Reverse-Engineering apps on the device - how far can we go? (Droidcon UK 2019)

@jebstuart — ware.to/reverse Reverse-Engineering on the Device:  How Far Can
We Go? Jeb Ware American Express

@jebstuart — ware.to/reverse Views expressed here are my own  
and do not necessarily reﬂect   the views of my employer.

@jebstuart — ware.to/reverse Reverse-Engineering on Device? APK

@jebstuart — ware.to/reverse # Reverse-Engineering on Device? APK

@jebstuart — ware.to/reverse Reverse-Engineering on Device! APK APK

@jebstuart — ware.to/reverse App Sandboxing APK Sandbox res dex so
asset files db shared pref keys APK Sandbox res dex so asset files db shared pref keys APK Sandbox res dex so asset files db shared pref keys

@jebstuart — ware.to/reverse /data/app/com.example.yourapp-1/base.apk

@jebstuart — ware.to/reverse /data/app/com.example.yourapp-1/base.apk context.packageManager .getInstalledApplications(...) .map { it.publicSourceDir }

@jebstuart — ware.to/reverse APK • AndroidManifest.xml • assets/ • …
• classes.dex • classes2.dex • res/ • anim/ • color/ • drawable/ • layout/ • raw/ • …

@jebstuart — ware.to/reverse val zip = ZipFile(appInfo.publicSourceDir)  zip.entries().toList() .map {
zip.getInputStream(it) } .onEach { ... }

@jebstuart — ware.to/reverse Compiled XML ? @.;FP}?  interpolatordurationshareInterpolator fromYDeltatoYDeltaandroid**http:// schemas.android.com/apk/res/androidset
translate?A????????8????????????t???????????? ?????????????????????????????????

@jebstuart — ware.to/reverse val appId = “com.example.yourapp" val res: Resources
= packageManager.getResourcesForApplication(appId)

@jebstuart — ware.to/reverse val res: Resources = packageManager.getResourcesForApplication(appId) res.getString(0x7f0e0003)

@jebstuart — ware.to/reverse val res: Resources = packageManager.getResourcesForApplication(appId) res.getString(0x7f0e0003) “Hello,
World!”

@jebstuart — ware.to/reverse val res: Resources = packageManager.getResourcesForApplication(appId) res.getString(0x7f0e0003) “Hello,
World!” ???

@jebstuart — ware.to/reverse Resource IDs 0x7f0e0003

@jebstuart — ware.to/reverse Resource IDs 0x7f0e0003 ??? ??? ???

@jebstuart — ware.to/reverse

@jebstuart — ware.to/reverse Resource IDs 0x7f0e0003

@jebstuart — ware.to/reverse 0e Resource IDs { const 0x7f 0003

@jebstuart — ware.to/reverse 0e Resource IDs { { const type
0x7f 0003

@jebstuart — ware.to/reverse 0e Resource IDs { { { const
type identiﬁer 0x7f 0003

@jebstuart — ware.to/reverse Enumerating Resources 0x7f 0000 01

@jebstuart — ware.to/reverse Enumerating Resources 0x7f 0003 01 ResourceNotFoundException

@jebstuart — ware.to/reverse Enumerating Resources val res: Resources = packageManager.getResourcesForApplication(appId)
val name = res.getResourceName(0x7f0e0003) val type = res.getResourceTypeName(0x7f0e0003) val entry = res.getResourceEntryName(0x7f0e0003)

@jebstuart — ware.to/reverse Enumerating Resources val res: Resources = packageManager.getResourcesForApplication(appId)
val name = res.getResourceName(0x7f0e0003) val type = res.getResourceTypeName(0x7f0e0003) val entry = res.getResourceEntryName(0x7f0e0003) “anim” “abc_slide_out_top” “com.example:anim/abc_slide_out_top”

@jebstuart — ware.to/reverse Loading Resource Values val res: Resources =
packageManager.getResourcesForApplication(appId) res.getBoolean(0x7f0e0123) res.getColor(0x7f0e0123, null) res.getDimension(0x7f0e0123) res.getDrawable(0x7f0e0123, null) res.getInteger(0x7f0e0123) res.getString(0x7f0e0123)

@jebstuart — ware.to/reverse Live demo!

@jebstuart — ware.to/reverse Enumerating Assets val res: Resources = packageManager.getResourcesForApplication(appId)
val fileNames = res.assets.list("")

@jebstuart — ware.to/reverse Enumerating Assets val res: Resources = packageManager.getResourcesForApplication(appId)
val fileNames = res.assets.list("") AMobileConfig.json bar.properties fonts html settings.json

@jebstuart — ware.to/reverse Enumerating Assets val inputStream = res.assets.open(path) //
for image val bitmap = BitmapFactory.decodeStream(inputStream) // for text file val text = inputStream.reader().readLines()

@jebstuart — ware.to/reverse Live demo?

@jebstuart — ware.to/reverse DEX ﬁles

@jebstuart — ware.to/reverse DEX ﬁles val apk = ZipFile(appInfo.publicSourceDir) val
dexEntries = apk.entries().toList() .filter { it.name.startsWith("classes") && it.name.endsWith(".dex") }

@jebstuart — ware.to/reverse

@jebstuart — ware.to/reverse .class ﬁles

@jebstuart — ware.to/reverse .dex ﬁle .class ﬁles

@jebstuart — ware.to/reverse .dex ﬁle

@jebstuart — ware.to/reverse .dex ﬁle header

@jebstuart — ware.to/reverse .dex ﬁle header strings table

@jebstuart — ware.to/reverse .dex ﬁle header strings table code ’n’
stuﬀ

@jebstuart — ware.to/reverse implementation 'com.jakewharton.android.repackaged:dalvik-dx:9.0.0_r3'

@jebstuart — ware.to/reverse import com.android.dex.Dex val strings = dexFiles.flatMap {
val dex = Dex(it.readBytes()) dex.strings() }

@jebstuart — ware.to/reverse ¡Live demo!

@jebstuart — ware.to/reverse .dex ﬁle header strings table code ’n’
stuﬀ

@jebstuart — ware.to/reverse implementation 'org.smali:baksmali:2.3.4'

@jebstuart — ware.to/reverse val dexFile = DexFileFactory.loadDexEntry( File(appInfo.publicSourceDir), // APK
file "classes.dex", // name of dex file within true, // exactMatch null // opcodes )

@jebstuart — ware.to/reverse val dexFile = DexFileFactory.loadDexEntry( File(appInfo.publicSourceDir), // APK
file "classes.dex", // name of dex file within true, // exactMatch null // opcodes ) Baksmali.disassembleDexFile( dexFile, outputDir, 10, // jobs BaksmaliOptions() )

@jebstuart — ware.to/reverse ¿Live demo?

@jebstuart — ware.to/reverse DexClassLoader classLoader = DexClassLoader( targetFile.absolutePath, null, null,
classLoader)

@jebstuart — ware.to/reverse val clazz = classLoader.loadClass("com.example.MyClass")

@jebstuart — ware.to/reverse implementation 'com.jakewharton.dex:dex-member-list:3.3.0'

@jebstuart — ware.to/reverse Enumerating Classes val members: List<DexMember> = DexParser.fromFile(dexFile).list()
member.declaringType

@jebstuart — ware.to/reverse val clazz = classLoader.loadClass(fqcn)  val modifiers =
clazz.getDeclaredField(fieldName).modifiers val public: Boolean = Modifier.isPublic(modifiers)

@jebstuart — ware.to/reverse val field = clazz.getDeclaredField(fieldName) val instance =
clazz.newInstance()   val value = field.get(instance)

@jebstuart — ware.to/reverse val clazz = targetClassLoader.loadClass(declaringType) val instance =
clazz.newInstance() val method = clazz.getDeclaredMethod(methodName, String::class.java, Boolean::class.java) val result = method.invoke(instance, "arg1", true)

@jebstuart — ware.to/reverse Live demo?!

@jebstuart — ware.to/reverse Loading Layouts

@jebstuart — ware.to/reverse java.lang.ClassNotFoundException: Didn't find class "android.support.v7.widget.ActivityChooserView$InnerLayout" on path:
DexPathList[ [zip file “/data/app/com.jebware.appspy-A_W1…2Q==/base.apk”], nativeLibraryDirectories=[ /data/app/com.jebware.appspy-A_W1…2Q==/lib/arm64, /system/lib64  ] ]

@jebstuart — ware.to/reverse val flags = CONTEXT_INCLUDE_CODE val targetContext =
createPackageContext("com.example.app", flags)

@jebstuart — ware.to/reverse val flags = CONTEXT_INCLUDE_CODE val targetContext =
createPackageContext("com.example.app", flags) SecurityException

@jebstuart — ware.to/reverse val flags = CONTEXT_INCLUDE_CODE or CONTEXT_IGNORE_SECURITY val
targetContext = createPackageContext("com.example.app", flags)

@jebstuart — ware.to/reverse val flags = CONTEXT_INCLUDE_CODE or CONTEXT_IGNORE_SECURITY val
targetContext = createPackageContext(targetPackageName, flags)

@jebstuart — ware.to/reverse val targetLayoutInflater = layoutInflater .cloneInContext(targetContext)

@jebstuart — ware.to/reverse val targetLayout = targetLayoutInflater .inflate(targetLayoutId, null) setContentView(targetLayout)

@jebstuart — ware.to/reverse Live Demo!!

@jebstuart — ware.to/reverse APK Sandbox res dex so asset files
db shared pref keys APK Sandbox res dex so asset files db shared pref keys APK Sandbox res dex so asset files db shared pref keys

db shared pref keys APK Sandbox res dex so asset ﬁles db shared pref keys APK Sandbox res dex so asset ﬁles db shared pref keys uid 10001 uid 10002 uid 10003

db shared pref keys APK Sandbox res dex so asset ﬁles db shared pref keys APK Sandbox res dex so asset ﬁles db shared pref keys uid 10001 uid 10002 uid 10003 APK

@jebstuart — ware.to/reverse “external” storage

@jebstuart — ware.to/reverse “external” storage Context.getExternalFilesDir()

@jebstuart — ware.to/reverse “external” storage Context.getExternalFilesDir()       /storage/emulated/0/Android/data/com.example/files
         

@jebstuart — ware.to/reverse “external” storage Context.getExternalFilesDir()   Environment.getExternalStoragePublicDirectory(  Environment.DIRECTORY_PICTURES)  
  /storage/emulated/0/Android/data/com.example/files       /storage/emulated/0/Pictures   

Environment.getExternalStorageDirectory()   /storage/emulated/0/Android/data/com.example/files       /storage/emulated/0/Pictures      /storage/emulated/0   

Environment.getExternalStorageDirectory()   System.getenv("EXTERNAL_STORAGE") /storage/emulated/0/Android/data/com.example/files       /storage/emulated/0/Pictures      /storage/emulated/0      /sdcard

@jebstuart — ware.to/reverse “external” storage Context.getExternalFilesDir()   (no permission)  
Environment.getExternalStorageDirectory()   android.Manifest.permission.READ_EXTERNAL_STORAGE /storage/emulated/0/Android/data/com.example/files             /storage/emulated/0     

@jebstuart — ware.to/reverse val path = file.toPath() // java.nio.file.Path

@jebstuart — ware.to/reverse val path = file.toPath() // java.nio.file.Path val
uid = Files.getAttribute(path, "unix:uid") as Int

@jebstuart — ware.to/reverse val path = file.toPath() // java.nio.file.Path val
uid = Files.getAttribute(path, "unix:uid") as Int // String[] val packages = packageManager.getPackagesForUid(uid)  packageManager.getApplicationInfo(packages.first(), 0)

@jebstuart — ware.to/reverse Live Demo!!

@jebstuart — ware.to/reverse Takeaways • Sandbox protects private data, keys,
etc. • Not code, resources, assets. • “External” storage is (eﬀectively) world-readable • Many RE tools available - some will run inside another app

@jebstuart — ware.to/reverse Questions? Jeb Ware  American Express    @jebstuart 
http://ware.to/reverse

Reverse-Engineering apps on the device - how f...

Reverse-Engineering apps on the device - how far can we go? (Droidcon UK 2019)

More Decks by jebstuart

Other Decks in Programming

Featured

Transcript