SlideShare ist ein Scribd-Unternehmen logo

Cracking the mobile application code

Sreenarayan A
Sreenarayan A

Presentation presented at OWASP Appsec USA 2012, Austin, Texas.

Bildung
1 von 23
Cracking the Code of Mobile Application OWASP APPSEC USA 2012 - Sreenarayan A Paladion Mobile Security Team
Take Away for the day • Why Mobile Security? • Purpose of Decompiling Mobile Applications?! • Methodology of Decompilation • Live Demo’s: – Windows Phone App – Android App – iOS (iPhone / iPad App) – Blackberry Apps / Nokia App [Jar Files] – Blackberry Apps [COD Files]
Why is security relevant for Mobile Platform? • 400% Increase in the number for Organizations Developing Mobile Platform based applications. • 300% Increase in the no of Mobile Banking Applications. • 500% Increase in the number of people using the Mobile Phones for their day to day transactions. • 82% Chances of end users not using their Mobile Phones with proper caution. • 79% Chances of Mobile Phone users Jail Breaking their Phones. • 65% Chances of Mobile Phone users not installing Anti-virus on their Mobile Phones. • 71% Chances of any application to get misused. • 57% Chances of a user losing his sensitive credentials to a hacker.
Market Statistics of Mobile Users
Mobile Market Trends
Different Types of Mobile Applications • Mobile Browser based Mobile Applications • Native Mobile Applications • Hybrid Mobile Applications
Different Types of Mobile Applications
Different Types of Mobile Architecture Browser Hybrid App App
Why did we learn the above types?? • Which applications can be Decompiled? – Browser based Mobile Applications ? – Native Mobile Applications ? – Hybrid Mobile Applications ? • We have to get to know of the basics!
Cracking the Mobile Application Code
Cracking the Mobile Application Code •What do you mean by Decompilation? -> What is Compilation? •What do you mean by Reverse Engineering? Questions to be answered ahead: •What are the goals/purpose of Cracking the code? •What is the methodology of Decompilation? •What the tools which can be used to Decompile? •Can Decompilation be done on all platforms? 1. WINDOWS PHONE / WINDOWS MOBILE ? 2. ANDROID ? 3. iPHONE / iPAD ? 4. BLACKBERRY ? 5. NOKIA ?
Goal of Cracking the Mobile Application Code
Goals of Cracking the Source Code •“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” •To find Treasure Key Words like: password , keys , sql, algo, AES, DES, Base64, etc •Figure out the Algorithms Used and their keys. •By-passing the client side checks by rebuilding the app. •E.g. Password in Banking Application (Sensitive Information) •E.g. Angry Birds Malware (Stealing Data) •E.g. Zitmo Malware (Sending SMS) •We have understood the goals, how to achieve them? Methodology.
Methodology of Cracking
Methodology / Study • Gaining access to the executable (.apk / .xap / .jar / .cod / .jad .. ) Step 1 • Understanding the Technology used to code the application. Step 2 • Finding out ways to derive the Object Code from the Executable. Step 3 • Figuring out a way to derive the Class Files from the Object Code. Step 4 • Figuring out a way to derive the Function Definitions from the Object Step 5 Code
JUMP TO DEMO’s Lets us understand the methodology in all platforms..
Demo - Reverse Engineer the Windows Phone Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -.Net Decompiler (ILSpy) -Visual Studio / Notepad •Steps 1. . xap -> .dll 2. .dll -> .csproject • Demo • Mitigation 1. Free Obfuscator (diff. to read): http://confuser.codeplex.com/ 2. Dotfuscator (program flow) : Link
Demo - Reverse Engineer the Android Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -Dex2jar Tool (Command Line) -Java Decompiler / Jar decompiler (JD-GUI, etc) •Steps 1. .apk -> .dex 2. .dex -> .jar 3. .jar -> .java • Demo • Mitigation 1. Obfuscation Free Tool: http://proguard.sourceforge.net/
Demo - Reverse Engineer the Blackberry Application •Tools used: -JD – GUI (Java Decompiler) -Notepad •There are two types of Application files found in Blackberry: 1. .Jar (.jad -> .jar) 2. .Cod (.jad -> .cod (Blackberry Code Files) •Steps 1. .jar -> .java (JD-GUI) -> Notepad Or 1. .cod -> codec Tool -> Notepad • Demo • Mitigation 1. Obfuscation Free Tool: http://proguard.sourceforge.net/
Demo - Reverse Engineer the iOS Application •Tools used: -iExplorer -Windows Explorer -oTool -Class-dump-z •Steps 1. .app -> Garbage (Object Code) (DVM) 2. Object Code -> Class definitions • Demo • Limitations: Apple changes the IDE every release leading to challenges. • Mitigation 1. Obfuscation Free Tool: http://proguard.sourceforge.net/
Palisade Articles • iOS vs Android Testing • Mobile Data Encryption • Mobile Application Security Testing • Demystifying the Android Malware • And … • Website link: palizine.plynt.com
• Questions and Answers • Quiz • Feedback
Thank You Sreenarayan.a@paladion.net Twitter: Ace_Sree

Empfohlen

Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
 
Understanding ransomware
Understanding ransomwareUnderstanding ransomware
Understanding ransomwarePrathan Phongthiproek
 
Reduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesReduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesProtecode
 
Brucon presentation
Brucon presentationBrucon presentation
Brucon presentationwremes
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
The difference between Penetration Testing and Red Team
The difference between Penetration Testing and Red TeamThe difference between Penetration Testing and Red Team
The difference between Penetration Testing and Red TeamNimrod Levy
 

Empfohlen

Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
 
Understanding ransomware
Understanding ransomwareUnderstanding ransomware
Understanding ransomwarePrathan Phongthiproek
 
Reduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesReduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesProtecode
 
Brucon presentation
Brucon presentationBrucon presentation
Brucon presentationwremes
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
The difference between Penetration Testing and Red Team
The difference between Penetration Testing and Red TeamThe difference between Penetration Testing and Red Team
The difference between Penetration Testing and Red TeamNimrod Levy
 
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...EndgameInc
 
Android malware overview, status and dilemmas
Android malware overview, status and dilemmasAndroid malware overview, status and dilemmas
Android malware overview, status and dilemmasTech and Law Center
 
Ian Powers Resume
Ian Powers ResumeIan Powers Resume
Ian Powers ResumeIan Powers
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applicationsijtsrd
 
Penetration testing tools and phases
Penetration testing tools and phasesPenetration testing tools and phases
Penetration testing tools and phasesTestingXperts
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 
Bug bounty
Bug bountyBug bounty
Bug bountyRamin Farajpour Cami
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attacksecurityxploded
 
20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUNBrussels Legal Hackers
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-macCyphort
 
Slide jul apcert agm 2016
Slide jul apcert agm 2016Slide jul apcert agm 2016
Slide jul apcert agm 2016Setia Juli Irzal Ismail
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityVodqaBLR
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCasey Ellis
 
Cyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyphort
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Cracking the Mobile Application Code
Cracking the Mobile Application CodeCracking the Mobile Application Code
Cracking the Mobile Application Codec0c0n - International Cyber Security and Policing Conference
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalc0c0n - International Cyber Security and Policing Conference
 

Weitere ähnliche Inhalte

Was ist angesagt?

Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...EndgameInc
 
Android malware overview, status and dilemmas
Android malware overview, status and dilemmasAndroid malware overview, status and dilemmas
Android malware overview, status and dilemmasTech and Law Center
 
Ian Powers Resume
Ian Powers ResumeIan Powers Resume
Ian Powers ResumeIan Powers
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applicationsijtsrd
 
Penetration testing tools and phases
Penetration testing tools and phasesPenetration testing tools and phases
Penetration testing tools and phasesTestingXperts
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 
20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUNBrussels Legal Hackers
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-macCyphort
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityVodqaBLR
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCasey Ellis
 
Cyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyphort
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 

Was ist angesagt? (20)

Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
 
Android malware overview, status and dilemmas
Android malware overview, status and dilemmasAndroid malware overview, status and dilemmas
Android malware overview, status and dilemmas
 
Ian Powers Resume
Ian Powers ResumeIan Powers Resume
Ian Powers Resume
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applications
 
Penetration testing tools and phases
Penetration testing tools and phasesPenetration testing tools and phases
Penetration testing tools and phases
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
 
20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Mmw mac malware-mac
Mmw mac malware-macMmw mac malware-mac
Mmw mac malware-mac
 
Slide jul apcert agm 2016
Slide jul apcert agm 2016Slide jul apcert agm 2016
Slide jul apcert agm 2016
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibility
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
 
Cyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_rise
 
Android security
Android securityAndroid security
Android security
 

Ähnlich wie Cracking the mobile application code

I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on AndroidPietro F. Maggi
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012 hakersinfo
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhonessaurabhharit
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsBitbar
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Software quality and mobile apps
Software quality and mobile appsSoftware quality and mobile apps
Software quality and mobile appsPrawesh Shrestha
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013Petr Dvorak
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)TestDevLab
 
Android Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfAndroid Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfNomanKhan869872
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1Nikhil Kulkarni
 

Ähnlich wie Cracking the mobile application code (20)

Cracking the Mobile Application Code
Cracking the Mobile Application CodeCracking the Mobile Application Code
Cracking the Mobile Application Code
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on Android
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Software quality and mobile apps
Software quality and mobile appsSoftware quality and mobile apps
Software quality and mobile apps
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
 
Android Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfAndroid Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdf
 
Android ppt
Android ppt Android ppt
Android ppt
 
Android Applications
Android ApplicationsAndroid Applications
Android Applications
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1
 

Kürzlich hochgeladen

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 

Kürzlich hochgeladen (20)

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 

Cracking the mobile application code

  • 1. Cracking the Code of Mobile Application OWASP APPSEC USA 2012 - Sreenarayan A Paladion Mobile Security Team
  • 2. Take Away for the day • Why Mobile Security? • Purpose of Decompiling Mobile Applications?! • Methodology of Decompilation • Live Demo’s: – Windows Phone App – Android App – iOS (iPhone / iPad App) – Blackberry Apps / Nokia App [Jar Files] – Blackberry Apps [COD Files]
  • 3. Why is security relevant for Mobile Platform? • 400% Increase in the number for Organizations Developing Mobile Platform based applications. • 300% Increase in the no of Mobile Banking Applications. • 500% Increase in the number of people using the Mobile Phones for their day to day transactions. • 82% Chances of end users not using their Mobile Phones with proper caution. • 79% Chances of Mobile Phone users Jail Breaking their Phones. • 65% Chances of Mobile Phone users not installing Anti-virus on their Mobile Phones. • 71% Chances of any application to get misused. • 57% Chances of a user losing his sensitive credentials to a hacker.
  • 4. Market Statistics of Mobile Users
  • 6. Different Types of Mobile Applications • Mobile Browser based Mobile Applications • Native Mobile Applications • Hybrid Mobile Applications
  • 7. Different Types of Mobile Applications
  • 8. Different Types of Mobile Architecture Browser Hybrid App App
  • 9. Why did we learn the above types?? • Which applications can be Decompiled? – Browser based Mobile Applications ? – Native Mobile Applications ? – Hybrid Mobile Applications ? • We have to get to know of the basics!
  • 10. Cracking the Mobile Application Code
  • 11. Cracking the Mobile Application Code •What do you mean by Decompilation? -> What is Compilation? •What do you mean by Reverse Engineering? Questions to be answered ahead: •What are the goals/purpose of Cracking the code? •What is the methodology of Decompilation? •What the tools which can be used to Decompile? •Can Decompilation be done on all platforms? 1. WINDOWS PHONE / WINDOWS MOBILE ? 2. ANDROID ? 3. iPHONE / iPAD ? 4. BLACKBERRY ? 5. NOKIA ?
  • 12. Goal of Cracking the Mobile Application Code
  • 13. Goals of Cracking the Source Code •“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” •To find Treasure Key Words like: password , keys , sql, algo, AES, DES, Base64, etc •Figure out the Algorithms Used and their keys. •By-passing the client side checks by rebuilding the app. •E.g. Password in Banking Application (Sensitive Information) •E.g. Angry Birds Malware (Stealing Data) •E.g. Zitmo Malware (Sending SMS) •We have understood the goals, how to achieve them? Methodology.
  • 15. Methodology / Study • Gaining access to the executable (.apk / .xap / .jar / .cod / .jad .. ) Step 1 • Understanding the Technology used to code the application. Step 2 • Finding out ways to derive the Object Code from the Executable. Step 3 • Figuring out a way to derive the Class Files from the Object Code. Step 4 • Figuring out a way to derive the Function Definitions from the Object Step 5 Code
  • 16. JUMP TO DEMO’s Lets us understand the methodology in all platforms..
  • 17. Demo - Reverse Engineer the Windows Phone Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -.Net Decompiler (ILSpy) -Visual Studio / Notepad •Steps 1. . xap -> .dll 2. .dll -> .csproject • Demo • Mitigation 1. Free Obfuscator (diff. to read): http://confuser.codeplex.com/ 2. Dotfuscator (program flow) : Link
  • 18. Demo - Reverse Engineer the Android Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -Dex2jar Tool (Command Line) -Java Decompiler / Jar decompiler (JD-GUI, etc) •Steps 1. .apk -> .dex 2. .dex -> .jar 3. .jar -> .java • Demo • Mitigation 1. Obfuscation Free Tool: http://proguard.sourceforge.net/
  • 19. Demo - Reverse Engineer the Blackberry Application •Tools used: -JD – GUI (Java Decompiler) -Notepad •There are two types of Application files found in Blackberry: 1. .Jar (.jad -> .jar) 2. .Cod (.jad -> .cod (Blackberry Code Files) •Steps 1. .jar -> .java (JD-GUI) -> Notepad Or 1. .cod -> codec Tool -> Notepad • Demo • Mitigation 1. Obfuscation Free Tool: http://proguard.sourceforge.net/
  • 20. Demo - Reverse Engineer the iOS Application •Tools used: -iExplorer -Windows Explorer -oTool -Class-dump-z •Steps 1. .app -> Garbage (Object Code) (DVM) 2. Object Code -> Class definitions • Demo • Limitations: Apple changes the IDE every release leading to challenges. • Mitigation 1. Obfuscation Free Tool: http://proguard.sourceforge.net/
  • 21. Palisade Articles • iOS vs Android Testing • Mobile Data Encryption • Mobile Application Security Testing • Demystifying the Android Malware • And … • Website link: palizine.plynt.com
  • 22. • Questions and Answers • Quiz • Feedback