Are Your Mobile Apps Well Protected? Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic Unviersity

Similar documents
The Terminator to Android Hardening Services. Yueqian Zhang, Xiapu Luo, Haoyang Yin Department of Computing The Hong Kong Polytechnic University

Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole- System Emulation

Adaptive Unpacking of Android Apps

AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware

AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware

VirtualSwindle: An Automated Attack Against In-App Billing on Android

Tackling runtime-based obfuscation in Android with TIRO

Android app protection through anti-tampering and anti-debugging Techniques

A Framework for Evaluating Mobile App Repackaging Detection Algorithms

The Research on Security Reinforcement of Android Applications

droidcon Greece Thessaloniki September 2015

Tackling runtime-based obfuscation in Android with TIRO

Reverse Engineering Malware Binary Obfuscation and Protection

Server-based code obfuscation scheme for APK tamper detection

How to secure your mobile application with RASP

CUHK CSE ADAM: An Automatic & Extensible Platform Stress Test Android Anti-Virus Systems John Spark Patrick C.S. Lui ZHENG Min P.C.

Android Malware Reverse Engineering

ANDROID HACKER PROTECTION LEVEL 0

Android Debugging ART

MOBILE DEFEND. Powering Robust Mobile Security Solutions

MobileFindr: Function Similarity Identification for Reversing Mobile Binaries. Yibin Liao, Ruoyan Cai, Guodong Zhu, Yue Yin, Kang Li

Main idea. Demonstrate how malware can increase its robustness against detection by taking advantage of the ubiquitous Graphics Processing Unit (GPU)

Software Protection via Obfuscation

Detecting Advanced Android Malware by Data Flow Analysis Engine. Xu Hao & pll

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

Small footprint inspection techniques for Android

A Security Microcosm Attacking and Defending Shiva

Table 1 lists the projects and teams. If you want to, you can switch teams with other students.

Breaking and Securing Mobile Apps

CTF Workshop. Crim Synopsys, Inc. 1

Mobile application tamper detection scheme using dynamic code injection against repackaging attacks

Automated code extraction from packed android applications.

An Effective Android Software Reinforcement Scheme Based on Online Key

Deliver Strong Mobile App Security and the Ultimate User Experience

OWASP German Chapter Stammtisch Initiative/Ruhrpott. Android App Pentest Workshop 101

Ch 7: Mobile Device Management. CNIT 128: Hacking Mobile Devices. Updated

Comparative Analysis of Mobile App Reverse Engineering Methods on Dalvik and ART

Adaptive Android Kernel Live Patching

SECURE2013 ANDROTOTAL A SCALABLE FRAMEWORK FOR ANDROID ANTIMALWARE TESTING

Unpacking the Packed Unpacker

L.C.Smith. Privacy-Preserving Offloading of Mobile App to the Public Cloud

Abusing Android In-app Billing feature thanks to a misunderstood integration. Insomni hack 18 22/03/2018 Jérémy MATOS

Access Control for Plugins in Cordova-based Hybrid Applications

IP Protection in Java Based Software

The Android security jungle: pitfalls, threats and survival tips. Scott

Emulating Code In Radare2. pancake Lacon 2015

ATLANTIS - Assembly Trace Analysis Environment

Honey, I Shrunk Your App Security: The State of Android App Hardening

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

Reverse Engineering Malware Dynamic Analysis of Binary Malware II

THE POWER AND RISK OF MOBILE. White paper

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

T Jarkko Turkulainen, F-Secure Corporation

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

Software Protection: How to Crack Programs, and Defend Against Cracking Lecture 4: Code Obfuscation Minsk, Belarus, Spring 2014

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

Coordinated Disclosure of Vulnerabilities in McAfee Security Android

Romain Thomas - Static instrumentation based on executable file formats

LIEF: Library to Instrument Executable Formats

Research Article DWroidDump: Executable Code Extraction from Android Applications for Malware Analysis

Android Analysis Tools. Yuan Tian

Obfuscator-LLVM. - Software Obfuscation for the Masses. area41 // Zürich //

SentinelOne Technical Brief

File System Interpretation

Mobile and Ubiquitous Computing: Android Programming (part 1)

CryptoAuthentication Firmware Protection

ConnectWise Automate. What is ConnectWise Automate?

SentinelOne Technical Brief

Managed. Code Rootkits. Hooking. into Runtime. Environments. Erez Metula ELSEVIER. Syngress is an imprint of Elsevier SYNGRESS

Android App Protection via Interpretation Obfuscation

Android Reverse Engineering tools Not the Usual Suspects. Axelle Apvrille - Fortinet

Analysis of Java Code Protector

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Nifty stuff that you can still do with Android. Xavier 'xeu' Martin HES 2013 May 2th 2013

Technical Report. Verifying the Integrity of Open Source Android Applications. Michael Macnair. RHUL MA March 2015

Android Application Sandbox. Thomas Bläsing DAI-Labor TU Berlin

CSE Fall Project 1: Password Management

Securing the SMB Cloud Generation

Danny Quist. Blackhat USA 2008

Coordinated Disclosure of Vulnerabilities in AVG Antivirus Free Android

The missing link in the chain? Android network analysis. Rowland Yu Senior Threat Researcher II

SECURITY ARCHITECTURES CARSTEN WEINHOLD

Lecture 14. System Integrity Services Obfuscation

When providing a native mobile app ruins the security of your existing web solution. CyberSec Conference /11/2015 Jérémy MATOS

Obfuscation-Resilient Code Detection Analyses for Android Apps

Software Protection: How to Crack Programs, and Defend Against Cracking Lecture 5: Code Obfuscation II Moscow State University, Spring 2014

White-Box Cryptography

Tongbo Luo Cong Zheng Zhi Xu Xin Ouyang ANTI-PLUGIN: DON T LET YOUR APP PLAY AS AN ANDROID PLUGIN

Playing Hide and Seek with Dalvik Executables

Portable Executable format, TitaniumCore report and packers. Katja Pericin

Porting mobile web application engine to the Android platform

CHAPTER 2: SYSTEM STRUCTURES. By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

Chapter 2: Operating-System Structures

CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes

Digital Signature Records for the NFC Data Exchange Format

McAfee Advanced Threat Defense

Identifying the Applied Obfuscation Method towards De-obfuscation

Mobile Devices prioritize User Experience

Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge

Transcription:

Are Your Mobile Apps Well Protected? Daniel Xiapu Luo csxluo@comp.polyu.edu.hk Department of Computing The Hong Kong Polytechnic Unviersity 1

What if your mobile app is reverse-engineered by others? Core business logic and major algorithms could be learnt by your competitors. Credentials in apps. 2

Turn your app into a malware Source: businessinsider.com 3

Secure, no ads Save $6.99, but get ads 4

Source: Trend Micro Percentage of top 10 apps in each category which have repacked version: 100% of the apps of Widgets, Media & Video, etc. 90% of the apps of Business, Music & Audio, etc. 5 5

6

7

8

Can they protect your app? 9

Outline Android App Protection You Can Run But You Cannot Hide Suggestions 10

Android App Protection Goal Raise the bar for attackers Hide the code Make the code hard to be understood. m4k3 7h3 (0d3 h4rd 70 83 und3r5700d 11

Android App Protection Techniques used by packers Obfuscation Dynamic class loading Java reflection Dex file modification Native code Emulator detection Anti-debug Hide the code 12

Obfuscation Transform the code to make it difficult to understand or change while keeping its functionalities. Renaming identifier Equivalent expression Encrypting data Splitting and merging functions Complicating control flow Inserting bogus codes ProGuard 13

Dynamic class loading A feature supported by Java Implement the core business logic in a separated class. The class can be located in the server or released from a native library. Load the class into the runtime when the class is used. 14

Java reflection A feature supported by Java An app can use it to Inspect classes, interfaces, fields and methods at runtime without knowing their names, Instantiate new objects dynamically, Invoke methods dynamically, 15

Dex file modification Hide the method. Bad code to make reverse-engineering tools crash. Opcodes AXML Resource files Source: Hu et al. 16

Native code App can invoke native code through Java native interface (JNI). Native code can modify the dex file in the memory. Source: A. Blaich 17

Emulator detection The adversary can observe how an app executes by running it in an emulator (e.g., Qemu). Emulator is a software that usually has fixed configuration. So it is different from a real smartphone. Device ID 000000000000000 18

Outline Android App Protection You Can Run But You Cannot Hide Suggestions 19

Dex file The executable of an App Java source code - > Java class -> dex Java class: each file contains one class dex: one file contains all classes 20

You Can Run But You Cannot Hide Can we extract the dex file from a packed app? Yes! DexHunter Yueqian Zhang, Xiapu Luo, and Haoyang Yin, DexHunter: Toward Extracting Hidden Code from Packed Android Applications, Proceedings of the 20th European Symposium on Research in Computer Security (ESORICS), Vienna, Austria, Sept. 2015. Paper: http://www4.comp.polyu.edu.hk/~csxluo/dexhunter.pdf Source code and demo: https://github.com/zyq8709/dexhunter Key insight Dex file will be loaded and run by Android runtime, including Dalvik virtual machine (DVM) and the new Android Runtime (ART), which controls everything. 21

DexHunter Modify Android runtime (i.e., DVM and ART) to extract the dex file. Dex File The header contains the length and the offset for each section. class_defs section contains class_def_items, each of which describes a class. 22

When to unpack the app? When the first class of the app is being loaded. Why? Before a class is loaded, the content of the class should be available in the memory; When the class has been initialized, some content in memory may be modified dynamically; Just before a method is invoked, its code_item or instructions should be available. How? Load and initialize all classes proactively. 23

How to unpack the app? Integrate our tool into Android runtime including DVM and ART. Wait for the time when the first class of the app is being loaded. Locate the target memory region. Dump the selected memory area. Correct and reconstruct the dex file. 24

Loading & initializing classes Traverse all class_def_items in the dex file. For each one, DexHunter loads it with FindClass function (ART) or dvmdefineclass function (DVM). DexHunter initializes it with EnsureInitialized function (ART) or dvmisclassinitialized & dvminitclass functions (DVM). 25

Locating the target memory region The target memory region contains the dex file. DexHunter uses a special string to determine whether the current dex file is what we want. ART: the string location_ in DexFile objects. DVM: the string filename in DexOrJar objects. 26

27

Dumping the dex file in memory Divide the target memory region Part 1: the content before the class_defs section Part 2: the class_defs section Part 3: the content after the class_defs section Dump part 1 into a file named part1 and part 3 into a file named data. 28

Correcting and collecting Why? Packing services may modify the memory dynamically. The memory consists of the region containing the dex file and the method objects (i.e., ArtMethod in ART, Method in DVM) managed by runtime. The runtime executes instructions according to the managed method objects. 29

Reconstructing the dex file Eventually, DexHunter has four files: part1, classdef, data, extra. It combines them according to the following sequence to construct a dex file. part1 classdef data extra 30

Products under Investigation 360 http://jiagu.360.cn/ Ali http://jaq.alibaba.com/ Baidu http://apkprotect.baidu.com/ Bangcle http://www.bangcle.com/ Tencent http://jiagu.qcloud.com/ ijiami http://www.ijiami.cn/ 31

Experiment Setup 32

Anti-debugging All products detect debugger Anti-ptrace Anti-JWDP. They cannot detect DexHunter. 33

360 Version: 06-21-2015 It encrypts the dex file and saves it in libjiagu.so/libjiagu_art.so. It releases the data into memory and decrypts it while running. 34

Ali Version: 21-06-2015 It splits the original dex file into two parts One is the main body saved in libmobisecy.so The other one contains the class_data_item and the code_item of some class_def_items. It releases both two parts into memory as plain text and corrects some offset values in the main body while running. Some annotation_offs are set to incorrect values. 35

Baidu Version: 21-06-2015 It moves some class data items to other places outside the dex file. It wipes the magic numbers, checksum and signature in the header after the dex file has been opened. 36

Baidu It fills in an empty method just before it is invoked and erases the content after the method is finished. DexHunter instruments method invocation to dump these methods which is available only just before invoking. doinvoke (ART) dvmmterp_invokemethod (DVM) 37

Bangcle Version: 21-06-2015 It prepares the odex file or oat file in advance. It encrypts the file and stores it in an external jar file. It decrypts the data while running It hooks several functions in libc.so, such as fwrite, mmap, 38

ijiami Version: 21-06-2015 Similar to Bangcle. The string changes every time the app runs. It releases the decrypted file, which is also encrypted as a jar file, with different file names each time while they are in the same directory. 39

Tencent Version: 25-05-2015 It can protect the methods selected by users. If a method is selected, it cannot be found in the relevant class_data_item. It releases the real class_data_item and adjusts the offset. The code_item of the selected method is still in the data section. Some annotation_offs are set to 0xFFFFFFFF. It can only runs in DVM. 40

Outline Android App Protection You Can Run But You Cannot Hide Suggestions 41

Suggestions Do not assume that your app cannot be reverse-engineered by others. Do not put secrete into your app. Protect your apps using various techniques Strong obfuscation algorithms Implement core business logics into native code and then pack the native code Server side verification Customized hardening services 42

Suggestions Detect repackaged apps from markets Simple approach Finding apps with similar descriptions, etc. Advanced approach Detect repackaged apps by comparing their codes. It may be affected by the app hardening techniques. Detect repackaged apps by comparing their resources. 43

ResDroid A scalable approach to detect repackaged apps by leveraging resource features (e.g., GUI, etc.) instead of code. Use statistical features for the coarse-grained processing Use structural features for the fine-grained processing http://www4.comp.polyu.edu.hk/~csxluo/resdroid.pdf 44

Thanks my group members and collaborators for contributing to this research: Yueqian Zhang Wenjun Hu Yuru Shao Haoyang Yin Xiaobo Ma Xian Zhan 45

DexHunter Paper: http://www4.comp.polyu.edu.hk/~csxluo/dexhunter.pdf Source code and demo : https://github.com/zyq8709/dexhunter ResDroid Paper: http://www4.comp.polyu.edu.hk/~csxluo/resdroid.pdf Our other tools and papers on Android security: http://www4.comp.polyu.edu.hk/~csxluo 46

References Christian Collberg and Jasvir Nagra, Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection, Addison- Wesley, 2009 Yuru Shao, Xiapu Luo, Chenxiong Qian, Pengfei Zhu, and Lei Zhang, Towards a Scalable Resource-driven Approach for Detecting Repackaged Android Applications, Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC), New Orleans, USA, December 2014. A. Apvrille and R. Nigam, Obfuscation in android malware, and how to fight back, Virus Bulletin, July 2014. M. Grassi, Reverse engineering, pentesting, and hardening of android apps. DroidCon, 2014. T. Strazzere and J. Sawyer, Android hacker protection level 0, DefCon, 2014. (android-unpacker, https://github.com/strazzere/android-unpacker) ZjDroid, http://blog.csdn.net/androidsecurity/article/details/38121585 Y. Park, We can still crack you! general unpacking method for android packer (no root), Blackhat Asia, 2015. 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback