Reverse engineering is not just for hackers

Reverse engineering is not just for hackers +JonReeve @themightyjon

Why that permission? • “This notes app wants access to
my contacts…”  • “This photo-taking app wants to send SMS…”

Why is this crashing? • “It’s my app, but that’s
not my code!”  (Closed source library, e.g. ads + analytics) • “It’s not my app, but crashes on my device!”  (Device-speciﬁc variations, particularly custom ROMs)

How did they do that? • Some technical feat you
thought “impossible”?  e.g. good results from Camera API on Samsung • Too many libraries to choose from?  See what everyone else went with! • Sure, write your own…  But that doesn’t mean you can’t look at theirs ﬁrst! • Nifty- visual effect? schwifty

Get the APK • From device, e.g.: $ adb shell
pm list packages -f -3 $ adb pull "$(adb shell pm path $1 | cut -d : -f 2 | tr -d ‘\015’)" • Or from other sources, but be aware of TOS and malware… … to list installed packages … to pull package $1 in one line (with root)

$ aapt  Android Asset Packaging Tool    Usage:  aapt l[ist]
[-v] [-a] file.{zip,jar,apk}  List contents of Zip-compatible archive.    aapt d[ump] [--values] [--include-meta-data] WHAT file.{apk} [asset [asset ...]]  strings Print the contents of the resource table string pool in the APK.  badging Print the label and icon for the app declared in APK.  permissions Print the permissions from the APK.  resources Print the resource table from the APK.  configurations Print the configurations in the APK.  xmltree Print the compiled xmls in the given assets.  xmlstrings Print the strings of the given compiled xml assets.    aapt p[ackage] [-d][-f][-m][-u][-v][-x][-z][-M AndroidManifest.xml] \  ...    Package the android resources. It will read assets and resources that are  supplied with the -M -A -S or raw-files-dir arguments. The -J -P -F and -R  options control which files are output.    aapt r[emove] [-v] file.{zip,jar,apk} file1 [file2 ...]  Delete specified files from Zip-compatible archive.    aapt a[dd] [-v] file.{zip,jar,apk} file1 [file2 ...]  Add specified files to Zip-compatible archive.  aapt aapt d[ump] [--values] [--include-meta-data] WHAT file.{apk} [asset [asset ...]]  strings Print the contents of the resource table string pool in the APK.  badging Print the label and icon for the app declared in APK.  permissions Print the permissions from the APK.  resources Print the resource table from the APK.  configurations Print the configurations in the APK.  xmltree Print the compiled xmls in the given assets.  xmlstrings Print the strings of the given compiled xml assets.

aapt General APK info: $ aapt dump badging Mysterious.apk $
aapt dump strings Mysterious.apk $ aapt dump xmltree Mysterious.apk AndroidManifest.xml Any interesting strings? View a binary XML ﬁle:

The APK assets/ lib/ META-INF/ res/ AndroidManifest.xml classes.dex resources.arsc *
raw files, anything, even dynamically loaded code native code libraries Certificate, signature and file hashes, to verify origin and integrity. Non-compiled resources Binary XML version of manifest Dalvik Executable - All the classes for the Dalvik VM Compiled resources (other)

basic tools

basic + old tools #!/bin/bash  unzip -d zip-out "$1"  java
-jar AXMLPrinter2.jar zip-out/AndroidManifest.xml > AndroidManifest.xml  /opt/dex2jar-0.0.9.15/d2j-dex2jar.sh “$1" # creates “${1%.apk}-dex2jar.jar”  mkdir cfr-extracted && /opt/cfr/cfr.sh “${1%.apk}-dex2jar.jar” --outputdir java-out  java -jar /opt/smali/baksmali-2.0.6.jar -o smali-out zip-out/classes.dex #!/bin/bash  unzip -d zip-out "$1"  java -jar AXMLPrinter2.jar zip-out/AndroidManifest.xml > AndroidManifest.xml  /opt/dex2jar-0.0.9.15/d2j-dex2jar.sh “$1" # creates “${1%.apk}-dex2jar.jar”  mkdir cfr-extracted && /opt/cfr/cfr.sh “${1%.apk}-dex2jar.jar” --outputdir java-out  java -jar /opt/smali/baksmali-2.0.6.jar -o smali-out zip-out/classes.dex 

apktool

apktool $ apktool d target.apk   I: Using Apktool 2.0.0-RC4
on target.apk  I: Loading resource table...  I: Decoding AndroidManifest.xml with resources...  I: Loading resource table from file: /[…]/apktool/framework/1.apk  I: Regular manifest package...  I: Decoding file-resources...  I: Decoding values */* XMLs...  I: Baksmaling classes.dex...  I: Copying assets and libs...  I: Copying unknown files...  I: Copying original files.. $ apktool d target.apk  I: Using Apktool 2.0.0-RC4 on target.apk  I: Loading resource table...  I: Decoding AndroidManifest.xml with resources...  I: Loading resource table from file: /[…]/apktool/framework/1.apk  I: Regular manifest package...  I: Decoding file-resources...  I: Decoding values */* XMLs...  I: Baksmaling classes.dex...  I: Copying assets and libs...  I: Copying unknown files...  I: Copying original files. https://ibotpeaches.github.io/Apktool/

apktool “How was that done?”

apktool $ apktool d -d -o SomeApp SomeApp.apk    ... 
  $ apktool b -d SomeApp    ...    $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore release-key.keystore SomeApp.apk release_key_alias_name Rebuild for debug: … install, run, and a debugger can be attached.  (use smali dir as source dir on a new project) “Why is this crashing?” / “I wish I could debug this!”

androguard

androguard • Python-based, collection of useful tools • Modular, pluggable
and embeddable • Interactive, ipython shell (androlyze.py) • Includes DAD Dalvik decompiler • Site != active, but project is! https://github.com/androguard/androguard

androguard $ python androlyze.py -s Androlyze version 3.0  In [1]:
a, d, dx = AnalyzeAPK(“/Users/jon/Desktop/target.apk") In [2]: a, d, dx Out [2]:  (<androguard.core.bytecodes.apk.APK at 0x10a62c350>,  <androguard.core.bytecodes.dvm.DalvikVMFormat at 0x10d7e7850>,  <androguard.core.analysis.analysis.uVMAnalysis at 0x11b80dad0>)    In [3]: a.get_main_activity() Out [3]: u'com.example.app.ui.MainHomeActivity'    In [4]: d.CLASS_Lcom_example_app_ui_MainHomeActivity.source() more at https://code.google.com/p/androguard/wiki/RE https://github.com/androguard/androguard

androguard “Why does it need that permission?” In [5]: show_Permissions? 
Signature: show_Permissions(dx)  Docstring:  Show where permissions are used in a specific application  :param dx : the analysis virtual machine  :type dx: a :class:`VMAnalysis` object  File: /opt/androguard-2.0/androguard/core/analysis/analysis.py  Type: function In [6]: show_Permissions(dx)  android.permission.READ_CONTACTS :  R ['Landroid/provider/ContactsContract;', 'AUTHORITY_URI', 'Landroid/net/Uri;'] (0x0) ---> Lcom/android/ex/chips/BaseRecipientAdapter$DirectoryListQuery;-><clinit>()V  R ['Landroid/provider/ContactsContract$CommonDataKinds$Email;', 'CONTENT_FILTER_URI', 'Landroid/net/Uri;'] (0x118) ---> Lcom/android/ex/chips/Queries;-><clinit>()V  R ['Landroid/provider/ContactsContract$CommonDataKinds$Phone;', 'CONTENT_FILTER_URI', 'Landroid/net/Uri;'] (0x88) ---> Lcom/android/ex/chips/Queries;-><clinit>()V  R ['Landroid/provider/ContactsContract$CommonDataKinds$Email;', 'CONTENT_URI', 'Landroid/net/ Uri;'] (0x11c) ---> Lcom/android/ex/chips/Queries;-><clinit>()V  R ['Landroid/provider/ContactsContract$CommonDataKinds$Phone;', 'CONTENT_URI', 'Landroid/net/ Uri;'] (0x8c) ---> Lcom/android/ex/chips/Queries;-><clinit>()V

other tools

ClassyShark https://github.com/google/android-classyshark • GUI and CLI • Easy to browse,
check basics • Dex method counts, package structure, size • Opens .dex, .aar, .so, .apk, .jar, .class, etc…

radare2 • Scriptable hex editor evolved into reverse engineering framework
• Supports multiple architectures • Open source • Portable - on device as well as PC (on Play Store) http://www.radare.org/r/

Other Play Store Apps • JaDX - old, super ugly,
but still… • “Show Java” - can use above, or CFR • Dexplorer - simple asset browsing, class structure

Santoku • Bootable Lubuntu-based Linux environment • Tools pre-installed and
set up • Tool list a good starting point https://santoku-linux.com/features/

also…

IDA Pro • “The Interactive Disassembler” • Incredibly full-featured disassembler
+ debugger with long history for other architectures. • Supports Dalvik since 6.1 • Commercial, not cheap! https://www.hex-rays.com/products/ida/

CodeInspect • “Jimple”, not “Jasmin” • “Soot” static analysis framework
• Debug app, run-time analysis • Navigate + rename ﬁelds, methods • Based on Eclipse RCP :/ http://sseblog.ec-spride.de/2014/12/codeinspect/

JEB / JEB2 • Dalvik -> Java source decompiler •
Interactive decompilation - navigate, rename, etc. • Debuggers for Dalvik & native • Commercial, subscription https://www.pnfsoftware.com/

Security “The only truly secure system is one that is
powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.”    - Eugene H. Spafford

Security • What should be secret, and how important is
it? • Important? Keep it out of the app! • Protection effort vs reversing ease • Obfuscation + miniﬁcation at least? • dexguard ($), SQLCipher (free), more if needed • Reverse your own apps!

Compromised Obfuscation • “keep”-ing things keeps their whole path •
Group public things in totally different package structure to avoid this • LOOK at obfuscation results

Further Info • Android Hacker’s Handbook (ﬁnd it on Amazon)
• CodeInspect:  Dismantling Droids for Breakfast @ Droidcon Berlin 2015 • O&D Android Reverse Engineering @ DEFCON23 • Reversing with androguard

Thanks! +JonReeve @themightyjon Slides  https://goo.gl/Cy96UO

Reverse engineering is not just for hackers

Reverse engineering is not just for hackers

More Decks by Jon Reeve

Other Decks in Programming

Featured

Transcript