Bypassing Android Binary Protections
Julian Berton?
● Application Security tester
● OWASP Melbourne chapter lead
● Was a developer
Contact
● meetup.com/Application-Security-OWASP-Melbourne/
● @JulianBerton (Twitter - not very active)
Why are you here and not at the bar?
● Android, a quick intro?
● What are binary protections?
● Why do we need to bypass them?
● The different types of protections.
● How we can bypass them?
● Lots of bypass demos!
Android
● Mostly open source mobile operating system
● Android Open Source Project (AOSP)
●
Smartphone OS Market Share
Source: IDC, 2014 Q4
Android System Architecture
Android Application Build Process
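● Application source files (.java) → javac → .class files
● .class files → dex → .dex files
● .dex files + application resources → apkbuilder → Android Package (.apk), containing .dex files, resources.arsc, AndroidManifest.xml and other resources
● Android Package (.apk) + certificate → jarsigner → Signed Android Package (.apk)
● Signed Android Package (.apk) → adb → Run on device or emulator
● Diagram labels: Developer, Everyone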
Binary What?
1. Code obfuscation
2. SSL pinning
3. Root detection
4. Debugger checks
5.
6. Others
Ordered by popularity
Source: me
Got Rooted?
Why Do I Need Them - Developers/Businesses?
● Intellectual property theft
● Brand damage
● Reduce number of attacks
● Because OWASP says...
Why Do We Care - Pen testers?
● Need to bypass the protections to perform analysis and find vulnerabilities.
Environment Setup
● SDK tools - includes Android Developer Bridge (adb)
● Android Emulator or a rooted Android device
● Apktool - decodes and rebuilds apk files
● dex2jar - as the name suggests
● jd-gui - takes jar file and converts to Java source code
● Cydia Substrate - runtime manipulation/hooking
● Xposed Framework - runtime manipulation/hooking
Static and Dynamic Analysis Tools (diagram)
● Disassembler (IDA)
● dex2jar
● XML viewer
● jd-gui
● Emulator/Device
● Intercepting Proxy (Burp Suite)
● Cydia Substrate
● Xposed Framework
● Drozer
● apktool
● jdb
Bypassing Root Detection And SSL Pinning
Bypass Methods
1. Install apps that try to hide root
2. Install Cydia Substrate or Xposed and write a module
3. Modify the smali and build the app
Easiest to Hardest Method
Demo!!
More Info?
1. Root Detection Bypass - https://bertonjulian.github.io/2015/01/30/root-detection-bypass.html
2. Android SSL Pinning Bypass - http://opentechnotes.blogspot.com.au/2015/01/intercept-all-http-ssl-android-traffic.html
References
● Android System Architecture - http://anatomyofandroid.com/2013/10/15/zygote/
● Android build process - https://developer.android.com/sdk/installing/studio-build.html
● Dalvik vs ART - https://source.android.com/devices/tech/dalvik/index.html
● SSL Pinning - https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
● SSL Pinning Google - https://developer.android.com/training/articles/security-ssl.html
● Anti-reverse engineering - https://bluebox.com/wp-content/uploads/2013/05/AndroidREnDefenses201305.pdf
● OWASP Mobile Top 10 - https://www.owasp.org/index.php/Mobile_Top_10_2014-M10
References - Tools
● Xposed Framework - http://repo.xposed.info/
● Genymotion - https://www.genymotion.com/
● apktool - https://ibotpeaches.github.io/Apktool/
● Cydia Substrate - http://www.cydiasubstrate.com/
● Android SDK - https://developer.android.com/sdk/index.html#Other
● dex2jar - https://github.com/pxb1988/dex2jar
● jd-gui - http://jd.benow.ca/
● jdb - https://docs.oracle.com/javase/7/docs/technotes/tools/windows/jdb.html