characters, “semantically meaningless names”…

It’s Not All Bad… Some code can’t be obfuscated: Primitive types Standard Java API calls Exported/Public APIs Code relying on Java Reflection

Identifying Classes (1) Object Class A Class B Class C

Identifying Classes (2) Object Service Class B Class C

Identifying Classes (3) Object ISerializable Class A Class B Class C

Identifying Classes (4) Object ISomeInterface IOtherInterface Class A Class B Class C

Android Manifest The manifest cannot be obfuscated It needs to be readable by Android OS Encoded in a Binary Format called Android XML (AXML) Decode contents using AXMLPrinter2.jar or aapt (from the SDK): java -jar AXMLPrinter2.jar .\in.apk\AndroidManifest.xml aapt dump xmltree in.apk AndroidManifest.xml

Android Manifest Contents Statically Registered Broadcast Receivers For notifications of system events, or broadcast messages Public/Private Activities Especially Browsable Activities Public/Private Content Providers Permissions Requested Permissions Custom Permissions Public/Private Services

Where to Start? Identify classes associated with application entry-points. For example: android.app.Activity android.content.BroadcastReciever android.content.ContentProvider android.content.Intent android.content.IntentFilter android.app.Service Other interesting functionality: References to the Cipher class, encryption classes, or large arrays Reflection API methods such as getMethod() and invoke()

Some Common Obfuscations Improve/retain Performance Degrade Performance Dead code removal Class/method/fields/variable renaming Remove logging code Peephole optimisations String encryption* Call-hiding with reflection* Resource/asset encryption Control flow obfuscation Junk code insertion Data Flow obfuscation

DexGuard String Encryption

ProGuard & DexGuard Proguard ships for free with the Android SDK DexGuard is a paid version by the same author

Example: DexGuard String Encryption public void LoadObfuscatedAsset() { … InputStream obfAsset = OsAppContext.getAssets().open( ObfuscatedAppConfig.Lookup( ObfuscatedAppConfig.LookupTable[12], 52, ObfuscatedAppConfig.LookupTable[67] - 1));

ObfuscatedAppConfig.Lookup Let’s reverse the ‘Lookup’ method used by the “configuration” class It takes 3 integers and returns a String. I’ve simplified the Java a little first We’ll go step by step through the reasoning Don’t worry about following the code, just the logic. We could just copy and paste the code to get the decrypted string.

private static String Lookup(int arg6, int arg7, int arg8) { int v3; int v2; arg7 = 62 - arg7; arg8 += 2; short[] Lookup = Deobfuscate.LookupTable; int v1 = 0; arg6 += 65; byte[] b = new byte[arg8]; --arg8; while(true){ ++arg7; b[i] = ((byte)arg6); if(v1 == arg8) { return new String(b); } else { ++v1; v2 = arg6; v3 = Lookup[arg7]; arg6 = v2 + v3 - 29;

private static String Lookup(int arg6, int arg7, int arg8) { int v3; int v2; arg7 = 62 - arg7; arg8 += 2; short[] Lookup = Deobfuscate.LookupTable; int v1 = 0; arg6 += 65; byte[] outBuffer = new byte[arg8]; --arg8; while(true){ ++arg7; outBuffer[i] = ((byte)arg6); if(v1 == arg8) { return new String(outBuffer); } else { ++v1; v2 = arg6; v3 = Lookup[arg7]; arg6 = v2 + v3 - 29;

private static String Lookup(int arg6, int arg7, int arg8) { int v3; int v2; arg7 = 62 - arg7; arg8 += 2; short[] Lookup = Deobfuscate.LookupTable; int i = 0; arg6 += 65; byte[] outBuffer = new byte[arg8]; --arg8; while(true){ ++arg7; outBuffer[i] = ((byte)arg6); if(i == arg8) { return new String(outBuffer); } else { ++i; v2 = arg6; v3 = Lookup[arg7]; arg6 = v2 + v3 - 29;

private static String Lookup(int arg6, int arg7, int len) { int v3; int v2; arg7 = 62 - arg7; len += 2; short[] Lookup = Deobfuscate.LookupTable; int i = 0; arg6 += 65; byte[] outBuffer = new byte[len]; --len; while(true){ ++arg7; outBuffer[i] = ((byte)arg6); if(i == len) { return new String(outBuffer); } else { ++i; v2 = arg6; v3 = Lookup[arg7]; arg6 = v2 + v3 - 29;

private static String Lookup(int char_val, int arg7, int len) { int v3; int v2; arg7 = 62 - arg7; len += 2; short[] Lookup = Deobfuscate.LookupTable; int i = 0; char_val += 65; byte[] outBuffer = new byte[len]; --len; while(true){ ++arg7; outBuffer[i] = ((byte)char_val); if(i == len) { return new String(outBuffer); } else { ++i; v2 = char_val; v3 = Lookup[arg7]; char_val = v2 + v3 - 29;

private static String Lookup(int char_val, int key_ptr, int len) { int v3; int v2; key_ptr = 62 – key_ptr; len += 2; short[] Lookup = Deobfuscate.LookupTable; int i = 0; char_val += 65; byte[] outBuffer = new byte[len]; --len; while(true){ ++key_ptr; outBuffer[i] = ((byte)char_val); if(i == len) { return new String(outBuffer); } else { ++i; v2 = char_val; v3 = Lookup[key_ptr]; char_val = v2 + v3 - 29;

private static String Lookup(int char_val, int key_ptr, int len) { int v3; int v2; key_ptr = 62 – key_ptr; len += 2; short[] Lookup = Deobfuscate.LookupTable; int i = 0; char_val += 65; byte[] outBuffer = new byte[len]; --len; while(true){ ++key_ptr; outBuffer[i] = ((byte)char_val); if(i == len) { return new String(outBuffer); } else { ++i; char_val2 = char_val; differential_key_value = Lookup[key_ptr]; char_val = char_val2 + differential_key_value - 29;

String Encryption Summary Array of Bytes, differences between adjacent characters Arg 1: Starting character value Arg 2: Starting key index Arg 3: String length Start Value = “b”, start Index = 1, length = 3 Array: { 20, 1, -2, 19, 5 } Result: “cat” (b + 1 = c), (c - 2 = a), ( a + 19 = t)

Call Hiding Using Reflection UnknownObject1 = String.class.getMethod( ObfuscatedAppConfig.Lookup( ObfuscatedAppConfig.LookupTable[40] - 1, ObfuscatedAppConfig.LookupTable[2] - 1, 6), String.class).invoke(string1, string0);

Native Code

Android Native Code APKs can contain native code in the /lib/ directory One sub-directory for each supported architecture (or ABI) E.g. armeabi, armeabi-v7a, x86 Android Java interfaces with native code using the Java Native Interface (JNI) Standardised by Oracle: https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html Java: System.loadLibrary(“foo”) // Loads ./lib/libfoo.so

JNI Exports JNIEXPORT void JNICALL Java_ClassName_FunctionName ( JNIEnv *jniEnv, jobject classInstancePointer, <…args…>);

Conclusions

Conclusions Obfuscators slow down attackers Arms-race between attackers & defenders Both apply to legitimate software & malware Obfuscators don’t fix vulnerabilities Just makes them harder to find using static techniques Effective security assessments should be done with source code.

Recommended Further Reading

Tool References Android Studio and SDK – https://developer.android.com/sdk/index.html Apktool – http://ibotpeaches.github.io/Apktool/ smali/backsmali – https://bitbucket.org/JesusFreke/smali/downloads jd-gui - http://jd.benow.ca/ APK Studio - https://apkstudio.codeplex.com/ JEB Decompiler (Commercial) – https://www.pnfsoftware.com/ Not Covered in this presentation: Radare2 – http://www.radare.org/r/down.html Androguard – https://github.com/androguard/androguard

Any Questions? Twitter: @tkeetch Email: tom@intrinsec.co.uk

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.