Weitere ähnliche Inhalte Ähnlich wie Help Doctor, my application is an onion! (20) Kürzlich hochgeladen (20) Help Doctor, my application is an onion!1. My application is an
onion. Help me Doctor!
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
2. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Sebas Guerrero (@0xroot)
● Sr. Mobile Security Analyst @ NowSecure
● sguerrero@nowsecure.com
Who I am
3. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
What society think we do
4. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● This talk pretends to be a lightning talk, for more detailed
information, please refer to:
● The Nightmare behind the cross platform mobile apps dream
(https://www.blackhat.com/docs/asia-15/materials/asia-15-Grassi-The-
Nightmare-Behind-The-Cross-Platform-Mobile-Apps-Dream.pdf) - Marco Grassi /
Sebas Guerrero
● Android Hacker Protection Level 0 (https://www.defcon.org/images/defcon-
22/dc-22-presentations/Strazzere-Sawyer/DEFCON-22-Strazzere-and-Sawyer-
Android-Hacker-Protection-Level-UPDATED.pdf) Tim Strazzere, Justin Case
NOTE
5. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Motivations
● Frameworks
A. Titanium Framework (Demo)
Kony Framework (Demo)
● Obfuscators
B. ProGuard
C. DexGuard (Demo)
● Conclusions
Agenda
6. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Most of the applications assessments realized during the last
year were packed/obfuscated or using some framework.
● Manual analysis is ok once, twice… but I’m not ‘Chinese’.
● It’s a good challenge to understand its insights and how do
they work.
● “Keep your application away from hackers”.
Motivations
7. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Frameworks
When wrappin’ is all what your developers care about.
8. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Background
● Mobile market is fragmented. Developers want their app on multiple platform, at least iOS and Android.
● This caused a growth in the number of tools and frameworks available for cross platform development
with different technologies.
● Native code development is from 90’s. HTML5 and JavaScript are the future. They are so trending
topic.
● Money is a scarce resource, even more when you have to hire a dev team for each platform.
● Large companies are getting interested on multi-deployment framework models. They like to be cool.
9. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Background
10. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Catch’ em all
11. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Titanium Framework
Not that stronger.
12. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Open source framework that can be downloaded from its
official website.
● As many other frameworks, brings you the ability to
develop your native mobile application in JavaScript.
● It is a wrapper, that runs the JavaScript code on an
interpreter and uses native UI and other functionalities.
● Comes with its own IDE, which is Eclipse based.
13. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Extracting the code
● As mentioned before, the real source code is written in JavaScript.
● The asset data is loaded at runtime through the ‘AssetCryptImpl’ class.
● The assets range are defined in a HashMap in the ‘initAssets’ method. This range
specifies the start and end of a specific file in assets bytes.
● The chunk of data that contains the real assets is a CharBuffer defined in the
‘initAssetsBytes’ method.
14. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
initAssets
15. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
initAssetsBytes
16. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Defeating the encryption
● The crypto is implemented in the shared library ‘libtiverify.so’, in the JNI function
‘Java_org_appcelerator_titanium_TiVerify_filterDataInRange’.
● Simple AES in ECB mode, using the last 16 bytes of the assetBytes as key for the
decryption process.
● There are multiple approaches to recover the original data. Lets keep it simple.
● The pseudo-code for the filterDataInRange method looks like:
17. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Defeating the encryption
18. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
19. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Kony Framework
That ‘startup.js’ file is not the startup you are looking for.
20. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Standard approaches used during application assessment
are no longer useful.
● The framework is a wrapper, but its behavior slightly
changes from versions prior to 6.0, and afterwards to 6.0
Kony Framework
21. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
LUA Bytecode (Prior to 6.0)
Kony app konyappluabytecode.o.mp3
22. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
JVSM (Afterwards to 6.0)
Kony app libkonyJSVM.so
startup.js
common-jslibs.kfm
23. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● There are multiple approaches available. From massive
device memory dumping to dynamic instrumentation
(Frida).
● In case you are lazy, just use ‘unluac.jar’ and extracts the
LUA code.
● For more detailed information, please refer to our talk at
Black Hat Asia 2015.
Hunting the LUA code
24. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● If you are lucky enough, earlier versions of the JSVM,
only require you to unzip the ‘startup.js’ file to extract the
original source code.
● Latest versions prefer to put things harder… Long story
short, the shared library is a trap and the crypter is the
jackpot.
● That is the case we will discuss in this section.
Hunting the JavaScript code
25. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Kony Kung-fu KO
It is not over 9000.
26. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Kony application
● A couple interesting and encrypted files (‘common-jslibs.kfm’ & ‘startup.js’) can be seen
in the ‘assets/js’ folder.
● File format is not recognizable, and binary analysis does not reveal any clue.
● Reverse engineering process to the ‘classes.dex’ file does not reveal anything related
with crypto operations.
● However, there is a class that caught our attention ‘KonyJavaScriptVM’. The infamous
method ‘System.loadLibrary’ is being used, and it loads the shared library ‘konyjsvm.so’
27. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
KonyJavaScriptVM method
● It might look sort of black magic to redirect our efforts to this library, but first look at that
previous class got me a hunch.
1. Contains references to ‘common-jslibs.kfm’ and ‘startup.js’ files.
2. Following cross references between calls to a range of obfuscated methods, we
discover buffer allocation, compilation and zipEntry operations that ends in a call
to ‘loadFilesToVM’ function. Such method belongs to ‘konyjsvm’ shared library.
3. Roses are red, Violets are blue, potato.
28. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
konyjsvm shared library
● A quick look to the procedure ‘KonyJSVM_loadFilesToVM’, reveals multiple calls to EVP cipher routines,
a method named ‘charxor’, and a call to ‘callUnzippingForDex’ method, among others.
1. This method decrypts the encrypted files and loads their content dynamically.
● Best practices during development stage? What is that? First look at its implementation:
2. XOR encryption key embedded in the source code: ‘AnDr/iD2K@nyeN4Calert’.
3. IV embedded in the source code and initialized to 0’s.
4. Yes, the encryption key is also embedded in the source code. What the heck did you expect?
29. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
What is XOR’ed?
● The string XOR’ed is the key used in the ‘EVP_AES_256_CBC’ cipher, which is generated as follows:
1. Call to ‘getTime’ method, which executes the ‘getTimeStamp’ function. However this value can be
obtained from the file ‘application.properties’ located under the ‘/assets’ folder.
2. Call to ‘getN’ method, according to its implementation returns the the class name for the package located
under ‘/com/kony/labs/android/KonyMain’, which is ‘KonyMain’.
3. A XOR operation is performed between these two values.
4. Call to ‘getPackageName’ method.
5. Another XOR operation is performed between the result from the previous XOR operation and the
package name.
30. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Reverting the process
● Again, there are multiple solutions available out there. Static and dynamic approaches do exist.
However, I’ve got another hunch.
1.The application does not include any methods to the encryption and/or decryption process.
2.The crypto operations observed in the library, are merely for decryption purposes.
3.The application has been shipped to the store and it already included the encrypted files.
4.Those files are being encrypted at compilation time, and luckily, there is a trial available for
Kony IDE Framework which can be downloaded.
31. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
kony_loadfile.exe
encrypt - 1
decrypt - 0
32. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
kony_loadfile.exe
● The binary expects the following parameters:
startup.js common-jslibs.kfm APPID package_name timestamp
33. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
34. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Obfuscators/Optimizers
Protectors
When wrappin’ is all what your developers care about.
35. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● As developer, either you are lazy to implement good
practices, or directly you are not aware of them. However,
they do the job for you, partially.
● Includes security mechanisms such as encryption,
obfuscation and potential use of reflection techniques.
● They try to sell your application would be protected
against hackers.
Why using obfuscators?
36. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Catch’ em all
37. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
ProGuard
Mmm… potato
38. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Way older than Android, specially designed for Java at
the beginning.
● Recommended by Google for Android developers and
quite frequent out there in applications shipped to the Play
Store.
● It is free and bundled in Android SDK.
Quick introduction
39. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Optimization?
● At the byte code instruction level:
A. Removes unnecessary/unused code.
B. Renames objects (compact classes/methods/vars names).
C. Restructures code.
D. Performs peephole optimizations.
E. Merges identical code blocks.
F. Removes debug information.
40. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Obfuscation?
● Traditional and basic name obfuscation:
A. Rename identifiers: class/field/method names
B. Remove debug information: line numbers, local variable names, …
41. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Class renaming
42. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
.source field annotation
43. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Final result
Original Java Source
ProGuard Output
44. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Why developers use it?
● It decreases the dex file size and increases the application speed and its performance.
Also reduces memory usage.
● Removes debug information, .source annotation field, lines number, etc. Which might
slightly increase its reversing complexity.
● However it can be seen as an application being developed by an apprentice.
● Doesn’t deploy real obfuscation, and it is trivial to reconstruct original code, it only
requires patience and some extra hours.
45. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Automatic class rename utility based on .source
annotation.
(https://github.com/HamiltonianCycle/ClassNameDeobfusc
ator)
● JEB/JEB2 and its renaming feature.
● Dynamic instrumentation with Frida, Cydia Substrate or
Xposed Framework.
Swiss Toolset
46. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
DexGuard
Ohh… Boo! Did it scare you?
47. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Paid version of ProGuard. Offers same functionalities as
its predecesor (optimizer, shrinker).
● Includes “low level” techniques that are supposed to
increase notoriously the reverse engineering process.
● It also encrypts and obfuscates application’s assets and
libraries.
● A license might cost around $600 - $1300
Quick introduction
48. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
What does it do?
● All the features already included in ProGuard
● String encryption
● Tampering detection
● Assets and libraries encryption
● Class encryption (We will cover this point later)
● Automatic reflection
49. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Why developers use it?
● In opposition to Proguard, it might increase the dex file size as well as the application speed
and its performance. Including memory usage.
● Includes all the features included in Proguard.
● Performs automatic encryption to the application’s strings, assets, libraries and classes.
● Use of automatic reflection in combination with the protections described above.
● Might give you some headaches when reverse engineering it
● It is really easy to use, and offers a decent grade of protection for its prize.
50. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Reflection
Automatic reflection
String Encryption
51. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
String Encryption
Encrypted strings
array
Obfuscated code
52. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Loader
Keys and IV
for 1st DEX
1st Dex
2nd Dex
(Main Code)
1st Embedded dex
Keys and IV
for 2nd DEX
2nd Embedded dex
Main Code
1st Stage
2nd Stage
Class encryption
53. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Defeating DexGuard
(Statically)
● Use scripts for JEB like DeCluster (JCase) and DexGuardStringDecoder (AKosterin) to
rename classes, methods and variables and spot the InnerClass function that contains
the string decryption method.
● Spot the respective IVs and encryption keys, grab the dex binaries content embedded
in the loader and first encrypted dec, and revert the process.
● Sounds easy, but in fact, it’s a pain in the ass…
54. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Defeating DexGuard
(Statically)
55. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Defeating DexGuard
(Statically)
First/Second dex embedded
(encrypted)
Encryption Key
IV
DES/AES
CBF/NP
Encrypt/Decrypts classes.dex
Repeat this process
twice
56. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Not gonna happen
57. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
How to defeat DexGuard
(Dynamically)
Most packers and obfuscators dynamically load dex/apk/jar/zip
files. This means that at some point those files must be written
on disk.
UNPROTECTED, DECRYPTED.
58. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
BaseDexClassLoader
59. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
DexFile
60. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Conclusions
But… I’ve got mad skillzZz and already paid for these protections!
61. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Well…
● Nothing is unbreakable, even if your product
costs a thousand dollars, however you can raise the
bar, always.
● Do not fall on the idea of adding extra layers of
security to your application, just because it will be
more secure. Leave the onions for cooking.
62. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Thanks
Special mentions to @revskills a.k.a. ‘My weapon’, @trufae, @pof, @oleavr, @fuzion24,
@strazzere, @jduck, @jcase,@nowsecuremobile, @insitusec, etc…
63. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
Q&A?