Android reverse-engineering review and modify closed source apps
Magnus, Tech-Evangelist @ 0xFF
Why?
0xFF
review/audit
patch/modify
exploit
Disclaimer
APK
Manifest
Resources
Code
Activities
Services
Content providers
Intents
demo
Java/Kotlin > DEX > JIT/Dalvik > ARM/x86/etc
Java/Kotlin > DEX > OAT > ART > ARM/x86/etc
DEX > Smali
.class public LHelloWorld;
.super Ljava/lang/Object;

.method public static main([Ljava/lang/String;)V
    .registers 2
    sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
    const-string v1, "Hello World!"
    invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    return-void
.end method
Data-types
https://github.com/JesusFreke/smali/wiki/TypesMethodsAndFields
Instructions
https://source.android.com/devices/tech/dalvik/dalvik-bytecode

Smali registers
v0, v1, v2… - local registers
p0, p1, p2… - method argument alias
(all 32-bit, so how to pass a 64-bit Long?)
.class public LHelloWorld;
.super Ljava/lang/Object;

.method public static main([Ljava/lang/String;)V
    .registers 2
    sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
    const-string v1, "Hello World!"
    invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    return-void
.end method
Obfuscation
Ball.getColor() == a.a()
demo
debugging smali
grep is your friend
grep -inr facebook.com --include='*.smali'
-i ignores character case
-n display line numbers
-r recursive, search sub folders
--include=*.smali only search files matching
--color=always add coloring
grep is your friend – Trackers
facebook google.com firebase
urbanairship crashlytics bugfender
track* analytic* ads
grep is your friend – Privacy intrusive API calls
QueryIntentActivities getRunningAppProcesses
ActivityManager PackageManager WifiManager
SensorManager BluetoothAdapter
Address LocationManager
TelephonyManager AdvertisingIdClient

grep is your friend – File I/O
file read write
directory sdcard
document
grep is your friend – Net I/O
http http:
connect socket uri address
post .com/.net loadUrl
grep is your friend – Scary stuff
loadLibrary native
install
addJavaScriptInterface
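
The grep passes from the keyword slides above, combined into one triage run over decoded smali. This is an added example, not code from the talk: `triage_smali`, `make_sample` and the category names are assumptions made here, and the two smali files are constructed sample input.

```sh
#!/bin/sh
# Added example: hit counts per keyword category over apktool-decoded smali.
# Keyword lists come from the "grep is your friend" slides; names are illustrative.
CATEGORIES='trackers=facebook|google\.com|firebase|urbanairship|crashlytics|bugfender|track|analytic|ads
privacy_api=QueryIntentActivities|getRunningAppProcesses|ActivityManager|PackageManager|WifiManager|SensorManager|BluetoothAdapter|Address|LocationManager|TelephonyManager|AdvertisingIdClient
file_io=file|read|write|directory|sdcard|document
net_io=http|connect|socket|uri|address|post|\.com|\.net|loadUrl
scary=loadLibrary|native|install|addJavaScriptInterface'

# triage_smali DIR: prints "<category> <matching lines> <matching files>" per category
triage_smali() {
    printf '%s\n' "$CATEGORIES" | while IFS='=' read -r name pattern; do
        lines=$(grep -Eir --include='*.smali' -e "$pattern" "$1" | wc -l | tr -d ' ')
        files=$(grep -Eirl --include='*.smali' -e "$pattern" "$1" | wc -l | tr -d ' ')
        echo "$name $lines $files"
    done
}

# make_sample DIR: constructed tree standing in for real `apktool d` output
make_sample() {
    mkdir -p "$1/smali/a" "$1/res"
    cat > "$1/smali/a/a.smali" <<'EOF'
.class public La/a;
.super Ljava/lang/Object;
.method public a()V
    const-string v0, "https://graph.facebook.com/v2/events"
    const-string v1, "phone"
    invoke-virtual {p0, v1}, La/a;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v1
    check-cast v1, Landroid/telephony/TelephonyManager;
    return-void
.end method
EOF
    cat > "$1/smali/a/b.smali" <<'EOF'
.class public La/b;
.super Ljava/lang/Object;
.method static constructor <clinit>()V
    const-string v0, "core"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    const-string v1, "http://ads.example.test/track"
    return-void
.end method
EOF
    echo 'facebook.com' > "$1/res/notes.txt"   # not *.smali, so never scanned
}

tmp=$(mktemp -d); make_sample "$tmp"; triage_smali "$tmp"; rm -rf "$tmp"
```

Short keywords such as `ads` and `read` are case-insensitive substring matches, so the counts show where to start reading rather than confirmed findings.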
demo
OWASP Mobile Top 10
Exploiting GoatDroid
Tools used in this talk (free and open source)
ADB
ApkTool
uber-apk-signer
ApkStudio
Idea
Ideasmali
Profiling tools (root required)
Frida
Introspy
Xposed
Automated tools
Mobile Security Framework (MobSF)
Quick Android Review Kit (QARK)
Drozer
Resources
Smali/Smalidea https://github.com/JesusFreke/smali/
Dalvik instructions https://source.android.com/devices/tech/dalvik/dalvik-bytecode
ADB https://developer.android.com/studio/releases/platform-tools
ApkStudio https://github.com/vaibhavpandeyvpz/apkstudio
OWASP Mobile Top 10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

Thank you
@0xFFse https://0xff.se/