Post on 05-Jan-2016
1
Java applications reverse engineering
Antoni BertelAntoni_Bertel@epam.com
AUGUST 4, 2015
2
• Jar (Java Archive) is a package file format typically used to aggregate many
Java class files and associated metadata and resources.
• Java bytecode is the instruction set of the Java virtual machine.
• APK is the package file format used to distribute and install application
software and middleware onto Google's Android operating system.
• Obfuscation is the obscuring of intended meaning in communication,
making the message confusing, willfully ambiguous, or harder to understand.
Introductory
3
Plan
The attack on the two java archive: desktop and mobile applications. 1
Conclusion of business problems.2
Other types of attacks on the jar, demonstration of some of them.
3
Types of jar protection, concentrating on obfuscation.
4
Protecting "Hello, world" java application.5
Answers on questions6
4
Desktop java application
AEM (Adobe Experience Manager) is an enterprise-grade web content management system with a wide array of powerful features.
Info• License costs 50.000 $• Delivered as jar with size ~ 450 mb• Used by Playstation, SAP, Norton• Written by java• Bytecode is not obfuscated
5
The practical part
6
Android application
Dalvik VM is a virtual machine in Google's Android operating system that executes applications written for Android.The Dalvik VM executes files in the Dex (Dalvik Executable) format .
7
Android application
8
Android application
VK (Vkontakte) is a social network that unites people all over the world and helps them communicate comfortably and promptly.
Info• More than 2.000.000 reviews.• Fifty million downloads from android market• Delivered as APK• Written by java• Bytecode is not obfuscated
9
The practical part
10
1. Access to premium content
2. Stealing source code
3. Access to the private application data
4. Declassification of the internal architecture of the application
5. Access to internal application systems (API)
6. Stealing traffic; advertising; mobile botnets…
Technical risks
11
1. Product discrediting
2. Losing money
Business risks
12
• Bytecode decompilation
– JD-GUI– JAD Java Decompiler– Bytecode viewer
• Bytecode modification
– Java Bytecode Editor– reJ– Javassist– Byte Buddy
• Bytecode debugging
– Java ByteCode Debugger– Bytecode Visualizer
Tools
13
Solutions
Bytecode obfuscation 1
Anti-debugging2
Own protection of business logic3
14
The practical part
15
Questions?