droidcon Greece Thessaloniki September 2015

droidcon Greece Thessaloniki 10-12 September 2015

Reverse Engineering in Android Countermeasures and Tools

$ whoami > Dario Incalza (@h4oxer) > Application Security Engineering Analyst > Android Developer

CONTENTS > Motivation > Android App Anatomy and Building Process > Reverse Engineering > Tools with Use Case > Countermeasures

MOTIVATION > Good Guys: > Understand Malware > Security Research > Bad Guys: > Piracy > Steal Intellectual Property > Introduce backdoors

IS IT LEGAL? > Law is a gray area! > Depends on country > Depends on purpose (e.g. achieving interoperability) > End User License Agreement (EULA): takes away all doubt, it almost always forbids it > For educational purposes ;-)

CONTENTS > Motivation > Android App Anatomy and Building Process > Reverse Engineering > Tools with Use Case > Countermeasures

Android Application Anatomy > Android Package (.apk): a .zip file containing > classes.dex: Dalvik bytecode > resources.arsc: compiled resources > uncompiled resources > native libraries: third-party .so libraries > AndroidManifest.xml: binary version of AndroidManifest.xml

Android Build Process

Application Execution > classes.dex is executed by the runtime > Dalvik -> ART (introduced in Android 4.4, the default runtime since 5.0) > Both optimize the code for execution > Dalvik: Just-in-Time (JIT) compilation at runtime > ART: Ahead-of-Time (AOT) compilation at install time

Application Execution (diagram: JIT vs AOT compilation)

CONTENTS > Motivation > Android App Anatomy and Building Process > Reverse Engineering > Tools with Use Case > Countermeasures

Reverse Engineering (diagram: the APK goes through RE tools into one of four output formats: Java code, Dalvik bytecode, Smali/Jasmin, native code)

Reverse Engineering To which format do I RE the .apk? > Depends on what you want to achieve > Understanding internal mechanisms => Java code > Instrumenting apps => Dalvik bytecode / Smali / Jasmin > Native libraries => RE the .so library to native code > Usually a combination of all

Reverse Engineering > Information in RE'd Java code < information in the original Java code > Reason: information is lost when building classes.dex from .class files > Consequence: decompiled Java code usually cannot be recompiled as-is; to modify and rebuild the app, work in the Dalvik bytecode (Smali) format instead

Reverse Engineering What does a regular RE process look like?

Reverse Engineering First Step: Objectives > Who wrote the app? > What permissions does it use and why does it need them? > Is it using crypto, if so, what is it encrypting? > Is it using reflection, if so, why is it using reflection? > Is it using dynamic bytecode loading, if so, why is it using it? > Is it using obfuscation? > Is it malware?

Reverse Engineering Second Step: Info gathering > Don't jump straight into the code! > app name, icon, activities, receivers, services, permissions, intents (AndroidManifest.xml) > strings.xml > native .so libraries > signature of the app (who signed it?)

Reverse Engineering Third Step: Hacking Time Now experience comes into play > decompile classes.dex or the .so libraries > Find entry-points > Search for dynamic bytecode loading, permission usage, reflection, crypto code

CONTENTS > Motivation > Android App Anatomy and Building Process > Reverse Engineering > Tools with Use Case > Countermeasures

Use Case AnserverBot Trojan (August 2011 - analysed by Yajin Zhou, Xuxian Jiang)

Use Case - AnserverBot Trojan > Dynamic Bytecode Loading > Reflection > Aggressive Obfuscation > C&C Server

Use Case - AnserverBot Trojan (diagram: a background service in the host app dynamically loads the payloads)

Use Case - AnserverBot Trojan $ unzip anserverbot_sample.apk $ cd assets > Payload A > Payload B

Use Case - APKTool $ apktool d anserverbot_sample.apk

Use Case - AnserverBot Trojan - AndroidManifest (screenshots: suspicious entries in the decoded AndroidManifest.xml highlighted)

Use Case - AnserverBot Trojan - Payloads Anservera.db and Anserverb.db are not database files: check the magic bytes, not the extension. Zip archives? => Android apps (APKs)

Use Case - AnserverBot Trojan - Payloads $ apktool d anservera.db

Use Case - AnserverBot Trojan Dynamic Bytecode Loading Payloads == Android code => Dynamic Bytecode loading! Use ARES (Android Reverse Engineering Suite) or Androguard!
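
The inventory step (manifest, classes.dex, resources.arsc, native .so libraries), the search for dynamic-loading / reflection / crypto indicators, and the payload check used on AnserverBot above (assets named like databases that are really zip archives containing classes.dex) can all be scripted with the standard library alone. The following is an added example written for this page; it is not code from the talk, from ARES or from Androguard. It builds a constructed stand-in APK in memory so it runs offline, identifies files by magic bytes rather than extension, and does a crude raw-byte search of the DEX string table for well-known class descriptors (which only works while the strings themselves are not encrypted). Pass a real .apk path on the command line to run it against a sample.

```python
"""APK triage: inventory, RE-indicator scan, nested-payload detection.
Added example (not the talk's code); standard library only."""
import io
import sys
import zipfile

DEX_MAGIC = b"dex\n"      # followed by a 3-digit version and NUL, e.g. b"035\0"
ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"

# Class descriptors that sit in plaintext in the DEX string table unless the
# app encrypts its strings.  Each group answers one of the triage questions.
INDICATORS = {
    "dynamic_loading": [b"Ldalvik/system/DexClassLoader;", b"Ldalvik/system/PathClassLoader;"],
    "reflection": [b"Ljava/lang/reflect/Method;", b"Ljava/lang/reflect/Field;"],
    "crypto": [b"Ljavax/crypto/Cipher;", b"Ljavax/crypto/spec/SecretKeySpec;"],
}


def classify_blob(data):
    """Identify a file by its magic bytes, never by its file extension."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def scan_dex(dex):
    """Return the indicator groups whose descriptors occur anywhere in the DEX bytes."""
    return sorted(k for k, pats in INDICATORS.items() if any(p in dex for p in pats))


def is_embedded_apk(data):
    """True if the blob is a zip that carries Android code (AnserverBot's .db trick)."""
    if classify_blob(data) != "zip":
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
    return bool(names & {"classes.dex", "AndroidManifest.xml"})


def triage(apk_bytes):
    """Inventory the APK and flag what deserves a closer look."""
    report = {"components": {}, "native_libs": [], "indicators": [], "suspicious_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        for n in ("AndroidManifest.xml", "classes.dex", "resources.arsc"):
            report["components"][n] = n in names
        for n in names:
            data = z.read(n)
            if n.startswith("lib/") and n.endswith(".so"):
                report["native_libs"].append((n, classify_blob(data) == "elf"))
            elif n.startswith("assets/") and is_embedded_apk(data):
                report["suspicious_assets"].append(n)
        if "classes.dex" in names:
            report["indicators"] = scan_dex(z.read("classes.dex"))
    return report


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_apk():
    """Constructed stand-in for anserverbot_sample.apk (not the real sample):
    a fake DEX with a few descriptor strings, fake manifest/resources, a fake
    ELF library, and an asset named like a database that is a nested APK."""
    payload = _zip_bytes({"classes.dex": DEX_MAGIC + b"035\0payload",
                          "AndroidManifest.xml": b"\x03\x00\x08\x00"})
    host_dex = (DEX_MAGIC + b"035\0" + b"Ldalvik/system/DexClassLoader;\0"
                b"Ljava/lang/reflect/Method;\0Lcom/sec/android/providers/drm/style;\0")
    return _zip_bytes({
        "AndroidManifest.xml": b"\x03\x00\x08\x00",
        "classes.dex": host_dex,
        "resources.arsc": b"\x02\x00\x0c\x00",
        "lib/armeabi/libnative.so": ELF_MAGIC + b"\x01\x01\x01",
        "assets/anservera.db": payload,       # looks like a DB, is an APK
        "assets/readme.txt": b"not a payload",
    })


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Anything listed under suspicious_assets is the next thing to `apktool d`; the indicator groups tell you which of the first-step questions (reflection? dynamic loading? crypto?) the code itself will have to answer.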

Use Case - AnserverBot Trojan - ARES Payload A uses Dynamic Bytecode Loading AND Reflection

Use Case - AnserverBot Trojan - ARES > Lcom/sec/android/providers/drm/style -> a() > Lcom/sec/android/providers/drm/style -> b() > Lcom/sec/android/providers/drm/style -> c()

Use Case - AnserverBot Trojan Next steps: > Look at the methods a(), b() and c() > You'll see obfuscation and encryption > Use symbolic execution to get rid of the encryption > e.g. Simplify

Use Case Simplify "If an app's strings are encrypted, Simplify will interpret the app in its own virtual machine to determine semantics. Then, it uses the app's own code to decrypt the strings and replaces the encrypted strings and the decryption method calls with the decrypted versions." https://github.com/calebfenton/simplify

Use Case Anserverbot Trojan C&C Command & Control (Phone Home) Goal: keep control, update payloads and push back info > Server addresses are hardcoded but "encrypted" > Custom Base64 alphabet: this is encoding, not encryption, the alphabet is the only secret and it ships inside the app > What to do?
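
Once the custom alphabet has been read out of the decompiled decode routine (the methods a(), b(), c() above), recovering the hardcoded addresses is a table translation plus the standard decoder. The following is an added example for this page, not the talk's or the malware's code: the alphabet is a constructed stand-in (the standard Base64 alphabet rotated by 13 positions), the encoded blobs and the c2.example.invalid hostnames are constructed sample data, and the encoder exists only to produce them. The real alphabet has to come from the sample itself.

```python
"""Decode strings hidden behind a custom-alphabet Base64 (AnserverBot-style).
Added example; alphabet and blobs below are constructed, not from the sample."""
import base64
import binascii
import string

STD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/").encode()


def custom_b64decode(blob, alphabet, pad=b"="):
    """Map the custom alphabet onto the standard one, then use the stdlib decoder.
    Because the mapping is fixed and shipped with the app, this is reversible by
    anyone who can read the app's code: an encoding, not a cipher."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct bytes")
    table = bytes.maketrans(alphabet, STD_ALPHABET)
    body = blob.rstrip(pad)
    std = body.translate(table) + b"=" * (-len(body) % 4)   # re-pad to a 4-multiple
    return base64.b64decode(std, validate=True)


def custom_b64encode(data, alphabet):
    """Encoder, used here only to build realistic sample blobs."""
    table = bytes.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(data).translate(table)


def std_decode_or_none(blob):
    """What a naive analyst gets by feeding the blob to a normal Base64 decoder."""
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None


def recover_c2(blobs, alphabet):
    """Decode every hardcoded blob with the alphabet recovered from the app."""
    return [custom_b64decode(b, alphabet).decode("utf-8") for b in blobs]


# Constructed stand-in alphabet: standard alphabet rotated by 13 positions.
SAMPLE_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

# Constructed "hardcoded" C&C blobs, as they would appear in the decompiled code.
SAMPLE_C2 = [b"http://c2.example.invalid/update", b"http://c2.example.invalid/report"]
SAMPLE_BLOBS = [custom_b64encode(s, SAMPLE_ALPHABET) for s in SAMPLE_C2]


if __name__ == "__main__":
    for blob in SAMPLE_BLOBS:
        print(blob.decode(), "-> naive:", std_decode_or_none(blob))
    print("recovered:", recover_c2(SAMPLE_BLOBS, SAMPLE_ALPHABET))
```

The naive decode either fails or yields garbage, which is exactly the "obfuscation" the malware relies on; with the alphabet in hand the addresses fall out immediately, which is also what Simplify automates by running the app's own decode method.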

Use Case Decompile with Simplify (pipeline) APK -> classes.dex -> Simplify -> simplified Smali files -> dex2jar -> JAR -> JAD -> Java code > Simplify eliminates useless code and the string encryption and makes the code more readable

Summary Tools > Androguard: Reverse Engineering API written in Python, comes with a shell > ARES: Android Reverse Engineering Suite, built on Androguard > Simplify: symbolic executor, rewrites code to simplify it and eliminate string encryption and dead/useless code > DEX2JAR/DEX2JASMIN/DEX2SMALI: transform classes.dex to intermediate code

Summary Tools JEB: Android Reverse Engineering Suite (Commercial) Radare: Reverse Engineering Tool, Android support APKTool: Automate decompilation of resources and classes.dex to smali APKStudio: An IDE for decompiling/editing & then recompiling of android application binaries.

CONTENTS > Motivation > Android App Anatomy and Building Process > Reverse Engineering > Tools with Use Case > Countermeasures

COUNTERMEASURES How to protect your code once it is distributed? No silver bullet =(

COUNTERMEASURES > Tamper detection > Dynamic Bytecode Loading > Obfuscation > Anti-debugging > Code/String Encryption > Code Guards

COUNTERMEASURES TAMPER DETECTION > Detect app modification/repacking > APKTool makes it easy to repack > What if we could detect rebuild/recompilation/repackaging? Source: BlueBox Security

COUNTERMEASURES TAMPER DETECTION Idea: Use the AndroidManifest.xml > Purpose: provide metadata: permissions, activities, services, etc. > Compiled to binary format in APK > During build: text => binary (aapt) > What about binary to text? (apktool)

COUNTERMEASURES TAMPER DETECTION > When parsed by Android, attributes are identified by their resource id, not by their name string: <public type="attr" name="name" id="0x01010003" /> > Inject a name attribute into <application> with an unknown id: Android will not recognize it as a name attribute.

COUNTERMEASURES TAMPER DETECTION > Result: Android parses the original manifest just fine and ignores the attribute, but APKTool decodes it by name and writes back a proper android:name attribute when rebuilding the APK > An APK rebuilt with APKTool will therefore honour the injected name (i.e. instantiate detect.class as the Application class) and thus trigger the alarm

COUNTERMEASURES TAMPER DETECTION
<application android:name="detect.class">
    <activity android:name="com.example.manifestexample.MainActivity">
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />
        </intent-filter>
    </activity>
</application>

COUNTERMEASURES Dynamic Bytecode Loading > Code that is not statically present in the APK cannot be statically RE'd > Use Dynamic Bytecode Loading for critical code > Ship the code as an encrypted asset > Attack: dump the decrypted code from memory at runtime > Tool: DABiB Dynamic Android Binary Debugger

COUNTERMEASURES Obfuscation > Idea: transform source or bytecode into code that is hard for humans to read but semantically equivalent > Inject useless code > Disrupt the call graph by using reflection and dynamic bytecode loading > Encrypt assets and libraries > Class/String Encryption

COUNTERMEASURES Obfuscation > Tools: ProGuard/DexGuard, Arxan, DashO, Allatori, Stringer > Attack: Decompile code and start with entry-point, refactor through code, use Simplify

COUNTERMEASURES ANTI-DEBUGGING > Idea: detect debugging environment > Different behavior than in non-debugging environment > Only works if you know the execution environment (we do) > Tools: DexGuard Enterprise, Arxan

COUNTERMEASURES Code/String Encryption Packers (diagram: statically, a stub application carries the real code hidden and encrypted; at execution the stub decrypts the code and runs it)

COUNTERMEASURES Code/String Encryption Packers (Bangcle, Pangxie) > Static analysis is hard > Code can still be dumped from memory after it is unpacked at runtime > Slows the attacker down, does not stop them > Tools: DexGuard, Arxan, Stringer, Allatori

COUNTERMEASURES Code Guards > Inject guards in bytecode > Protect and check program flow > Re-initialize critical values > Detect hooks > Check signature > Check app checksum > Tool: Arxan

COUNTERMEASURES Conclusion > Security should be a requirement in SDLC > Work towards thin Android apps > Business critical code on server > Deploy countermeasures to slow down RE

Thank you! droidcon Greece Thessaloniki Dario Incalza Application Security Engineering Analyst LSEC Leaders in Security @h4oxer