Android Obfuscation and Deobfuscation. Group 11

Transcription

1 Android Obfuscation and Deobfuscation Group 11

2 Password Diary App

3 Overview App - Raj Obfuscation Cam and Jack Deobfuscation Adi and Shon

4 Overview - Concept A password manager that lets you decide whether to encrypt your password or not Add login Encrypt/Decrypt your password Edit your login Delete your login

5 Add Login

6 Encrypt/Decrypt

7 Update and Delete

8 Obfuscation

9 Overview - - Obfuscated using various techniques String Splitting Variable/Class Renaming Control Flow Flattening Method Inlining Resulting source code is magnitudes larger, 100 line class can end up over 10,000 lines of obfuscated code Can be fed into itself multiple times to obfuscate further

10 Variable Renaming - Building mapping of identifiers to randomly generated strings Renaming of variables, methods and classes Different every time Automatic - Issues: Classes and methods defined in android interfaces and classes are not renamed

11 Control Flow Flattening - Splits all statements into individual cases in a switch/case block Can be run over itself multiple times Switches on strings, which means the case variables are generated dynamically with string splitting The case variables are then split into their own switch/case blocks when run over itself Order of statements randomised

12 Example of while loop

13 String Splitting - Strings split into individual characters Rebuilt into string character by character Used in conjunction with control flow flattening If a string is used more than once, it it split up for every occurrence Split all usages of string, except when declared as a property of a class

14 String Splitting

15 Method inling - Automatically replace method calls with method contents Each inlined method is different (variable renaming, control flow flattening) -> Each must be deobfuscated - Issues when method is not defined in same class, or inherited etc

16 Method inling

17 Performance Overhead

18 Storage Overhead No significant storage or performance overhead issues.

19 Deobfuscation

20 Group Obfuscation Techniques Deobfuscation 1 Renaming Control flow flattening String Encryption with AES/CBC Cipher and Base64 Encoding Proguard Unflatten switch cases --> if statements and while loops Base64 decoding + bitwise XOR operations to get key --> Decrypt strings 2 Renaming Prone to SQL injections 3 Renaming Control flow flattening with Dead Code Merging/Splitting classes Opaque predicates Proguard Dead code removal and unflatten switch cases --> simple if statements Opaque predicates are trivial 4 Renaming Opaque predicates Identified method names Removing duplicate if statements 5 Renaming Variable splitting Loop transformations + Dead Code Identified Activity class by familiar methods e.g. oncreate(), onresume() Retransform long do-while loops --> for loops 6 Renaming Encryption with Base64 Encoding Proguard Identified Activity class through oncreate() method and Activity/Intent packages.

21 Example of Control flow flattening deobfuscation

22 Group Obfuscation Techniques Deobfuscation 7 Dead Code Control flow flattening Removal of dead code for easier deobfuscation of switch case blocks. 8 Control flow flattening Dead Code Opaque predicates Simplification of switch statements Removal of dead code. 9 Renaming AES Encryption with Base64 Encoding Control flow flattening Proguard Base64 decoding followed by AES decryption. Replication of string manipulation function to unflatten control flow. 10 Control flow flattening Deobfuscation of switch case blocks through the simplification of a method determining which switch case block to execute. 12 Renaming Proguard 13 Renaming AES Encryption with Base64 Encoding Dead Code + Opaque predicates Proguard Removal of dead code to simplify opaque predicates. Base64 decoding followed by AES decryption.

23 Example of AES Decryption and Base64 Decoding

24 Questions?