Reverse & Inject - droidcon

Transcript

1. Reverse & Inject

2. Android Chapter Lead @ TBC Bank tatocaster.me Tato Kutalia tatocaster

3. Plan • Tools • Static Analysis vs Dynamic • What

   is Reverse Engineering (RE)

4. Tools Static Analysis • JADX - Decompiler • ApkTool -

   Decompiler • Dex2Jar - Dex decompiler to Jar • JD-GUI - Java Decompiler Dynamic analysis • FRIDA Disassembler • GHIDRA • IDA PRO

5. • AndroidManifest.xml • META-INF/ - java meta/signatures • classes.dex -

   dalvik bytecode • lib/ - native libs • assets/ - other Application Structure APK

6. Java vs Android compilation

7. Java vs Smali Java public Boolean myStrMethod(byte mybyte, String str)

   smali .method public myStrMethod(B; Ljava/lang/String)Z – http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html https://github.com/JesusFreke/smali/wiki

8. RE: DEMO

9. What about .so files?

10. None
11. None
12. None

13. Dynamic analysis • change and examine app in runtime

14. : DEMO

15. FRIDA Gadget vs FRIDA Server // Gadget - decompile APK

    - add FRIDA native library to lib/ - inject into bytecode - add permission - repackage - sign - install System.loadLibrary("frida-gadget") const-string v0, "frida-gadget" invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

16. Scanned Apps

17. Scanned Apps - bypass otp/pin - client side check only

    - SQL injection - base64 decoding leading to app crash - mobile number / otp / pin / email enumeration - exposed client secrets - save sessionId in preferences - password reset does not kill the current session - leaking Google API keys - leaking test url and users in prod - leaking test features in production app

18. Catch the Flags

19. None

20. Q&A