
Android Reverse Engineering and Analysis - OWASP Tbilisi

Android reverse engineering & malware injection. As Android engineers we like tinkering with the platform, and it is much easier for us to recognise patterns while analysing malicious code, which gives us a big advantage. This talk explores the basics of reverse engineering and the currently popular tools: how to decompile and disassemble an application, how to find malicious code snippets, and what the possible pitfalls are; the difference between static and dynamic analysis; and a little about Smali and DEX compilers. There will be two live demos. First: how to reverse engineer an application. Second, at the end of the session: decompile an APK, plant malicious code, repackage it and install it on a device to test it, for educational purposes. There will also be some introductory information on what Capture The Flag (CTF) challenges are and how we can practise with them.

Merab Tato Kutalia

December 05, 2020

Transcript

  1. Plan • Tools • Static Analysis vs Dynamic • What is Reverse Engineering (RE) • Stats • CTF
  2. Tools
     Static analysis • JADX - decompiler (DEX straight to Java source) • ApkTool - decodes resources and the manifest and disassembles DEX to smali (a disassembler, not a decompiler) • Dex2Jar - converts DEX to a JAR • JD-GUI - Java decompiler (open the JAR produced by Dex2Jar)
     Dynamic analysis • FRIDA
     Disassemblers (native code) • GHIDRA • IDA PRO
  3. Application Structure (APK) • AndroidManifest.xml - declared components and permissions • META-INF/ - Java metadata and the signature files • classes.dex - Dalvik bytecode • lib/ - native libs (one subdirectory per ABI) • assets/ - other raw files bundled with the app
  4. Java vs Smali
     Java:  public boolean myStrMethod(byte mybyte, String str)
     smali: .method public myStrMethod(BLjava/lang/String;)Z
     (B = byte, Ljava/lang/String; = object type, written with a trailing semicolon and no separator before it, Z = primitive boolean; a boxed java.lang.Boolean return type would be Ljava/lang/Boolean; instead of Z)
     http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
     https://github.com/JesusFreke/smali/wiki
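The Java-to-smali signature mapping on slide 4, as an added Python example (not part of the deck): it turns a Java method declaration into the smali `.method` header, covering the primitive letters, `L<path>;` object types and `[` array prefixes. It assumes that unqualified class names such as String or Boolean resolve to java.lang (a simplification; a real tool would read the file's imports) and it does not handle generics or varargs.

```python
import re

# Java primitive types and their Dalvik descriptor letters
PRIMITIVES = {
    "void": "V", "boolean": "Z", "byte": "B", "short": "S", "char": "C",
    "int": "I", "long": "J", "float": "F", "double": "D",
}

# Assumption for this example: an unqualified class name (String, Boolean, ...)
# is resolved as java.lang.*; a real tool would consult the source file's imports.
DEFAULT_PACKAGE = "java/lang"


def type_to_descriptor(java_type: str) -> str:
    """'int' -> 'I', 'String' -> 'Ljava/lang/String;', 'byte[]' -> '[B',
    'android.os.Bundle' -> 'Landroid/os/Bundle;'."""
    java_type = java_type.strip()
    dims = 0
    while java_type.endswith("[]"):          # each [] becomes one leading '['
        dims += 1
        java_type = java_type[:-2].strip()
    if java_type in PRIMITIVES:
        base = PRIMITIVES[java_type]
    else:
        path = java_type.replace(".", "/")
        if "/" not in path:
            path = f"{DEFAULT_PACKAGE}/{path}"
        base = f"L{path};"                   # object types are L<path>; in Dalvik
    return "[" * dims + base


# Matches: [modifiers] ReturnType name(Type a, Type[] b) [;]
SIG_RE = re.compile(
    r"^\s*(?P<mods>(?:(?:public|private|protected|static|final|synchronized|native)\s+)*)"
    r"(?P<ret>[\w.]+(?:\[\])*)\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\)\s*;?\s*$"
)


def java_sig_to_smali(signature: str) -> str:
    """Turn a Java method declaration into its smali .method header."""
    m = SIG_RE.match(signature)
    if not m:
        raise ValueError(f"unrecognised Java signature: {signature!r}")
    params = []
    for p in m.group("params").split(","):
        p = p.strip()
        if not p:
            continue
        parts = p.split()                    # ['byte[]', 'key'] or ['byte', 'key[]']
        java_type = parts[0]
        if len(parts) > 1 and parts[-1].endswith("[]"):   # C-style 'byte key[]'
            java_type += "[]" * parts[-1].count("[]")
        params.append(type_to_descriptor(java_type))
    mods = m.group("mods").split()
    mod_str = " ".join(mods) + " " if mods else ""
    # Dalvik packs the parameter descriptors back to back with no separators,
    # then appends the return type descriptor.
    ret = type_to_descriptor(m.group("ret"))
    return f".method {mod_str}{m.group('name')}({''.join(params)}){ret}"


if __name__ == "__main__":
    print(java_sig_to_smali("public boolean myStrMethod(byte mybyte, String str)"))
    print(java_sig_to_smali("protected void onCreate(android.os.Bundle savedInstanceState)"))
```

The second call is the one you will grep for most often when locating an activity's entry point in apktool output; the converter is also a quick way to check a hand-written smali signature before repackaging, since a single missing semicolon makes `apktool b` fail.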
  5. RE? Malware analysis? Pentest? The first steps are the same: • list activities and exported components • monitor API calls - Burp Suite (plus an SSL pinning bypass if the app pins its certificates) • analyze the decompiled code
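The "list activities and exported components" step from slide 5, as an added Python example (not from the deck): it walks a decoded AndroidManifest.xml and reports every component reachable from other apps, applying the platform defaults for components that leave android:exported unset. The manifest below is constructed for the example and is in the plain-XML form apktool writes out (the copy inside the APK itself is binary AXML and has to be decoded first); the target SDK is passed in because the defaults depend on it.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest in the text form apktool produces (not from a real app)
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter><action android:name="com.example.demo.OPEN"/></intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>
"""


def is_exported(elem, target_sdk: int) -> bool:
    """Apply the platform defaults when android:exported is absent."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17          # providers default to exported only below targetSdk 17
    # activities, services, receivers: exported by default iff they declare an intent-filter
    # (targetSdk 31+ refuses to install such components without an explicit attribute)
    return elem.find("intent-filter") is not None


def exported_components(manifest_xml: str, target_sdk: int = 30) -> list:
    """Return the components another app can reach, in manifest order."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    found = []
    for elem in app if app is not None else []:
        if elem.tag not in COMPONENT_TAGS:
            continue
        name = elem.get(ANDROID + "name", "")
        if name.startswith("."):
            name = package + name           # expand the .ClassName shorthand
        if is_exported(elem, target_sdk):
            found.append({
                "type": elem.tag,
                "name": name,
                # implicit means the developer never wrote android:exported at all
                "implicit": elem.get(ANDROID + "exported") is None,
                "actions": [a.get(ANDROID + "name") for a in elem.iter("action")],
            })
    return found


if __name__ == "__main__":
    for c in exported_components(SAMPLE_MANIFEST, target_sdk=30):
        print(f"{c['type']:9} {c['name']}  implicit={c['implicit']}  actions={c['actions']}")
```

The implicit flag is the interesting column when triaging: a component that is exported only because it carries an intent-filter is often something the developer never intended to expose, and the explicitly exported DebugActivity with no filter at all is the kind of finding that ends up in the "leaking test features in production" bucket later in this deck.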
  6. FRIDA Gadget vs FRIDA Server
     // Server runs as a separate process and needs a rooted device; Gadget is a library embedded in the app itself, so it works on stock devices
     // Gadget:
     - decompile the APK
     - add the FRIDA native library to lib/
     - inject the load call into the bytecode
     - add the permission (android.permission.INTERNET, so the gadget can open its listening socket)
     - repackage
     - sign
     - install
     Java:  System.loadLibrary("frida-gadget")
     smali: const-string v0, "frida-gadget"
            invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
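The "inject into bytecode" step of the Gadget procedure on slide 6, as an added Python example (not the deck's own code): it takes a decoded smali class, finds the target method and inserts the two instructions shown above at the very top of its body. Writing to v0 there is safe because no instruction has run yet and parameters live in p-registers; if the method declares `.locals 0`, the directive is bumped to 1 so that v0 exists. The sample class is constructed for the example; the patcher assumes the apktool/baksmali default output (a `.locals` directive and p-register names for parameters) and refuses anything else rather than guess.

```python
import re

# Constructed sample: a launcher activity as apktool decodes it (not from any real app)
SAMPLE_SMALI = """.class public Lcom/example/demo/MainActivity;
.super Landroid/app/Activity;

# direct methods
.method public constructor <init>()V
    .locals 0

    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    return-void
.end method

# virtual methods
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0

    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    return-void
.end method
"""


def inject_load_library(smali: str,
                        method_sig: str = "onCreate(Landroid/os/Bundle;)V",
                        lib: str = "frida-gadget") -> str:
    """Insert System.loadLibrary(lib) as the first instructions of method_sig.

    Placing the call right after .locals, before any other instruction, means
    register v0 has not been written yet, so clobbering it cannot break the
    method's own code. Parameters are untouched because apktool names them
    p0, p1, ... rather than by absolute v-number.
    """
    load_block = (
        f'    const-string v0, "{lib}"\n'
        f"    invoke-static {{v0}}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V\n"
    )
    if load_block in smali:
        return smali                      # already patched: keep the operation idempotent

    # Method header line followed by its .locals directive (the apktool default layout).
    pattern = re.compile(
        r"(?P<head>^\.method [^\n]*" + re.escape(method_sig) + r"\n"
        r"[ \t]*\.locals (?P<n>\d+)\n)",
        re.MULTILINE,
    )
    m = pattern.search(smali)
    if not m:
        raise ValueError(f"method {method_sig} with a .locals directive not found "
                         "(a .registers directive would need a different register choice)")
    head = m.group("head")
    if int(m.group("n")) == 0:
        head = head.replace(".locals 0", ".locals 1")   # make v0 exist
    return smali[:m.start()] + head + "\n" + load_block + smali[m.end():]


if __name__ == "__main__":
    print(inject_load_library(SAMPLE_SMALI))
```

Around this step the rest of the slide is plain tool usage: `apktool d app.apk -o app_src`, copy the gadget into `app_src/lib/<abi>/libfrida-gadget.so` (Frida ships it as `frida-gadget-<version>-android-<arch>.so`; the `lib` prefix and the `frida-gadget` stem must match the string passed to `loadLibrary`), make sure the manifest carries `android.permission.INTERNET`, then `apktool b app_src -o patched.apk`, `apksigner sign --ks <keystore> patched.apk` and `adb install patched.apk`. Because the rebuilt APK is signed with your key, any in-app signature check or Play Integrity / SafetyNet verdict will flag it; that is the usual pitfall on the second demo.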
  7. Scanned Apps (findings from real applications)
     - OTP/PIN bypass - the check is done client-side only
     - SQL injection
     - base64 decoding leading to an app crash
     - mobile number / OTP / PIN / email enumeration
     - exposed client secrets
     - sessionId saved in (shared) preferences
     - password reset does not kill the current session
     - leaking Google API keys
     - leaking test URLs and test users in production
     - leaking test features in the production app