DECOMPILING ANDROID Godfrey Nolan 1DevDay 11/5/11.

DECOMPILING ANDROIDGodfrey Nolan

1DevDay 11/5/11

Intro

• What is a Decompiler?• Why Android?• Decompilers • Protect Yourself• Raising the Bar

SPAM #1

What is a Decompiler

• Reverse Engineers apps into source code • Many languages can be decompiled

• Java, C#, VB.Net., Visual Basic

• Others can only be disassembled• C, C++, Objective-C

• Java and .Net particularly at risk• Because of JVM and CLR design

• Why use decompilers?• Curiosity, Hacking, Learning, Fair Use

Why Java

• Exploits JVM Design• Originally interpreted not compiled • Lots more symbolic information than binaries• Data and method separation• Simple classfile structure• Very few opcodes

Why Java

Why JavaClassfile {

int magic,

short minor_version,

short major_version,

short constant_pool_count,

cp_info constant_pool[constant_pool_count],

short access_flags,

short this_class,

short super_class,

short interfaces_count,

interface_info interfaces[interfaces_count],

short fields_count,

field_info fields[field_count],

short methods_count,

method_info methods[methods_count],

short attribute_count,

attr_info attributes[attributes_count]

}

Why Java

Why Android

• Client side code• Easy access to apk’s

• Download apk to sd card using Astro File Mgr• Download from xdadevelopers forum• Download using ‘adb pull’ on jailbroken phone

• Nobody is using obfuscation• 1 out of 20 apks downloaded were protected

• Easy to convert apk to Java to decompile

Why Android

Why Android

java –jar dex2jar.jar com.riis.mobile.apkjd-gui com.riis.mobile.apk.dex2jar

Why Android

• Dex file• Different structure• Different opcodes• Register based not stack based• Multiple JVMs on device

Why Android

Why Android

Why not iPhone?

•Objective-C• Compiled not interpreted• Much less information• Fat binaries approach

•Can still be disassembled• strings and otool unix commands• Other tools like IDA Pro

Why Android

• Jailbreak/Root phone • Use Z4Root• Uses RageAgainstTheCage Trojan exploit• Not available on Android Marketplace ;-)

• Using Android SDK platform tools• Turn on USB debugging• Find apk using adb shell• Download using adb pull

Why Android

Why Android

• Even easier is the apk-tool• Install APK-tool

• Download apk • Right click

Decompilers

• Jive• Mocha• JAD• SourceAgain• JD-GUI

Possible Exploits

• Web Service API keys exposed• Database logins• Credit Card information• Fake apps

Possible Exploits

Possible Exploits

Possible Exploits

public static final String USER_NAME = "BC7E9322-0B6B-4C28B4";public static final String PASSWORD = "waZawuzefrabru96ebeb";

Protect Yourself

• Protect code before releasing• Hard to recover once it’s been made available

• Obfuscators• ProGuard• DashO

• Native Code• Use C++ and JNI• 99.99% of Android devices run on ARM processor• Use digital signature checking to protect lib

Protect Yourself

• ProGuard:• Detects and removes unused classes, fields, methods,

and attributes. • Optimizes bytecode and removes unused instructions. • Renames remaining classes, fields, and methods using

short meaningless names. • Preverifies the processed code for Java.

• Enable in default.properties files• proguard.config=proguard.cfg

Protect Yourself

• DashO (basic):• Improvement over ProGuard's naming by using strange

characters and heavily reusing the same names at different scopes.

• Does much more involved control flow obfuscation than ProGuard, reordering code operations to make them very difficult to understand and often breaking decompilers. 

• Supports string encryption to render important string data unreadable to attackers. 

Protect Yourself

• DashO (advanced):• Supports tamper detection, handling, and reporting to

prevent users from changing the compiled code, even while debugging, and to alert you if it happens.

• Can automatically inject Preemptive's Runtime Intelligence functionality for remote error reporting.

Protect Yourself• DashO demo

Protect Yourself - Decompiled

Protect Yourself - ProGuard

Protect Yourself – DashO

Protect Yourself – JNI

jstring Java_com_getPassword(JNIEnv* env, jobject thiz){

char *password = “waZawuzefrabru96ebeb”;

return (*env)->NewStringUTF(env, password);}

Protect Yourself – JNI

Protect Yourself – JNI

Links• http://viralpatel.net/blogs/2009/01/tutorial-java-class-file-fo

rmat-revealed.html• http://code.google.com/p/z4root/• http://code.google.com/p/android-apktool/• http://www.dalvikvm.com/

Raising the Bar• APK’s are available• Tools are easy to use• Turn on ProGuard• Investigate other obfuscators• Hide keys using JNI• Don’t put sensitive information unencrypted in APKs

SPAM #2• RIIS LLC

• Southfield, MI

• Clients• Fandango• DTE• Comerica• BCBSM

• Mobile Development• DTE Outage Maps• Broadsoft Front Office Assistant

• Contact Information• [email protected]