Beginners Guide to Reverse Engineering Android Apps · SESSION ID: Beginners Guide to Reverse...
Beginners Guide to Reverse Engineering Android Apps
SESSION ID: STU-W02B
Pau Oliva Fora, Sr. Mobile Security Engineer, viaForensics (@pof)
#RSAC
Agenda
Anatomy of an Android app
Obtaining our target apps
Getting our hands dirty: reversing the target application
Demo using Santoku Linux
Anatomy of an Android app
Anatomy of an Android app
A simple ZIP file, renamed to the "APK" extension, containing:
App resources
Signature
Manifest (binary XML)
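The slide's point that an APK is just a ZIP can be checked directly. The following Python is an added example, not code from the talk or from any tool it mentions: it builds a constructed stand-in APK in memory (entry names as in a real APK, placeholder contents), sorts the entries into the manifest, signature, code and resource groups listed above, and confirms that AndroidManifest.xml starts with the 8-byte binary-XML chunk header (type 0x0003, header size 0x0008) rather than text XML. The entry names and placeholder bytes are constructed; the chunk header layout is the real AXML one.

```python
import io
import struct
import zipfile


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: real entry names, placeholder contents.
    Only AndroidManifest.xml carries a genuine binary-XML chunk header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        manifest_body = b"\x00" * 24  # constructed filler after the chunk header
        manifest = struct.pack("<HHI", 0x0003, 0x0008, 8 + len(manifest_body)) + manifest_body
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)   # DEX magic only
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")              # table header only
        z.writestr("res/layout/main.xml", struct.pack("<HHI", 0x0003, 0x0008, 8))
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("assets/config.json", b"{}")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")                   # DER SEQUENCE prefix only
    return buf.getvalue()


def classify_entry(name: str) -> str:
    """Map a ZIP entry name onto the APK parts named on the slide."""
    if name == "AndroidManifest.xml":
        return "manifest"
    if name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC", "SF", "MF"):
        return "signature"          # v1 (JAR) signature block, signature file and manifest
    if name.startswith("classes") and name.endswith(".dex"):
        return "code"               # classes.dex, classes2.dex, ... (Dalvik bytecode)
    if name.startswith("lib/"):
        return "native"
    if name == "resources.arsc" or name.startswith(("res/", "assets/")):
        return "resources"
    return "other"


def is_binary_xml(data: bytes) -> bool:
    """Android binary XML (AXML) starts with a ResChunk header:
    uint16 type 0x0003, uint16 header size 0x0008, uint32 total chunk size."""
    if len(data) < 8:
        return False
    chunk_type, header_size, chunk_size = struct.unpack("<HHI", data[:8])
    return chunk_type == 0x0003 and header_size == 0x0008 and chunk_size == len(data)


def inspect_apk(apk_bytes: bytes) -> dict:
    """Open the APK with the ordinary zipfile module and group its entries."""
    if not zipfile.is_zipfile(io.BytesIO(apk_bytes)):
        raise ValueError("not a ZIP file, so not an APK")
    report = {k: [] for k in ("manifest", "signature", "code", "native", "resources", "other")}
    report["manifest_is_binary_xml"] = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            kind = classify_entry(info.filename)
            report[kind].append(info.filename)
            if kind == "manifest":
                report["manifest_is_binary_xml"] = is_binary_xml(z.read(info.filename))
    return report


if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Run it on a real APK by passing the file's bytes to inspect_apk; the binary-XML check is why the manifest needs a decoder such as apktool before it is readable.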
Obtaining our target apps
Getting the APK from the phone
Backup to SD card with an app such as APKOptic, Astro file manager, etc.
Getting the APK from the phone
Using ADB (Android Debug Bridge):
    adb shell pm list packages
    adb pull /data/app/package-name-1.apk
Downloading the APK from Google Play
Using an unofficial Google Play API: https://github.com/egirault/googleplay-api
Using a web service or browser extension:
    http://apps.evozi.com/apk-downloader/
    http://apify.ifc0nfig.com/static/clients/apk-downloader/
Getting our hands dirty: reversing the target application
Disassembling
DEX → Smali
Apktool
apktool - https://code.google.com/p/android-apktool/
Multi platform, Apache 2.0 license
Decodes resources to their original form (and rebuilds them after modification)
Transforms binary Dalvik bytecode (classes.dex) into Smali source
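To show what apktool is working on when it turns classes.dex into Smali and assembles it back, here is an added Python example (not apktool's, smali's or the talk's code) that parses the 0x70-byte DEX file header (dex format 035) and verifies the three integrity fields in it: file_size, the Adler-32 checksum and the SHA-1 signature. The sample DEX is constructed inside the block (a header plus an empty data section, no classes) and labelled as such; the field offsets and constants are those of the public DEX format. It also shows why a modified DEX must have its checksum and signature recomputed before repacking: patching a single byte invalidates both, and finalize_dex repairs them.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# The 17 uint32 fields that follow endian_tag, in file order (DEX format spec).
TABLE_FIELDS = (
    "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def finalize_dex(body: bytes) -> bytes:
    """Recompute signature and checksum for a DEX image whose other fields are set.
    signature = SHA-1 of everything from offset 32 (after magic, checksum, signature);
    checksum  = Adler-32 of everything from offset 12 (after magic and checksum)."""
    sig = hashlib.sha1(body[32:]).digest()
    body = body[:12] + sig + body[32:]
    chk = zlib.adler32(body[12:]) & 0xFFFFFFFF
    return body[:8] + struct.pack("<I", chk) + body[12:]


def build_sample_dex() -> bytes:
    """Constructed minimal DEX: a valid header and a 16-byte empty data section, no classes."""
    data = b"\x00" * 16
    fields = {name: 0 for name in TABLE_FIELDS}
    fields["map_off"] = DEX_HEADER_SIZE
    fields["data_size"] = len(data)
    fields["data_off"] = DEX_HEADER_SIZE
    header = b"dex\n035\x00" + b"\x00" * 4 + b"\x00" * 20     # magic, checksum, signature (filled later)
    header += struct.pack("<III", DEX_HEADER_SIZE + len(data), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    header += struct.pack("<17I", *(fields[n] for n in TABLE_FIELDS))
    return finalize_dex(header + data)


def parse_dex_header(dex: bytes) -> dict:
    """Parse the header and report whether size, checksum and signature match the bytes."""
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("too short for a DEX header")
    magic = dex[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic")
    version = magic[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    table = dict(zip(TABLE_FIELDS, struct.unpack_from("<17I", dex, 44)))
    return {
        "version": version,
        "checksum": checksum,
        "checksum_ok": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum,
        "signature": signature.hex(),
        "signature_ok": hashlib.sha1(dex[32:]).digest() == signature,
        "file_size": file_size,
        "size_ok": file_size == len(dex),
        "header_size": header_size,
        "endian_tag": endian_tag,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
        **table,
    }


if __name__ == "__main__":
    dex = build_sample_dex()
    print("original :", parse_dex_header(dex)["checksum_ok"], parse_dex_header(dex)["signature_ok"])
    patched = dex[:-1] + b"\x01"              # one-byte edit in the data section
    print("patched  :", parse_dex_header(patched)["checksum_ok"], parse_dex_header(patched)["signature_ok"])
    repaired = finalize_dex(patched)
    print("repaired :", parse_dex_header(repaired)["checksum_ok"], parse_dex_header(repaired)["signature_ok"])
```

Feed parse_dex_header the bytes of a classes.dex pulled out of an APK to read its table counts (method_ids_size, class_defs_size and so on) before disassembling; a mismatch in checksum_ok or signature_ok on a file you did not edit yourself is worth noting, because the DEX tooling recomputes both whenever it writes a file.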
Smali
Decompiling – Java Decompiler
DEX → JAR → JAVA
Dex2Jar
dex2jar - https://code.google.com/p/dex2jar/
Multi platform, Apache 2.0 license
Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
Lets you use any existing Java decompiler on the resulting JAR file
Java Decompilers
JD-GUI - http://jd.benow.ca/
Multi platform, closed source
JAD - http://varaneckas.com/jad/
Multi platform, closed source, command line
Others: Dare, Mocha, Procyon, …
Decompiling – Android (Dalvik) decompiler
DEX → JAVA
Dalvik Decompilers
Transforming DEX to JAR loses important metadata that the decompiler could use. Pure Dalvik decompilers skip this step, so they produce better output.
Unfortunately there are not as many choices for Android decompilers as for Java decompilers:
Open source: Androguard's DAD - https://code.google.com/p/androguard/
Commercial: JEB - http://www.android-decompiler.com/
Others?
Demo – Santoku
Demo – Santoku Linux
Santoku Linux - https://santoku-linux.com/
Mobile forensics
Mobile malware analysis
Mobile application assessment
Summary
APK files are ZIP files and can be extracted with any unzip utility
Apktool helps extract binary resources and allows repacking
Dex2jar converts Dalvik bytecode to Java bytecode
Pure Android decompilers are better
Santoku Linux has all the tools you need to reverse engineer mobile apps