VictoriaMetrics Q1 Meet Up '24 - Community & News Update
Mikhail Dudarev
1. Android applications in the cruel world
Defence Against the Dark Forces: how to save an Android application from threats?
Mikhail Dudarev, Ivan Kinash
Licel, 2014, DroidCon Moscow 2014
2. About
• Mikhail Dudarev, old-school Java security guy, founder of jCardSim, a Java Card simulator, has won the 2013 Duke's Choice Award, co-founder of Licel.
• Ivan Kinash, co-founder & CEO at Licel
• Licel creates application protection solutions for Java and Android platforms.
3. Report
Mobile Techworld Report: Looking at a total of 230 apps – the top 100 paid apps and top 15 free apps for Android and iOS – Arxan found that 100 percent of the top paid apps on Android and 56 percent on iOS were being impersonated in a compromised form on grey markets.
http://goo.gl/mW1WxZ
4. Android Application Security Model
• There is no standard EULA; every publisher is solely responsible for one (Google Play)
• Installed APK is stored on a device
• It is signed with a publisher's signature
• There is a privilege system (users do not take it seriously, or they simply have no choice)
• APKs stored on devices are accessible even without root privileges
5. Android Application Security Model
• Signature is designed to confirm integrity of an application
• Truth is that it gives you absolutely nothing
• A couple of minutes is needed to re-sign an application
• Then put it on grey markets, p2p, warez sites… or even on the same market where the original one is (was)
7. Dalvik bytecode
• Is it protected?
• Is it hard to reverse engineer?
No and no, once again…
8. Example
• Imagine you have an application with ads
• What does a malicious person have to do to own your app?
• Apktool disassemble -> change ad id -> Apktool assemble -> add its own signature -> zipalign -> distribute (p2p, grey markets, official markets, warez sites) = 10 mins
• If you are using just the name obfuscation technique, it will require one extra minute to hack…
12. Application cloning
• Illegal publishing on alternative app stores
– App sales revenue loss
• Rerouting of Ad/IAP revenue streams
– Lost revenue from ads and purchases
• Malicious code injection
– Loss of reputation and harm to the app's users
13. Stealing sensitive information from an application
• User's Data
– Logins/Passwords/Keys/Credit card info…
– Social Network data
– Location
• Application Data
– Unique multimedia resources
– Information from embedded databases
– Business Logic
• Corporate Data
– DBs/Confidential files/…
Cracking tools (free): ApkTool, Androguard, Dex2jar
14. Licensing system cracking. Google Play LVL
• The main app licensing service in Google Play
• Based on asymmetric cryptography
– Secret keys are stored on the licensing server, public keys are in an application's code
Automatic cracking tool: AntiLVL
15. Reverse-engineering
• Analysis of weak/critical places in apps in order to detect vulnerabilities
• Application's internal logic analysis
– OTP-generator for a banking solution http://goo.gl/0Dauve
Cracking tools: ApkTool, Androguard, Dex2jar
16. Reverse engineering my bank's security token
• Original mobile banking application that generates OTP (One Time Password) codes
• After decompiling with Dex2Jar
– Detected OTP generation algorithm – TOTP
TOTP = HOTP(SecretKey, TimeCounter)
– Secret key extracted from code
– Arduino clone created :)
18. Standard protection and licensing techniques
• Name obfuscation (in particular ProGuard)
• Licensing services provided by app store
– Google Play Licensing
– Amazon DRM
• Custom native libraries for license checking, string/class encryption
• Server-side computation
• Mathematical Jigsaw Puzzle Obfuscation (keep the ProGuard optimizer away from these parts of code)
19. Useful, but do not work…
Active and Strong Integrity Protection Techniques and a set of other great approaches
They do not work without…
20. Cracking methods
• Automatic – AntiLVL
• Tools for analysis and modification
– ApkTool
– Androlib
– Dex2Jar
– JD-GUI/JEB/…
• Text editor and grep :)
21. Advanced protection techniques
• String Encryption (e.g. whiteboxcrypto)
• Hiding of API calls
• Class Encryption
• Resource Encryption
• Strong and active integrity protection
22. Protection goal
• Have bytecode (even if it is dumped) as hard to reverse engineer as possible (strings are encrypted, valuable algorithms are hidden, API calls are hidden)
• Have a strong integrity protection mechanism in order to block repackaging ability
• Have unique resources encrypted
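Slides 21 and 22 list String Encryption as the first advanced technique and "strings are encrypted" as the first protection goal. The added Python below, which is neither DexProtector's nor any other product's code, shows the mechanics in miniature: a build-time step replaces each literal with an encrypted blob in a table, and a small runtime wrapper decrypts on demand, so the "text editor and grep" method from slide 20 no longer finds API keys or server URLs in the package. The key, cipher construction (an HMAC-SHA256 keystream XOR, chosen only because it needs no third-party library) and the sample literal are constructed for the example; a real protector would use a proper cipher and hide the key-derivation code as well. The last function makes the page's caveat explicit: whoever has the key that ships with the app recovers every string, so this raises the cost of analysis rather than making the strings secret.

```python
import hashlib
import hmac
import os

# Constructed build-time key. In a real protector this key (or the code that
# derives it) still ships inside the APK; that is the caveat shown below.
BUILD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_literal(plaintext: str, key: bytes = BUILD_KEY, nonce: bytes = None) -> bytes:
    """Build-time transform of one string literal: nonce || (utf8 XOR keystream).
    A fresh nonce per literal keeps identical strings from producing identical blobs."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    data = plaintext.encode("utf-8")
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt_literal(blob: bytes, key: bytes = BUILD_KEY) -> str:
    """Runtime wrapper that replaces the original literal at its use site."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode("utf-8")


def build_string_table(literals: list) -> list:
    """Build-time step: every literal becomes an entry in an encrypted table;
    the code refers to entries by index and calls decrypt_literal at runtime."""
    return [encrypt_literal(s) for s in literals]


def literal_visible(packaged_bytes: bytes, literal: str) -> bool:
    """The grep test from slide 20: does the literal appear in the package bytes?"""
    return literal.encode("utf-8") in packaged_bytes


def recover_table(table: list, shipped_key: bytes) -> list:
    """The caveat: the key is inside the app, so anyone who locates it and the
    table recovers all strings. Encryption here buys analysis time, not secrecy."""
    return [decrypt_literal(blob, shipped_key) for blob in table]


if __name__ == "__main__":
    literals = ["https://api.example.invalid/v1", "sk_live_CONSTRUCTED_KEY"]  # constructed
    table = build_string_table(literals)
    packaged = b"".join(table)
    for s in literals:
        print(repr(s), "visible to grep:", literal_visible(packaged, s))
    print("runtime decrypt:", decrypt_literal(table[1]))
```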
23. Protection scheme
APK
– Bytecode: String Encryption, Class Encryption, Hide API calls
– Resources: Resource encryption
– Signature: Active Integrity Protection (Repackaging protection)
If an app has network abilities, you can also change the communication protocol from version to version…
24. A few important tips
If you are developing a mobile banking/financial/corporate/secure app:
• Device fingerprint
• Device-related One-time passwords via a second communication channel (SMS)
• Use secured communication protocols and strong cryptography if it is possible
• Sensitive information stored on a device should be encrypted (SQLCipher); keys must be hidden via String Encryption
• Keep in mind that the balance between usability/performance and security is important
• Think about protection and do protect in advance, BEFORE RELEASE
25. A few important tips #2
After applying strong protection techniques you might then think about:
• App cert check (just in case)
• Debug mode check
• Rooted device check
• Emulator check
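The "App cert check" on this slide is the runtime answer to slide 5 ("the signature gives you absolutely nothing") and the ten-minute flow on slide 8: the platform only verifies that an APK is consistently signed by some key, never that it is the publisher's key, so a repackaged clone with the attacker's signature installs fine. The Python below is an added model, not Android's installer and not code from this talk; it builds a toy signed package in memory with the same three parts a JAR-signed APK has (per-entry digests in MANIFEST.MF, a signature over them, the signer's certificate), runs an installer-style check that accepts any self-consistent signature, and then runs the check the app itself should perform: compare the signer certificate's fingerprint with a value pinned at build time. Certificates are opaque byte strings and "signing" is an HMAC with the holder's secret, a stand-in for RSA/ECDSA chosen to stay in the standard library; all names, keys and file contents are constructed.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed stand-ins for two signing identities. A real APK carries an
# X.509 certificate and an RSA/ECDSA signature; here a certificate is an
# opaque byte string and "signing" is an HMAC with the holder's secret.
PUBLISHER_CERT = b"-----CONSTRUCTED CERT: publisher-----"
PUBLISHER_SECRET = b"publisher-private-key-stand-in"
ATTACKER_CERT = b"-----CONSTRUCTED CERT: repackager-----"
ATTACKER_SECRET = b"repackager-private-key-stand-in"
# Models "the public key is inside the certificate": the verifier needs only
# the cert shipped in the package to check the signature.
KEY_OF_CERT = {PUBLISHER_CERT: PUBLISHER_SECRET, ATTACKER_CERT: ATTACKER_SECRET}

# What a self-protecting app compiles in: the fingerprint of the certificate
# it expects to have been signed with (slide 25, "App cert check").
PINNED_FINGERPRINT = hashlib.sha256(PUBLISHER_CERT).hexdigest()

# Constructed package contents; the ad id is the field slide 8 says a cloner changes.
ORIGINAL_FILES = {
    "classes.dex": b"...AD_UNIT_ID=pub-0000000000000000...",
    "res/values/strings.xml": b'<string name="app_name">Demo</string>',
}


def build_manifest(files: dict) -> bytes:
    """Per-entry digests, like META-INF/MANIFEST.MF in a signed JAR/APK."""
    lines = [f"{name}: {hashlib.sha256(data).hexdigest()}" for name, data in sorted(files.items())]
    return "\n".join(lines).encode()


def sign_package(files: dict, cert: bytes, secret: bytes) -> bytes:
    """Entries + manifest + signature over the manifest + signer cert, as a ZIP."""
    manifest = build_manifest(files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", hmac.new(secret, manifest, hashlib.sha256).digest())
        z.writestr("META-INF/CERT.RSA", cert)
    return buf.getvalue()


def _unpack(pkg: bytes):
    with zipfile.ZipFile(io.BytesIO(pkg)) as z:
        files = {n: z.read(n) for n in z.namelist() if not n.startswith("META-INF/")}
        meta = {n: z.read(n) for n in z.namelist() if n.startswith("META-INF/")}
    return files, meta


def platform_verify(pkg: bytes) -> bool:
    """Installer-style check: digests match the entries and the signature
    verifies against the cert found INSIDE the package. Nothing here asks
    whether that cert belongs to the original publisher."""
    files, meta = _unpack(pkg)
    if meta["META-INF/MANIFEST.MF"] != build_manifest(files):
        return False
    secret = KEY_OF_CERT.get(meta["META-INF/CERT.RSA"])
    if secret is None:
        return False
    expected = hmac.new(secret, meta["META-INF/MANIFEST.MF"], hashlib.sha256).digest()
    return hmac.compare_digest(meta["META-INF/CERT.SF"], expected)


def app_self_check(pkg: bytes) -> bool:
    """The app's own check at runtime: was I signed by the cert I was built
    with? On Android the cert comes from PackageManager; here from the ZIP."""
    _, meta = _unpack(pkg)
    fingerprint = hashlib.sha256(meta["META-INF/CERT.RSA"]).hexdigest()
    return hmac.compare_digest(fingerprint, PINNED_FINGERPRINT)


def simulate_repackaging(pkg: bytes, name: str, new_data: bytes) -> bytes:
    """Test fixture for slide 8's flow: change one entry and re-sign with the
    repackager's own key, so the package is again self-consistent."""
    files, _ = _unpack(pkg)
    files[name] = new_data
    return sign_package(files, ATTACKER_CERT, ATTACKER_SECRET)


def demo() -> dict:
    original = sign_package(ORIGINAL_FILES, PUBLISHER_CERT, PUBLISHER_SECRET)
    clone = simulate_repackaging(original, "classes.dex", b"...AD_UNIT_ID=pub-9999999999999999...")
    return {
        "original_platform": platform_verify(original),
        "original_self": app_self_check(original),
        "clone_platform": platform_verify(clone),   # installs fine: consistently signed
        "clone_self": app_self_check(clone),        # caught: wrong signer
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The slide's ordering matters: a cloner who can rebuild the APK can also patch this check out, which is why it is listed as something to add after strong integrity protection rather than instead of it. Pin the certificate's hash, not just its subject name, and keep the expected value out of plain string constants (slide 24's String Encryption point applies to it too).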
26. DexProtector
• Having huge expertise, we have implemented String Encryption, Class Encryption, Resource Encryption, Hide Access and Integrity Control mechanisms at a technology-leading level
• That is why I would love to recommend DexProtector for protecting your apps from threats
• If you are applying additional security practices, DexProtector will help you to protect them from being reverse engineered
• It can be used together with ProGuard
27. Conclusion
• Nobody will give you a 100% guarantee that your app will not be hacked
• Relevance of piracy is increasing day by day as the Android market grows
• Standard protection techniques no longer stand against current methods of analysis and cracking
• You must have a set of protection techniques applied
• Integrity Protection is very important
28. Conclusion #2
• If you applied security measures intelligently, you are safe from more than 90% of potential hackers. It is hoped that the remaining 10 percent will not be interested in breaking your app
• Google is in a difficult situation with Android security now. Definitely there should be some changes, especially in securing the boot-loader, in creating a secure app execution environment and storage also. They tried in Jelly Bean, but with no luck. On the other hand, I see the Nexus series has the ability to be legally rooted and do not know what to think