Reversing Android Apps
Hacking and cracking Android apps is easy
Agenda
Issues (in the past)
Android security / code concept
Techniques periences and the general quality oed
@$,C%"$ #4?'"$/N&?&62 50,,1&" %6"/?&'(8P Q DE]E^
New technique going to be released in November
Oberheide/Lanie, Source Barcelona
Other issues
H/0"N,,1`*-- aE GEb &% /N?" 6, $"/+9C$&6"9"+&6
SMS/MMS
Plain authentication tokens, fixed
SMS receiver incorrect, fixed
Htclogger, HTC only
App reversing Many more
Nuclear chain of command...
xkcd.com
... is similar to the Android chain o One app = one Linux user
Android code
Write app in Java and HTML/Javascript (Android SDK) The obvious approach
Most apps
Techniques
1. Getting hundreds of Android
Apps (apk files)
Obvious download approach
Open market app on mobile
Click app and install
SCP apk file
How to download all Android apps
Connect mobile to laptop Wifi with airbase-
ng / dnsmasq
Use iptables to redirect to local Burp
thx Android y option
BurpExtender to save responses with apk files
Send mobile a HTTP 404 not
Install all apps?
One HTTPS request to market.android.com
Change the app name
com.google.android.youtube
Modified w3af spider / regex plugin
Search
Download environment
Metadata
About 300'000 apps in market
Crawled about 10'000 app names
Success
2. Decompile/disassemble
The apktool disassembled structure
+assets
+res
+drawable
-icon.png
+layout
-main.xml
+values
-strings.xml
+META-INF
-AndroidManifest.xml
-classes.dex
Apk unzipped
+assets
+res
+drawable
-icon.png
+layout
-main.xml
+values
-strings.xml
-AndroidManifest.xml
+smali
+com
+...
-apktool.yml
! /-16,,? +&%/%%"KN?"+
Two approaches
Disassembling to smali
Similar to Jasmin syntax (Java assembler code)
Apktool
Correct smali code
Didn't use dexdump/dedexer
Decompiling to Java
Dex2Jar + Java-Decompiler Sometimes incorrect Java code
Disassembling howto
Apktool
me$ java -jar apktool.jar d app.apk output-folder
Disassembled example
Reassembling howto
Apktool
me$ echo "change something"
change something
me$ java -jar apktool.jar b output-folder/ fake-app.apk
[]me$ keytool -genkey -alias someone -validity 100000 -
keystore someone.keystore
[]
me$ jarsigner -keystore someone.keystore fake.apk someone
me$ adb install fake-app.apk
3. Other techniques
Heap dump
me$ su
me# ps | grep kee
949 10082 183m S com.android.keepass
960 0 1964 S grep kee
me# kill -10 949
me# grep password /data/misc/heap-dump-tm1312268434-
pid949.hprof
thisisasecretpassword
3' *'+$,&+ n DE]
Button in DDMS tool or call
android.os.Debug.dumpHprofData
Invoking Activities
Activities are basically user interample doesn't work
me$ dumpsys package > packages.txtme$ am start -n com.android.keepass/
com.keepassdroid.PasswordActivity
Tons of other tools
Androguard
Apkinspector GUI combining apktool, dex2jar, a Java decompiler, byte
code, etc.
DED
androidAuditTools
Smartphonesdumbapps
Taintdroid (Privacy issues)
Android Forensic Toolkit viaExtract
More
Experiences when decompiling/
disassembling 3'500 apps
Finding security related issues
Metadata
About 3'500 apps
2'300 unique email addresses
GkFFF q
Low hanging
Hashing and encryption – a short best
practices re
Key: MSB always 0
Used
Used to signalise the server that in-game goods were purchased
Ob
Ob
Test[[[[[.java
Yeah, let's copy/paste a test email!
Test[[[[[2.java
And credentials
Some apps I looked at more
closely
(it's getting worse)
App 1 - banking app
Who really wants banking on the mobile?
A lot of banking apps! Yay!
App 1
No ob
App 2
Server had sel
App 2
AES key
// 32-value key material compiled into the app (the slide labels it an AES key).
// Anything shipped inside the APK can be read back after decompiling it, so a key
// stored like this gives no confidentiality against whoever holds the app; keep
// secrets server-side or generate them per install in a platform key store.
// NOTE(review): -142 is outside Java's byte range (-128..127), so this initializer
// would not compile as printed; presumably a transcription error on the slide — confirm.
public byte[] cryptKey42 = {-31, -21, 4, 24, -21,
54, -63, -40, -38, 61, -47, -115, -95, -36, -142,
64, 53, 120, -85, -96, -69, 85, 81, 16, -36, 80,
-102, 95, -20, 110, 36, -11};
App 3 – root detection
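/**
 * Heuristic root check: reports whether an {@code su} command can be started.
 *
 * <p>The check runs inside the app, so it can be removed from a repackaged APK and its
 * answer depends only on whether {@code su} can be launched. Use the result as a hint
 * (telemetry, UX) and keep security decisions on the server side.
 *
 * @return {@code true} if {@code su} was launched, {@code false} if launching it
 *     raised an {@link IOException}
 */
private boolean deviceRoot(){
    Process probe = null;
    try{
        probe = Runtime.getRuntime().exec("su");
        return true;
    }
    catch (IOException localIOException){
        // exec() could not start "su"; the original treats that as "not rooted".
        return false;
    }
    finally{
        // The original never released the process it spawned; clean it up here.
        if (probe != null){
            probe.destroy();
        }
    }
}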
App 3 – Circumventing root detection
Not necessary
App 4 – Another root detection
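/**
 * Heuristic root check: reports whether a file exists at {@code /system/sbin/su}.
 *
 * <p>Only this one fixed path is examined, so an {@code su} binary stored anywhere else
 * goes unnoticed, and the path is a plain string constant that can be read and changed
 * in a repackaged APK. Use the result as a hint, never as the only gate for a security
 * decision.
 *
 * @return {@code true} if {@code /system/sbin/su} exists, {@code false} otherwise
 */
public static boolean isDeviceRooted(){
    // The printed listing had the path unquoted and no statement terminators; both restored.
    File f = new File("/system/sbin/su");
    return f.exists();
}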
App 4 - Removing root detection
me$ java -jar apktool.jar d app.apk source
[]
me$ sed -i "" 's/system\/sbin\/su/system\/sbin\/
CEW1PFSLK/g' source/smali/net/example/checks.smali
me$ java -jar apktool.jar b source/ fake.apk
[]me$ keytool -genkey -alias someone -validity 100000
-keystore someone.keystore
[]
me$ jarsigner -keystore someone.keystore fake.apk
someoneme$ adb install fake.apk
* i e 67 6 + 67 + 6
App 4 – Was that a good method to
remove the root detection?
Altering the app
No updates
We only want to
App 4 - Prevent root detection
me$ adb shell
$ su
# cd /system/bin/; mount -o remount,rw -o rootfs rootfs /;
mount -o remount,rw -o yaffs2 /dev/block/mtdblock3 /system
# echo $PATH
/sbin:/system/sbin:/system/bin:/system/xbin
# mv /system/sbin/su /system/xbin/
root stays root!
A special secret key
445 apps use the same AES key
N26"vw / R x GFP ^^P `GGDP `iyP `bP yP GGP y^P `yP `GDGP
GDGP bzP {FP `bGP G^P ^ |
Google Ads
Encrypt last known location
All location providers (GPS, Wifi, ...)
Send via the “uule” JSON parameter
Notified Google on the 23rd of June
No response yet
To be honest I haven't seen the “uule”
parameter in my network yet
Google Ads
Why didn't they use asymmetric crypto?
Countermeasures
Use asymmetric crypto instead of symmetric when trans
Ret_cid=biz_socmed_twitter_
Thx!
Twitter: floyd_ch
http://floyd.ch