Dissecting Android APKReversing Android applications

/> self.me

- Final year undergraduate student at Amrita University, Amritapuri

- Love Android !

- Currently researching on Android security

- Play CTFs as a part of team bi0s

bi0s

Index

- Why Android ?

- Android security implementations and issues

- Real world Android malwares

- Reversing Android apps

- Structure of an APK

- Analyzing the contents

- Demo

- Workaround

Why Android ?

The Tale of Triumph

Open source - power to you!

User-friendly

Most used - more developers

Mobile OS Global Market Share 2016

Android security

- Sandboxing

- Permissions

- ASLR since Android 4.0 ICS

- ARM TrustZone

Implementations

Permissions

ARM TrustZone

Are we at risk ?

Issues - Malwares

- Ransomwares

- Exploits

Real world Android malwares

AccuTrack : Turns an Android device into a GPS tracker

AckPost : Steals contact information from the device and sends it to a remote server

BackFlash / Crosate : Installs as a fake Flash plugin, registers as a Device administrator, and steals sensitive data

BankBot : Particularly aims at stealing bank account information from dedicated apps

DroidDeluxe :Exploits the device to gain root privilege and then modifies access permission of database files and collects account information

APKAndroid package : APK

Zip file with .apk extension

Playstore, Amazon Appstore, F-Droid

Java + res + XML + Libs

Android PacKage

Making of an APK

Reversing Android apps Tools and Methodologies

APKTOOLReversing APKs

- Compile/decompile apps

- Smali code

- To modify apps

Structure of an APK

assets - all the unmodified app contents

AndroidManifest.xml - Generic; The app-map

classes.dex - Java files’ package. The Dalvik executable [ yeah! the source ]

res - All the resources ( drawables, icons, values )

lib - External/custom native libraries

Resources.asrc - Compiled resources / binaries

META-INF - Certificates

Dalvik / ART

→ JVM redefined

→ Dalvik until 4.4.4 Kitkat. ART from 5.0 Lollipop

→ Executes dex

→ Dalvik - JIT, ART - AOT

DEXDalvik Executable

> Dalvik’s bytecode

> java classes

> Easy to debug

Tools

ADBAndroid Debug Bridge

- Android tool

- Drop shells, files

- Access partitions

- Install applications

Dex2JarThe source

- Small in size

- Any platform

- Extracts compiled classes out of the dex

- Easy to use

Demo

Workaround ? → Check permissions

→ Trusted app sources

→ Use ‘ anti-malware ’ apps

Glossary

- aapt : Android Asset Packaging Tool.

- dex : Dalvik executable.

- dx : Tool within the Android SDK used to convert the jar files into dex files.

- R.java : A class with static methods to reference all the resources.

In-depth Introduction to Android Permission Model

Android Internals by Karim Yaghmour

Logcat Security Issue

Dalvik and ART

Dex2jar, ADB, APK Tool

DexGuard obfuscator

Dalvik opcodes

OWASP Seraphimdroid

References

Thank You