Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Reverse Engineering and Analysis - OWAS...

Merab Tato Kutalia
December 05, 2020
Programming
1
210

Android Reverse Engineering and Analysis - OWASP Tbilisi

Android reverse engineering & malware injection. As Android engineers, we often like tinkering with the platform and for us, it is much easier to recognize some patterns while analyzing malicious code which gives us a huge advantage. This talk aims to explore the basics of reverse engineering, trending tools. How to decompile, disassemble the application, how to find malicious code snippets and what are the possible pitfalls. Difference between static and dynamic analysis. A little bit about Smali and DEX compilers. We will have 2 live demos. First: show how to reverse engineer an application and second: at the end of the session, we will decompile APK, plant malicious code, repackage again and install on the device to test it for educational purposes. Also will provide some introductory info on what is the Catch The Flag challenges and how we can practice.

Merab Tato Kutalia

December 05, 2020
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
130
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.7k
Make Codebases Secure with OWASP
tatocaster
0
170
Secure Coding Standards
tatocaster
0
130
ტანგო ანდროიდთან
tatocaster
0
180
Adopting Huawei Mobile Services
tatocaster
0
48
Android UI Testing & Challenges
tatocaster
1
68
Reverse & Inject - droidcon
tatocaster
3
240
mobile DevOps
tatocaster
1
83

Other Decks in Programming

See All in Programming
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.1k
カラム追加で増えるActiveRecordのメモリサイズ イメージできますか?
asayamakk
4
1.6k
Tuning GraphQL on Rails
pyama86
2
1k
推し活の ハイトラフィックに立ち向かう Railsとアーキテクチャ - Kaigi on Rails 2024
falcon8823
6
2.2k
Universal Linksの実装方法と陥りがちな罠
kaitokudou
1
220
Outline View in SwiftUI
1024jp
1
160
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
920
Amazon Neptuneで始めてみるグラフDB -OpenSearchによるグラフの全文検索-
satoshi256kbyte
4
330
約9000個の自動テストの 時間を50分->10分に短縮 Flakyテストを1%以下に抑えた話
hatsu38
23
11k
Kaigi on Rails 2024 - Rails APIモードのためのシンプルで効果的なCSRF対策 / kaigionrails-2024-csrf
corocn
5
3.4k
What’s New in Compose Multiplatform - A Live Tour (droidcon London 2024)
zsmb
1
340
/←このスケジュール表に立ち向かう フロントエンド開発戦略 / A front-end development strategy to tackle a single-slash schedule.
nrslib
1
590

Featured

See All Featured
A Modern Web Designer's Workflow
chriscoyier
692
190k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
92
16k
Why Our Code Smells
bkeepers
PRO
334
57k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Bash Introduction
62gerente
608
210k
Music & Morning Musume
bryan
46
6.1k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
Six Lessons from altMBA
skipperchong
26
3.5k
RailsConf 2023
tenderlove
29
880
The Pragmatic Product Professional
lauravandoore
31
6.3k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k

Transcript

  1. Android Reverse Engineering and Analysis

  2. Android Chapter Lead @ TBC tatocaster.me debuggerpodcast.ge Tato Kutalia tatocaster

  3. None

  4. Plan • Tools • Static Analysis vs Dynamic • What

    is Reverse Engineering (RE) • Stats • CTF

  5. Tools Static Analysis • JADX - Decompiler • ApkTool -

    Decompiler • Dex2Jar - Dex decompiler to Jar • JD-GUI - Java Decompiler Dynamic analysis • FRIDA Disassembler • GHIDRA • IDA PRO

  6. • AndroidManifest.xml • META-INF/ - java meta/signatures • classes.dex -

    dalvik bytecode • lib/ - native libs • assets/ - other Application Structure APK

  7. Java vs Android compilation

  8. Java vs Smali Java private static void myMethod() smali .method

    private static myMethod()V

  9. Java vs Smali Java public Boolean myStrMethod(byte mybyte, String str)

    smali .method public myStrMethod(B; Ljava/lang/String)Z – http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html https://github.com/JesusFreke/smali/wiki

  10. Entry point • Activity • Services • Receivers • ContentProviders

    • Application • exported components!!

  11. RE? Malware analysis? Pentest? • list activities and exported components

    • monitor api calls - Burp Suite + (bypass SSL pinning)? • analyze decompiled code

  12. RE: DEMO

  13. What about .so files?

  14. None
  15. None
  16. None

  17. Dynamic analysis • change and examine app in runtime

  18. : DEMO

  19. FRIDA Gadget vs FRIDA Server // Gadget - decompile APK

    - add FRIDA native library to lib/ - inject into bytecode - add permission - repackage - sign - install System.loadLibrary("frida-gadget") const-string v0, "frida-gadget" invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

  20. Scanned Apps

  21. Scanned Apps - bypass otp/pin - client side check only

    - SQL injection - base64 decoding leading to app crash - mobile number / otp / pin / email enumeration - exposed client secrets - save sessionId in preferences - password reset does not kill the current session - leaking Google API keys - leaking test url and users in prod - leaking test features in production app

  22. Scanned Apps

  23. Bug Bounty

  24. Catch the Flags

  25. None

  26. Questions