1
UoABuddyApp
2
Project Profile
Project Title: UoABuddyApp
Group & Members: Group-12 (Haroon, Mohan, Sadiq, Shamili, Suzzie, Zeeshan)
Front-End: Android Studio
Back-End: Azure API + SQL Database
Language: Java, C#
Department: Computer Science
University: University of Auckland
3
Intro
• UoABuddyApp is a mentor-student pairing application
• Students can register as volunteers & newbies
• Volunteers can assist new joinees
Scope
New students find it difficult to adapt to the new environment; UoABuddyApp is a resolution for this. UoABuddyApp is an application that helps new students get to know the university with the guidance of senior students of the university.
4
Interface
5
Interface(cont.)
6
Interface(cont.)
7
Obfuscation techniques
Overall obfuscation procedure consists of 4 obfuscation techniques:
• String-image obfuscation
• Control Flow Block insertions
• Pro-guard obfuscation
• Smali assembly-level obfuscation
Incorporate both data and control flow obfuscation procedures
8
String-Image obfuscation
• Data & Control flow obfuscation technique
• Pre-compilation obfuscation technique
• Similar to Steganography
• Embed string data (ASCII) onto an image
• Reconstruct strings from image at runtime
• A manual & automatic (via scripts) obfuscation
This is a pre-compilation obfuscation technique, which implies that it must be incorporated on top of the existing app source code. It is an example of steganography-as-obfuscation, since we are hiding information in plain sight (as an image) within the application resources. First we embed the strings onto an image by writing each character's ASCII value to a pixel of the image (in column order). Once we have written all the string data to the image, we reconstruct the strings at run-time by extracting the characters' ASCII values from the pixels of the image. We only obfuscated the API endpoints of the backend which the UoABuddyApp connects to, and also the preference keys under which data is stored.
9
String-Image obfuscation
• First we store the sensitive strings line-by-line in the “input.txt” file.
• The user then runs the “generate_image.py” Python script; this script reads the strings in the input text file and generates an image (which incorporates the string data).
• The generated image is then moved to the application's resource folder.
• You extract the string data from the image at runtime; we have provided a method which can do this.
• The method returns the ordered list of strings which the user had written to the input text file.
• The entries of the list are then assigned, by index, to variables, therefore hiding the values of the sensitive strings.
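The round trip described on the two slides above, written out as an added example; it is not the project's generate_image.py or its Java extraction method. The PGM image format, the fixed height, the newline separator, the zero padding and the sample strings are assumptions made for the illustration.

```python
# Added illustration; not the project's generate_image.py or its Java extraction method.
# Assumptions: 8-bit greyscale PGM, fixed height, newline between strings, 0 as padding.
import math

def strings_to_grid(strings, height=8):
    """Write each character's ASCII value to one pixel, filling column by column."""
    data = "\n".join(strings).encode("ascii")        # non-ASCII input raises here
    width = max(1, math.ceil(len(data) / height))
    grid = [[0] * width for _ in range(height)]      # grid[row][col]
    for i, value in enumerate(data):
        col, row = divmod(i, height)                 # down a column, then the next column
        grid[row][col] = value
    return grid

def grid_to_pgm(grid):
    """Serialise the grid as a binary PGM (P5) image file."""
    header = f"P5\n{len(grid[0])} {len(grid)}\n255\n".encode("ascii")
    return header + b"".join(bytes(row) for row in grid)

def pgm_to_grid(blob):
    """Parse the P5 file written above back into rows of pixel values."""
    magic, size, maxval, pixels = blob.split(b"\n", 3)
    if magic != b"P5" or maxval != b"255":
        raise ValueError("not an 8-bit binary PGM")
    width, height = map(int, size.split())
    if len(pixels) != width * height:
        raise ValueError("truncated pixel data")
    return [list(pixels[r * width:(r + 1) * width]) for r in range(height)]

def grid_to_strings(grid):
    """Runtime side: read pixels in column order and rebuild the ordered string list."""
    height, width = len(grid), len(grid[0])
    data = bytes(grid[r][c] for c in range(width) for r in range(height)).rstrip(b"\x00")
    return data.decode("ascii").split("\n") if data else []

# Constructed sample values standing in for the contents of input.txt.
SECRETS = ["https://api.example.invalid/v1/login", "pref_session_token"]

if __name__ == "__main__":
    image = grid_to_pgm(strings_to_grid(SECRETS))
    API_LOGIN, PREF_TOKEN = grid_to_strings(pgm_to_grid(image))
    print(API_LOGIN, PREF_TOKEN)
    # The pixels hold plain ASCII codes, so reading them in column order returns the
    # strings; this is the lack of protection the limitations slide refers to.
```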
10
Control Flow Block (CFB) Insertion
• Control Flow obfuscation
• Pre-compilation obfuscation technique
• Randomized insertion of if-else and try-catch blocks
• If statements always compute to false via opaque predicates
• Original program logic is wrapped within these blocks
• Automated technique
This is also a pre-compilation technique, which is applied to the application source code before the APK is built. It is a control flow obfuscation in which we insert “if-statements” and “try-catch” blocks that change the flow of the original application. The inserted control flow blocks (CFBs) always compute to a false condition via the use of false opaque predicates. The original logic remains the same since it is wrapped within these statements. Control flow blocks are inserted within the opening and closing braces of methods and statements. We automate the insertion by using a script which locates the 2nd opening brace within a file and, from then on, inserts a CFB after each consecutive opening brace. It may be easy for a reverse engineer to identify patterns in the placement of CFBs. To make this difficult, the obfuscation technique is implemented such that each CFB is inserted in random order every time the script is run on a Java file. This means that if you run the script on 2 identical Java files, the respective outputs for those files will be different.
11
Control Flow Block (CFB) - Implementation
• Compile false_condition.java
• Run script with files as input parameters
* Backup your files
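One way to write the insertion step described on the two slides above, as an added example; it is not the team's script or their false_condition.java. The opaque predicates, the block templates, the rules for braces to skip and the sample class are hypothetical, and brace matching is line-based.

```python
# Added illustration; not the team's script or false_condition.java. The predicates,
# templates and skip rules are hypothetical, and the brace matching is line-based.
import random, re

# Always false for Java ints, overflow included: a square's low two bits are 00 or 01,
# and a product of consecutive ints is even.
FALSE_PREDICATES = ["({v} * {v}) % 4 == 2", "({v} * ({v} + 1)) % 2 != 0"]
GUARD = "int {v} = (int) System.nanoTime(); if ({p}) {{ throw new IllegalStateException(); }}"
TEMPLATES = ["{{ " + GUARD + " }}",
             "try {{ " + GUARD + " }} catch (IllegalStateException {v}e) {{ }}"]
# Braces that open a class body, switch body or array initializer cannot take a statement.
SKIP = re.compile(r"\b(class|interface|enum|switch|new)\b|=\s*\{$")

def insert_cfbs(java_source, rng=None):
    """Insert one randomly chosen dead block after each usable '{' from the 2nd onward."""
    rng = rng or random.Random()
    out, braces, count = [], 0, 0
    for line in java_source.splitlines():
        out.append(line)
        code = line.split("//")[0].rstrip()
        if not code.endswith("{"):
            continue
        braces += 1
        if braces < 2 or SKIP.search(code):
            continue
        count += 1
        var = f"cfb{count}"                   # unique name avoids clashes in nested scopes
        pred = rng.choice(FALSE_PREDICATES).format(v=var)
        pad = " " * (len(line) - len(line.lstrip()) + 4)
        out.append(pad + rng.choice(TEMPLATES).format(v=var, p=pred))
    return "\n".join(out), count

SAMPLE = """\
public class Greeter {
    private static final int[] SIZES = {
        1, 2 };
    public String greet(String name) {
        if (name == null) {
            return "hello";
        }
        switch (name.length()) {
            case 0: return "hi";
            default: return "hello " + name;
        }
    }
}"""

if __name__ == "__main__":
    print(insert_cfbs(SAMPLE)[0])
```

A constructor that begins with an explicit super(...) or this(...) call is one case these skip rules do not cover, since a statement placed before that call does not compile.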
12
Proguard Obfuscation
• Basic obfuscation technique available within Android Studio
• Also a code/application optimizer
• Limited support for 3rd party libraries
Proguard is a basic obfuscation technique which is commonly used to obfuscate Android apps, since it is available within the Android Studio IDE. We did not develop it; we only utilize it within our app. Only one variable needs to be switched to true to use it. Proguard also optimizes the source code of the app, which in turn significantly reduces the app size by removing redundant code. If an application uses third-party libraries, Proguard will have issues obfuscating (and optimizing) them, so the developer may be required to create rules. This can be done by modifying the “proguard-rules.pro” file.
13
Smali assembly level obfuscation
• Smali assembly level modification
• Post-compilation obfuscation technique
The final control flow obfuscation technique which we used to obfuscate our application is modification at the “Smali” level. It is a post-compilation obfuscation technique; therefore, it can be applied to ALL applications after they have been compiled to an APK. In this technique we decompile an APK into lower-level Smali files using APKTool[9], then we modify these Smali files and recompile them into the APK. By decompiling to Smali, the vital app information is still retained, as opposed to decompiling to Java files, where this information is lost.
14
Smali modification - implementation
We decompiled the APK into the corresponding Smali files by using APKTool, then modified the Smali files by inserting “goto” statements at the start and before the end of each method. The goto statement at the start of each method was directed to the goto statement at the end of the method; this goto statement then redirected the control flow back to the top of the method, which disrupted the normal control flow of the program. We produced a script which automates this procedure. The gotos require a label to jump to (as shown in Fig-5); the labels could potentially be anything, but they cannot be reused. We randomly generated a number and appended it to a string to generate the unique labels. We then signed the recompiled APK to prevent invalid certificate errors.
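The goto pair described above, as an added example that is not the team's script. The label prefixes and the sample Smali class are constructed, and the small instruction walker only handles straight-line code; it is there to check that the original instructions still run in their original order.

```python
# Added illustration; not the team's script. Label prefixes and the sample are constructed.
import random, re
def add_goto_detour(smali_text, rng=None):
    """Give every method with a body a goto at the top and a return goto at the end."""
    rng = rng or random.Random()
    used = set(re.findall(r"^\s*:(\w+)", smali_text, re.M))    # labels already present
    def fresh(prefix):                                          # random suffix, never reused
        while True:
            label = f"{prefix}_{rng.randrange(10**6)}"
            if label not in used:
                used.add(label)
                return label
    out, pair = [], None
    for line in smali_text.splitlines():
        words = line.split()
        if words[:2] == [".end", "method"]:
            if pair:                                            # body seen: close the loop
                out += [f"    :{pair[1]}", f"    goto :{pair[0]}"]
            pair = None
        out.append(line)
        if words[:1] in ([".locals"], [".registers"]) and pair is None:
            pair = (fresh("top"), fresh("tail"))
            out += [f"    goto :{pair[1]}", f"    :{pair[0]}"]
    return "\n".join(out)

def executed_order(smali_text):
    """Follow gotos through straight-line code until a return; list instructions run."""
    lines = [l.strip() for l in smali_text.splitlines() if l.strip()]
    where = {l[1:]: i for i, l in enumerate(lines) if l.startswith(":")}
    pc, ran = 0, []
    while not (ran and ran[-1].startswith("return")):
        line, pc = lines[pc], pc + 1
        if line.startswith("goto"):
            pc = where[line.split(":")[1]]
        elif line[0] not in ".:#":
            ran.append(line)
    return ran

SAMPLE = """\
.class public abstract Lcom/example/Demo;
.super Ljava/lang/Object;
.method public abstract size()I
.end method
.method public static add(II)I
    .locals 1
    add-int v0, p0, p1
    return v0
.end method"""
if __name__ == "__main__":
    print(add_goto_detour(SAMPLE, random.Random(1)))
```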
15
Smali modification - implementation (2)
16
Evaluation
Obfuscating the code has an impact on the performance of the app. In data obfuscation, changing the names of the variables does not make a huge difference in performance. Inserting new pieces of code in control flow obfuscation results in a change in performance. The obfuscated code should not only be hard to reverse engineer, but should also not disrupt the performance of the app by much.
17
String-to-image overhead
• Uses both data and control flow techniques.
• Calculated the size of the APK before and after this obfuscation technique.
• Original logic overhead: 100,000 – 300,000 nanoseconds
• Execution time overhead: 1,000,000 – 3,000,000 nanoseconds
• Space/storage overhead: bytes
• Significant execution time overhead and space/storage overhead when using this obfuscation technique due to data extraction and conversion.
18
Control-Flow-Block insertion overhead
• Redundant code blocks which always evaluate to false were inserted.
• Variations in run time were due to the computational intensity of the try-catch blocks.
• There was no change in execution times, and no space overhead either.
19
Proguard overhead
• Data and control flow technique that adds the least overhead.
• No changes in run time were observed.
• Minimizes code by removing all the resources that are not used.
• App size before Proguard: 2.38 MB
• App size after Proguard: 1.58 MB
20
Smali assembly level obfuscation overhead
• Alters the control flow by inserting goto statements.
• The addition of a few Smali instructions would not have a noticeable impact.
• No changes in execution time, but an increase in the app size.
• App size after Smali modification and recompilation: 1.63 MB
• The increase is not because of the technique, but because of recompilation.
21
Limitations
Consider:
• How usable are the techniques for app development?
• How easy/difficult is it to reverse engineer the obfuscated app?
Address potential improvements for each obfuscation technique
22
String-To-Image Obfuscation
Usability
• This technique is not straightforward
• Requires manual alterations to the source code
• Effort vs protection provided
• Lacks protection on the strings
Improvement
• Additional encryption and encoding on the strings
23
Control-Flow-Block (CFB) Insertion
Usability
• Lacking randomization with opaque predicates
• Decreases code readability
• Ineffective, and prevents compilation in some cases
Improvement
• Fair degree of wrapping within various statement blocks
• Insert commented labels or pointers
• Detect presence of enum
24
Proguard
Usability
• Limited support of 3rd party libraries
• Customise Proguard rules
• Unable to obfuscate serialization strings
Improvement
• Reduce usage of 3rd party libraries
25
Smali assembly level obfuscation
Usability
• Basic function wrapping at lower level
Improvement
• Incorporate Smali logic of our CFB insertion
• Automate packed-switch approach
26
Overall Obfuscation Limitation
• Our project focused primarily on static analysis
• A hacker can utilise dynamic analysis techniques
• Attach debuggers
• Improve against both static and dynamic analysis
27
Reverse Engineering
• Dex2jar: to decompile the APK.
• JD-GUI: to view the decompiled APK files.
• DeGuard: reverses the process of obfuscation performed by Android obfuscation tools.
• Java decompiler: performs a similar task to Dex2jar.
28
Examples
• String Obfuscation:
• Control flow Obfuscation:
    if (Math.random() * 20.0D > 10.0D) {}
    int i = 0;
    while (i != -1)
29
Examples(Cont.)
• Data obfuscation:
    public List<c0624d> m3020a() {
        return (List) m3018a(m3019a(new int[]{15711}, this.f1930a));
    }
• Most of the teams listed in the table have used the ProGuard tool for class, method and variable name obfuscation.
30
Group 1 Dice
• String encryption
• Control flow (Opaque predicate)
Group 2 MySecret secrets
• Data Obfuscation
Group 4 CryptoMe
• String Encryption
• Control Flow (Opaque predicate)
• Layout Obfuscation
• Proguard Obfuscation
Group 5 There and Back again
• String Encryption
• Proguard obfuscation
Group 6 Calories Calculator
Group 7 Calorie Counter
Group 8 Cash me
• Opaque predicate
31
Group 8 Cash me
• Opaque predicate
• Proguard obfuscation
Group 9 Digi Receipt
• String encryption
• Method names are encrypted (ProGuard)
Group 10 Bus Tracker
• Method names are encrypted (ProGuard)
Group 11 Password Diary
• Control flow (Opaque predicate)
• Data flow (Opaque predicate)
Group 13 Drink Up
• String Encryption
• Method names are encrypted (ProGuard)