Securing Your Android Apps
 By Pranay Airan @pranayairan
Pranay Airan
• Web application developer @Intuit
• Android Developer by choice
• Assistant organizer Blrdroid
• @pranayairan
• Current Threats
• Code Protection Tools
• Code Analysis Tools
• Android App Build Process
• How to disassemble
• Different protection techniques
Current Threats
• Stealing App Code
• Stealing App Assets
• Unauthorized API Access
• Stealing App DB
• Repackaging and selling
• Malwares and viruses
• Piracy
Code Protectors
• ProGuard
• DexGuard
• Java obfuscators
Code Analysis Tools
• Dex2jar
• Smali
• IDA Pro
• Dexdump
Android Application Build Process
[Diagram: .java files → Java Compiler → .class files → Obfuscator → Dx tool → Obfuscator → .dex files → APK Builder (also takes .so files and resources) → .apk files, signed with Jar Signer]
Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
Reverse Engineering An App
• Federal Offence
• Use these methods ethically
• This can be used on your apps
Let's disassemble
• App on phone → Apk Extractor → .apk files
• .apk files → Extract APK → resources (images, DB, assets etc.), .dex files, Manifest
• Manifest → AAPT → readable XML
• .dex files → dex2jar (dex to class) → .class files
• .class files → class to Java → Java files
Code Protection
• ProGuard: Obfuscation, Shrinker, Optimization
• Using ProGuard in Android
Reversed APK with ProGuard
Reversed APK with DexGuard
Other Techniques
• Junk byte insertion
• Dynamic code loading
• Self-modifying code
• Obfuscation at dex level
Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
API Protection Google Play Service
[Diagram: Client id → GoogleAuthUtil → Access Token; Token + Your Parameters → Your Backend → Verify Token Fields; Your Backend → Verify Token Signature → Google]
audience:server:client_id:9414861317621.apps.googleusercontent.com
API Protection
• Hiding url & parameters
• Use HTTPS (self signed will work)
• Use time & encoding in parameters
• Use User Agent Identifier
DB Protection
• Hash your data
• 3rd Party DB encryption like SQLCipher
• String Encryption
To Sum Up
• Nothing is foolproof
• Don’t give away your code just like that
• Use ProGuard to protect your code
• Use Google API Verification for sensitive backend calls
Questions ??
Thank You
Pranay.airan@iiitb.net   @pranayairan


http://goo.gl/okiJp
Useful Links
• http://www.honeynet.org/downloads/Android.tar.gz
• http://proguard.sourceforge.net/index.html#manual/examples.html
• http://code.google.com/p/dex2jar/
• http://code.google.com/p/android-apktool/
• http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
• http://sqlcipher.net/sqlcipher-for-android/

Reverse engineering android apps


Editor's Notes

  1. Piracy is being addressed by Google Play licensing services, but they are not that effective at stopping piracy. Stealing your IP/code.
  2. ProGuard is free and comes bundled with the Android SDK. DexGuard is by the same author as ProGuard. Allatori is paid.
  3. All free tools except IDA Pro. APK Tool internally uses Smali. Android Guard is a Python-based tool with a GUI which internally uses dex2gaurd, smali etc. It works only on Linux and is difficult to install. A VM with fully configured Android Guard is available at http://www.honeynet.org/downloads/Android.tar.gz
  4. AAPT (Android application packaging tool) converts resource references into R.java and compiled resources (Manifest). The Java compiler takes R.java, the application source code and Java interfaces to generate class files. The Dx tool takes these .class files, 3rd party libraries and .class files and converts them into dex files. .so = System Objects. http://developer.android.com/tools/building/index.html#detailed-build
  5. Let's reverse engineer an Android app.
  6. Federal offence in some countries. Use these tools for securing your own apps.
  7. Read Smali when de-compilation fails (Dex to smali). Multiple methods to extract APK: 1. Pulling from device – Connect USB cable – Use ADB (Android Debug Bridge) from SDK – No Google Play on emulator (AVD). 2. Directly downloading via googleplaypythonapi from Google Play (https://github.com/egirault/googleplay-api) – Configured Google Account with connected Android ID. 3. Download from Web – Alternative source – Capture transfer to
  8. ProGuard is a simple protection tool available in the Android SDK. It not only acts as an obfuscator but is also a shrinker and optimizer. You can reduce the size of your APK with ProGuard. It is free to use and effective. No string encryption and advanced obfuscation techniques. ProGuard can be configured to run in Android during the build process when you generate the APK. Let's see how we can enable ProGuard.
  9. Let's see a sample APK with ProGuard enabled.
  10. Commercial tool by the creator of ProGuard. All features of ProGuard. Advanced obfuscation techniques with string encryption, API hiding, tamper detection etc. Let's see an APK obfuscated with DexGuard.
  11. Other techniques to protect your Android app code.
  12. New method for verifying backend calls by Google Play services. Very easy to integrate; works on all phones running Google Play services with Android 2.2 and above. It runs in the background without prompting the user for anything. Register your Android app in the Google API console: make one client ID for the web application and one for the Android application, and give your APK signing key MD5 to protect against unauthorized access. In the Android app, call the GoogleAuthUtil.getToken() method, passing the scope argument value audience:server:client_id:X.apps.googleusercontent.com (where X is the client ID of your web app). The user will not be prompted, as the system looks up your server client ID and, since you are in the same app, gives you the token. Send this token along with your API parameters. In your backend, verify the access token signature with the Google public key. From the token (JSON payload) get the fields aud, azp and email. Verify from aud that it is the same client ID as that of your app. Optional verification with azp and email. Sample code: http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
  13. Simple API protection if you don’t want to use Google Play services.
  14. Encrypt strings; this will increase the time needed to understand the code. Encrypt the DB. Shared preferences are also accessible. Store credentials only in encrypted format. http://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html
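
The backend-side checks from note 12, as an added example that is not code from the slides or from Google: it verifies an RS256 token signature and then the aud, azp and email fields. The RSA key, client ids and sample claims are constructed for the example, the expiry check is an addition, and a production backend would use Google's published keys through a maintained library rather than this hand-written verification.

```python
import base64, hashlib, hmac, json

# Constructed test-only RSA key (two Mersenne primes); runs offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, used only by sign_token
K = (N.bit_length() + 7) // 8      # modulus length in bytes
# DER prefix of a SHA-256 DigestInfo (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# Placeholder client ids (assumptions, not values from the slides)
SERVER_CLIENT_ID = "WEB-CLIENT-ID.apps.googleusercontent.com"
ANDROID_CLIENT_ID = "ANDROID-CLIENT-ID.apps.googleusercontent.com"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkcs1_encode(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_token(claims):
    """Stand-in for the token issuer: builds an RS256-signed JWT."""
    head = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    em = int.from_bytes(pkcs1_encode(f"{head}.{body}".encode()), "big")
    return f"{head}.{body}." + b64url(pow(em, D, N).to_bytes(K, "big"))


def verify_token(token, now):
    """Return the claims if every check passes, else raise ValueError."""
    try:
        head, body, sig64 = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        sig = int.from_bytes(b64url_decode(sig64), "big")
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception:
        raise ValueError("malformed token") from None
    if header.get("alg") != "RS256":  # reject "none" and symmetric algorithms
        raise ValueError("unexpected alg")
    # Signature: rebuild the padded digest and compare with sig^E mod N.
    expected = pkcs1_encode(f"{head}.{body}".encode())
    recovered = pow(sig, E, N).to_bytes(K, "big")
    if sig >= N or not hmac.compare_digest(recovered, expected):
        raise ValueError("bad signature")
    # aud must be this backend's own (web application) client id.
    if claims.get("aud") != SERVER_CLIENT_ID:
        raise ValueError("wrong audience")
    # Optional checks from the notes: azp (the Android client id) and email.
    if claims.get("azp") != ANDROID_CLIENT_ID:
        raise ValueError("wrong authorized party")
    if not claims.get("email"):
        raise ValueError("missing email")
    # Expiry is an extra check added in this example.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def check(token, now):  # returns "ok" or the rejection reason
    try:
        verify_token(token, now)
        return "ok"
    except ValueError as err:
        return str(err)


# Constructed sample claims (not real Google output)
SAMPLE = {"aud": SERVER_CLIENT_ID, "azp": ANDROID_CLIENT_ID,
          "email": "user@example.com", "iat": 1000, "exp": 4600}
```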