Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes


Transcript of Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes

Page 1: Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes

TRUESEEING: EFFECTIVE DATAFLOW ANALYSIS

OVER DALVIK OPCODES

Takahiro / Ken-ya Yoshimura (@alterakey / @ad3liae)

Page 2

WHO WE ARE

➤ alterakey

➤ Security Researcher

➤ iOS/Android Apps

➤ Android System

➤ Network

➤ ad3liae

➤ Security Researcher

➤ iOS Apps

➤ At Monolith Works Inc.

Page 3

MOBILE APP SECURITY

➤ Attack Vectors

➤ Malicious App

➤ Malicious User

➤ Risks

➤ Vulnerabilities

➤ Unwanted Behaviors

Page 4

FINDING VULNERABILITIES

➤ Static Analysis

➤ Reversing the target and deriving its behavior

➤ Reversing data flow is important

➤ Decompilers (such as JD-GUI) are essential tools

➤ Decompiling takes time

➤ Dynamic Analysis

➤ Running the target and seeing its behavior

Page 5

PROBLEMS

➤ Dynamic Analysis

➤ Often unwanted :(

➤ Obfuscation

➤ Common practice

➤ Hinders decompilers

➤ What can we do?

Page 6

RELATED WORKS

➤ Mixing multiple decompilers (QARK et al.)

➤ Speed: even more time

➤ Fragility

➤ Mixing alone does not answer the question, IMHO.

Page 7

GO DIRECT

➤ Trueseeing

➤ Capable of

➤ Reversing data flow

➤ Loosely guessing constants/typesets/…

➤ Manifest analysis (of course)

➤ Uses no decompilers

➤ Speed

➤ Resiliency

Page 8

DISASSEMBLING

➤ apktool

➤ SQLite3 DB

Page 9

MARKING UP

➤ Constants

➤ Invocations

➤ Stored as tables/views

Page 10

DATAFLOW TRACING (1)

➤ Call tracing

➤ Reading backwards

➤ Climbing up the call stack

Page 11

DATAFLOW TRACING (2)

➤ Static trace

➤ Matching sget/sput

➤ Solving constants in sput

Page 12

DATAFLOW TRACING (3)

➤ Instance trace

➤ Matching iget/iput

➤ Ignoring instance identity

➤ Solving constants in iput
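The pipeline of pages 8 to 12 (disassemble, mark up, trace backwards through fields and callers) as an added example. This is not Trueseeing's own code: the table schema, the function names, and the Lcom/example/Crypto; class with its MODE/algo fields and cipherFor/weak methods are invented for the illustration, and the smali is a constructed snippet, not apktool output from a real app. It loads the opcodes into an in-memory SQLite database, marks up constants, invocations and field accesses as tables, and resolves the string reaching each Cipher.getInstance call: through sget/sput via <clinit> for the static field, through iget/iput via <init> for the instance field (ignoring which instance stored it), and by climbing from the p0 parameter of cipherFor to its caller in encrypt.

```python
# Added example, not Trueseeing's own code: a toy pass shaped like the pipeline above. Smali from
# apktool goes into SQLite, constants/invocations/field ops are marked up, and a sink argument is
# traced backwards through sget/sput, iget/iput and up the call stack. Input below is constructed.
import re
import sqlite3

SMALI = """
.class Lcom/example/Crypto;
.method static constructor <clinit>()V
    const-string v0, "AES/ECB/PKCS5Padding"
    sput-object v0, Lcom/example/Crypto;->MODE:Ljava/lang/String;
.end method
.method public constructor <init>()V
    const-string v0, "DES"
    iput-object v0, p0, Lcom/example/Crypto;->algo:Ljava/lang/String;
.end method
.method public static encrypt()V
    sget-object v0, Lcom/example/Crypto;->MODE:Ljava/lang/String;
    invoke-static {v0}, Lcom/example/Crypto;->cipherFor(Ljava/lang/String;)Ljavax/crypto/Cipher;
.end method
.method public static cipherFor(Ljava/lang/String;)Ljavax/crypto/Cipher;
    invoke-static {p0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
.end method
.method public weak()Ljavax/crypto/Cipher;
    iget-object v0, p0, Lcom/example/Crypto;->algo:Ljava/lang/String;
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
.end method
"""
# Opcodes whose first operand is read, not written; any other op is taken to define it.
NON_DEFINING = ("sput", "iput", "aput", "return", "if-", "goto", "invoke", "throw", "monitor")

def load(smali):
    """Disassembly -> one ops row per opcode, plus the markup tables (constants, invocations, fields)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""CREATE TABLE ops (id INTEGER PRIMARY KEY, cls TEXT, method TEXT, op TEXT, args TEXT);
        CREATE TABLE consts (op_id INTEGER, reg TEXT, value TEXT);
        CREATE TABLE invocations (op_id INTEGER, regs TEXT, target TEXT);
        CREATE TABLE field_ops (op_id INTEGER, kind TEXT, reg TEXT, field TEXT);""")
    cls = method = None
    for line in (l.strip() for l in smali.splitlines()):
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            method = line.split()[-1]
        elif line and not line.startswith((".", ":", "#")) and method:
            op, _, args = line.partition(" ")
            oid = db.execute("INSERT INTO ops (cls, method, op, args) VALUES (?, ?, ?, ?)",
                             (cls, method, op, args)).lastrowid
            if op.startswith("const-string"):
                reg, _, value = args.partition(", ")
                db.execute("INSERT INTO consts VALUES (?, ?, ?)", (oid, reg, value.strip('"')))
            elif op.startswith("invoke-"):  # {vA, vB}, Lpkg/Cls;->name(sig)ret (range form not handled)
                m = re.match(r"\{([^}]*)\}, (.*)", args)
                regs = ",".join(r.strip() for r in m.group(1).split(",") if r.strip())
                db.execute("INSERT INTO invocations VALUES (?, ?, ?)", (oid, regs, m.group(2)))
            elif op[:4] in ("sget", "sput", "iget", "iput"):  # iget/iput: the instance register is dropped
                parts = args.split(", ")
                db.execute("INSERT INTO field_ops VALUES (?, ?, ?, ?)", (oid, op[:4], parts[0], parts[-1]))
    return db

def trace(db, op_id, reg, depth=0):
    """Read backwards from op `op_id` to find the value `reg` holds there; None when unsolved."""
    if depth > 16:
        return None  # cut load/store and call cycles
    cls, method = db.execute("SELECT cls, method FROM ops WHERE id = ?", (op_id,)).fetchone()
    for pid, op, args in db.execute("SELECT id, op, args FROM ops WHERE cls = ? AND method = ? "
                                    "AND id < ? ORDER BY id DESC", (cls, method, op_id)).fetchall():
        if not args or args.split(", ")[0] != reg:
            continue  # this op does not write the register we are following
        if op.startswith("const-string"):
            return db.execute("SELECT value FROM consts WHERE op_id = ?", (pid,)).fetchone()[0]
        if op.startswith("move-object"):
            reg = args.split(", ")[1]  # keep walking, now for the source register
        elif op[:4] in ("sget", "iget"):  # static/instance trace: solve the stores to this field
            field = db.execute("SELECT field FROM field_ops WHERE op_id = ?", (pid,)).fetchone()[0]
            stores = db.execute("SELECT op_id, reg FROM field_ops WHERE kind IN ('sput', 'iput') "
                                "AND field = ?", (field,)).fetchall()
            return first_solved(db, stores, depth + 1)
        elif not op.startswith(NON_DEFINING):
            return None  # defined by something this toy cannot solve, e.g. move-result-object
    if reg.startswith("p"):  # method entry: call tracing, climb to each caller (static: pN is arg N)
        n = int(reg[1:])
        callers = [(cid, regs.split(",")[n]) for cid, regs in db.execute(
            "SELECT op_id, regs FROM invocations WHERE target = ?", (f"{cls}->{method}",))
                   if n < len(regs.split(","))]
        return first_solved(db, callers, depth + 1)
    return None

def first_solved(db, sites, depth):
    for sid, sreg in sites:  # trace each (op_id, register) site, return the first that resolves
        value = trace(db, sid, sreg, depth)
        if value is not None:
            return value
    return None

def find_cipher_modes(db):
    """Resolve the transformation string handed to every Cipher.getInstance sink."""
    sinks = db.execute("SELECT i.op_id, i.regs, o.cls, o.method FROM invocations i JOIN ops o ON o.id = i.op_id "
                       "WHERE i.target LIKE 'Ljavax/crypto/Cipher;->getInstance(%'").fetchall()
    return [(f"{cls}->{method}", trace(db, sid, regs.split(",")[0])) for sid, regs, cls, method in sinks]
```

find_cipher_modes(load(SMALI)) resolves "AES/ECB/PKCS5Padding" for the call inside cipherFor (p0 climbs to the invoke in encrypt, whose v0 comes from the sget matched against the sput in <clinit>) and "DES" for the call inside weak (the iget is matched against the iput in <init>, whichever instance it was stored on). Range invoke forms, wide registers, arithmetic and string building on registers are left out; the depth cut-off is what stops a field that is stored from its own load from looping.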

Page 13

REPORTING

➤ HTML: clarity

➤ gcc-style (file:line: message): CI integration

Page 14

CAPABILITY

➤ Most of the OWASP Mobile Top 10 (2015)

➤ M1: Improper Platform Usage

➤ M2: Insecure Data

➤ M3: Insecure Communication

➤ M4: Insecure Authentication

➤ M5: Insufficient Cryptography

➤ M6: Insecure Authorization

➤ M7: Client Code Quality Issues

➤ M8: Code Tampering

➤ M9: Reverse Engineering

➤ M10: Extraneous Functionality

Page 15

FIN.

30.7.2017 Monolith Works Inc.

Page 16

BRING YOUR APK!