Android App Reverse Engineering Guide

This document summarizes steps for reversing Android apps, including static analysis, dynamic analysis, and tampering with the app. Static analysis involves decompiling the app's APK file to view code and resources. Dynamic analysis uses a network sniffer like Charles Proxy to observe runtime behavior and network requests. Tampering attempts to bypass protections like certificate pinning by repackaging the app with modified code and resources. The document also provides suggestions for developers to harden apps against reversal, such as obfuscation, native code usage, and detection of rooting/debugging tools.


Reversing Android Apps

Marc Obrador
Lead Architect @ Build38

Barcelona
marc@build38.com
@marcobrador
/in/marc-obrador
It’s illegal (in the EU)!
Source: https://en.wikipedia.org/wiki/Reverse_engineering
Josep Bernad Albert Sunyer
iOS UI
Artà is in Mallorca

ABF takes place (usually) in June
COVID-19 pushed it to …?
Step 0
Get to know the app
Step 1
Static Analysis
Getting the APK
Decompiling the app

https://ibotpeaches.github.io/Apktool/

$ brew install apktool


Decompiling the app
Let’s keep looking around
Wait… “discount codes”?
App users get a discount for events
Let’s take a closer look…

HTTP Basic Authorisation = Base64(“username:password”)

username = “string1” xor “string2”
password = “string3” xor “string2”
Protecting against static analysis

ProGuard is a good start… for regular apps


• It’s just method renaming and code shrinking
• Tools for reversing ProGuard exist: http://apk-deguard.com/

Other (paid) alternatives exist for obfuscation

Writing sensitive code in native (NDK) is a good idea


Step 2
Dynamic Analysis
Network Sniffing, a.k.a. MITM

https://www.charlesproxy.com/

Setting Up Charles Proxy
First attempt…
Setting Up Charles Proxy
Let’s try again…
Protecting against dynamic analysis

• Implement Root/Debugger/Emulator/Hooking Framework detection

• Use certificate pinning

• Try to detect app tampering


Using Certificate Pinning

Source: https://developer.android.com/training/articles/security-config
Step 3
Tampering with the App
Assuming the app implemented Certificate Pinning…
$ adb install “Downloads/Artà Beer Festival_v1.2.5_apkpure.com.apk”
Performing Streamed Install
Success
$ adb shell am start com.marcobrador.android.artabeerfestival/.SplashActivity
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.marcobrador.android.artabeerfestival/.SplashActivity }
Let’s try to remove it
Time to give it a try!
Preventing Repackaging
Looks like we are done here
This code can be removed, too!
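As an added illustration of the “Preventing Repackaging” idea (not code from the slides or from the app discussed), the check below compares the installed APK’s signing certificate with a hash baked in at build time; a repackaged APK must be re-signed with a different key, so the hash no longer matches. The class name, method name and the expected-hash placeholder are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.util.Base64;
import java.security.MessageDigest;

/** Verifies that the running APK is still signed with the release certificate. */
public final class SigningCheck {
    // Placeholder: replace with the Base64 SHA-256 of your own release certificate.
    private static final String EXPECTED_CERT_SHA256 =
            "REPLACE_WITH_BASE64_SHA256_OF_RELEASE_CERT";

    private SigningCheck() {}

    /** Returns true only if every signer of the installed APK matches the expected certificate. */
    public static boolean isSignedWithExpectedCert(Context context) {
        try {
            PackageManager pm = context.getPackageManager();
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo info = pm.getPackageInfo(context.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                signers = info.signingInfo.getApkContentsSigners();
            } else {
                @SuppressWarnings("deprecation")
                PackageInfo info = pm.getPackageInfo(context.getPackageName(),
                        PackageManager.GET_SIGNATURES);
                signers = info.signatures;
            }
            if (signers == null || signers.length == 0) {
                return false;
            }
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature signer : signers) {
                // Hash the DER-encoded certificate and compare in constant time.
                byte[] digest = sha256.digest(signer.toByteArray());
                String actual = Base64.encodeToString(digest, Base64.NO_WRAP);
                if (!MessageDigest.isEqual(actual.getBytes(), EXPECTED_CERT_SHA256.getBytes())) {
                    return false; // re-signed after repackaging: certificate differs
                }
            }
            return true;
        } catch (Exception e) {
            return false; // treat any lookup failure as tampering
        }
    }
}
```

As the slide above notes, this check ships inside the APK and can itself be stripped by whoever repackages the app, so it raises the cost of tampering rather than preventing it; pair it with obfuscation, native code and server-side validation.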
Closing Thoughts
Thank you!
