DECOMPILING ANDROID
Godfrey Nolan
1DevDay 11/5/11
Intro
• What is a Decompiler?
• Why Android?
• Decompilers
• Protect Yourself
• Raising the Bar
SPAM #1
What is a Decompiler?
• Reverse engineers apps into source code
• Many languages can be decompiled
  • Java, C#, VB.Net, Visual Basic
• Others can only be disassembled
  • C, C++, Objective-C
• Java and .Net particularly at risk
  • Because of JVM and CLR design
• Why use decompilers?
  • Curiosity, hacking, learning, fair use
Why Java
• Exploits JVM design
  • Originally interpreted, not compiled
  • Lots more symbolic information than binaries
  • Data and method separation
  • Simple classfile structure
  • Very few opcodes
Why Java
Classfile {
    int magic,
    short minor_version,
    short major_version,
    short constant_pool_count,
    cp_info constant_pool[constant_pool_count],
    short access_flags,
    short this_class,
    short super_class,
    short interfaces_count,
    interface_info interfaces[interfaces_count],
    short fields_count,
    field_info fields[fields_count],
    short methods_count,
    method_info methods[methods_count],
    short attributes_count,
    attr_info attributes[attributes_count]
}
Why Android
• Client side code
• Easy access to apk's
  • Download apk to sd card using Astro File Mgr
  • Download from xda-developers forum
  • Download using 'adb pull' on jailbroken phone
• Nobody is using obfuscation
  • 1 out of 20 apks downloaded were protected
• Easy to convert apk to Java to decompile
Why Android
java -jar dex2jar.jar com.riis.mobile.apk
jd-gui com.riis.mobile.apk.dex2jar.jar
Why Android
• Dex file
  • Different structure
  • Different opcodes
  • Register based, not stack based
  • Multiple JVMs on device
Why not iPhone?
• Objective-C
  • Compiled, not interpreted
  • Much less information
  • Fat binaries approach
• Can still be disassembled
  • strings and otool unix commands
  • Other tools like IDA Pro
Why Android
• Jailbreak/Root phone
  • Use Z4Root
  • Uses RageAgainstTheCage Trojan exploit
  • Not available on Android Marketplace ;-)
• Using Android SDK platform tools
  • Turn on USB debugging
  • Find apk using adb shell
  • Download using adb pull
• Even easier is the apk-tool
  • Install APK-tool
  • Download apk
  • Right click
Decompilers
• Jive
• Mocha
• JAD
• SourceAgain
• JD-GUI
Possible Exploits
• Web Service API keys exposed
• Database logins
• Credit Card information
• Fake apps
Possible Exploits
public static final String USER_NAME = "BC7E9322-0B6B-4C28B4";
public static final String PASSWORD = "waZawuzefrabru96ebeb";
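As an added illustration (not code from the talk), this Python script walks the constant pool laid out on the earlier classfile slide and lists its Utf8 entries, which is how string constants like the ones above surface from a compiled class even without a decompiler; the sample classfile bytes and the secret heuristic are constructed here for the demo, and the Long entry is included to show the two-slot edge case.

```python
import struct

# Byte sizes of the fixed-size constant-pool entries (tag byte excluded).
# Long (5) and Double (6) also occupy two constant-pool slots.
CP_SIZES = {7: 2, 9: 4, 10: 4, 11: 4, 8: 2, 3: 4, 4: 4, 5: 8, 6: 8, 12: 4}

def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 entry in a classfile's constant pool."""
    magic, _minor, _major, cp_count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java classfile")
    pos, index, found = 10, 1, []
    while index < cp_count:  # entries are numbered 1 .. cp_count - 1
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            found.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        else:
            pos += CP_SIZES[tag]
        index += 2 if tag in (5, 6) else 1
    return found

def looks_like_secret(s):
    """Crude heuristic (constructed for the demo): long token mixing letters and digits."""
    return (len(s) >= 16 and any(c.isdigit() for c in s)
            and any(c.isalpha() for c in s)
            and all(c.isalnum() or c in "-_" for c in s))

def find_hardcoded_secrets(class_bytes):
    """Pre-release check: which string constants look like keys or passwords?"""
    return [s for s in utf8_constants(class_bytes) if looks_like_secret(s)]

def _utf8(s):
    data = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(data)) + data

# Constructed sample classfile prefix (header + constant pool only).
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, 6)  # magic, versions, cp_count
    + _utf8("PASSWORD")                                  # #1
    + b"\x05" + struct.pack(">q", 1234567890123)         # #2-#3 Long (two slots)
    + _utf8("waZawuzefrabru96ebeb")                      # #4
    + b"\x08" + struct.pack(">H", 4)                     # #5 String -> #4
)
```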
Protect Yourself
• Protect code before releasing
  • Hard to recover once it's been made available
• Obfuscators
  • ProGuard
  • DashO
• Native Code
  • Use C++ and JNI
  • 99.99% of Android devices run on ARM processor
  • Use digital signature checking to protect lib
Protect Yourself
• ProGuard:
  • Detects and removes unused classes, fields, methods, and attributes.
  • Optimizes bytecode and removes unused instructions.
  • Renames remaining classes, fields, and methods using short meaningless names.
  • Preverifies the processed code for Java.
• Enable in the default.properties file
  • proguard.config=proguard.cfg
Protect Yourself
• DashO (basic):
  • Improvement over ProGuard's naming by using strange characters and heavily reusing the same names at different scopes.
  • Does much more involved control flow obfuscation than ProGuard, reordering code operations to make them very difficult to understand and often breaking decompilers.
  • Supports string encryption to render important string data unreadable to attackers.
Protect Yourself
• DashO (advanced):
  • Supports tamper detection, handling, and reporting to prevent users from changing the compiled code, even while debugging, and to alert you if it happens.
  • Can automatically inject Preemptive's Runtime Intelligence functionality for remote error reporting.
Protect Yourself
• DashO demo
Protect Yourself - Decompiled
Protect Yourself - ProGuard
Protect Yourself – DashO
Protect Yourself – JNI
#include <jni.h>

/* Return the password from native code so it is not stored as a Java string constant. */
jstring Java_com_getPassword(JNIEnv* env, jobject thiz) {
    const char *password = "waZawuzefrabru96ebeb";
    return (*env)->NewStringUTF(env, password);
}
Links
• http://viralpatel.net/blogs/2009/01/tutorial-java-class-file-format-revealed.html
• http://code.google.com/p/z4root/
• http://code.google.com/p/android-apktool/
• http://www.dalvikvm.com/
Raising the Bar
• APK's are available
• Tools are easy to use
• Turn on ProGuard
• Investigate other obfuscators
• Hide keys using JNI
• Don't put sensitive information unencrypted in APKs
SPAM #2
• RIIS LLC
  • Southfield, MI
• Clients
  • Fandango
  • DTE
  • Comerica
  • BCBSM
• Mobile Development
  • DTE Outage Maps
  • Broadsoft Front Office Assistant
• Contact Information
  • [email protected]