Marc Obrador
June 30, 2021
[WeAreDevelopers World Conference] Reversing Android Apps
Transcript
Reversing Android Apps
Marc Obrador
Lead Architect @ Build38
Barcelona
@marcobrador /in/marc-obrador
Source: https://en.wikipedia.org/wiki/Reverse_engineering
It’s illegal (in the EU)!
Josep Bernad: iOS
Albert Sunyer: UI
Artà is in Mallorca
ABF takes place (usually) in June
COVID-19 pushed it to … ?
Step 0: Get to know the app
Step 1: Static Analysis
Getting the APK
Decompiling the app
https://ibotpeaches.github.io/Apktool/
$ brew install apktool
Let’s keep looking around
Wait… “discount codes”?
App users get a discount for events
Let’s take a closer look…
HTTP Basic Authorisation = Base64(“username:password”)
username = “string1” xor “string2”
password = “string3” xor “string2”
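The scheme on the slide above, written out as an added Python example (not code from the talk or from the app) to show that neither the XOR step nor the Base64 step keeps the credentials confidential. The three constants, the credentials they decode to and all function names are constructed for this example; the slides do not show the real values.

```python
import base64
from itertools import cycle

# Constructed stand-ins for the three constants found in the decompiled app;
# the real values are not shown in the slides.
STRING1 = bytes.fromhex("07071559080611")    # obfuscated username
STRING2 = b"festival"                        # shared XOR key
STRING3 = bytes.fromhex("240016065b46535d")  # obfuscated password


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key if it is shorter than data."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def derive_credentials(s1: bytes, s2: bytes, s3: bytes) -> tuple[str, str]:
    """What the app does at runtime: username = s1 ^ s2, password = s3 ^ s2."""
    return xor_bytes(s1, s2).decode(), xor_bytes(s3, s2).decode()


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value: Base64("username:password")."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(value: str) -> tuple[str, str]:
    """Recover the pair from a header value; Base64 is an encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode()
    username, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password


if __name__ == "__main__":
    user, pw = derive_credentials(STRING1, STRING2, STRING3)
    header = basic_header(user, pw)
    # The constants in the APK and the header on the wire yield the same pair,
    # so a credential shipped inside the app has to be treated as public.
    print(header, parse_basic_header(header) == (user, pw))
```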
Protecting against static analysis
ProGuard is a good start… for regular apps
• It’s just method renaming and code shrinking
• Tools for reversing ProGuard exist: http://apk-deguard.com/
Other (paid) alternatives exist for obfuscation
Writing sensitive code in native (NDK) is a good idea
Step 2: Dynamic Analysis
Network Sniffing a.k.a. MITM
https://www.charlesproxy.com/
Setting Up Charles Proxy
First attempt…
Setting Up Charles Proxy
Let’s try again…
Protecting against dynamic analysis
• Use certificate pinning
• Implement Root/Debugger/Emulator/Hooking Framework detection
• Try to detect app tampering
Using Certificate Pinning
Source: https://developer.android.com/training/articles/security-config
Step 3: Tampering with the App
Assuming the app implemented Certificate Pinning…
$ adb install "Downloads/Artà Beer Festival_v1.2.5_apkpure.com.apk"
Performing Streamed Install
Success
$ adb shell am start com.marcobrador.android.artabeerfestival/.SplashActivity
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.marcobrador.android.artabeerfestival/.SplashActivity }
Let’s try to remove it
Time to give it a try!
Preventing Repackaging
Looks like we are done here
This code can be removed, too!
Closing Thoughts
Thank you!