Protecting Source Code

Post on 08-May-2015

DESCRIPTION

Godfrey Nolan's class on Protecting Android Source code at AnDevCon 2012

Transcript

Godfrey Nolan

Hear no evil, see no evil

Decompiling APK demo

Raising the bar

Easy access to APKs

APK design

Nobody using obfuscation

According to DuoSecurity, over 50% of Android phones are rootable

See Xray.io for more information

Vulnerabilities

ASHMEM

Exploid

Gingerbreak

Levitator

Mempodroid

etc.

Logins

API keys

Credit card information

Fake apps

sdcard

Rooting phone

Download from forums

Obfuscation

Android NDK

SQLCipher for SQLite

Google Closure for JavaScript in HTML5/CSS

Don’t use keys - login each time

Break tools

Dex2Jar and Baksmali

Google Encryption in Jelly Bean (RIP)

Hide key info elsewhere (see resources)

Obfuscation Theory

Layout

Control

Data

Obfuscation Type / Classification / Transformation

Layout
    Scramble identifiers.

Control
    Computations
        Insert dead or irrelevant code.
        Extend a loop condition.
        Reducible to non-reducible.
        Add redundant operands.
        Remove programming idioms.
        Parallelize code.
    Aggregations
        Inline and outline methods.
        Interleave methods.
        Clone methods.
        Loop transformations.
    Ordering
        Reorder statements.
        Reorder loops.
        Reorder expressions.

Data
    Storage and encoding
        Change encoding.
        Split variables.
        Convert static data to procedural data.
    Aggregation
        Merge scalar variables.
        Factor a class.
        Insert a bogus class.
        Refactor a class.
        Split an array.
        Merge arrays.
        Fold an array.
        Flatten an array.
    Ordering
        Reorder methods and instance variables.
        Reorder arrays.

Obfuscators

ProGuard and DexGuard

DashO

Application size

Performance

Remove logging, debugging, testing code

Protection

At the bytecode level

Dead code elimination

Constant propagation

Method Inlining

Class Merging

Remove logging code

Peephole optimizations

Devirtualization

Nothing is unbreakable, but you can raise the bar:

Reflection

String encryption

Class encryption

Tamper detection

Debug detection

Emulator detection

Bug fixing

Unit testing

Obfuscation = defactoring

WordPress

ProGuard & DexGuard

DashO

HoseDex2Jar

NDK

DexToXML

DexToSource

Giveaway

What does Dex stand for?

http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf

https://www.pcisecuritystandards.org/security_standards/documents.php?document=mobile_payment_security_guidelines1

http://xray.io

http://www.netmite.com/android/mydroid/dalvik/docs/dalvik-bytecode.html

http://source.android.com/tech/dalvik/dex-format.html

http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

http://www.saikoa.com/dexguard

http://www.preemptive.com/products/dasho/overview

http://android.wordpress.org/development/

http://selinuxproject.org/page/SEAndroid

http://www.decompilingandroid.com

@decompiling

godfrey@riis.com

http://www.riis.com
