SlideShare uma empresa Scribd logo

Cracking the Mobile Application Code

Transferir como PPTX, PDF
c0c0n - International Cyber Security and Policing Conference
c0c0n - International Cyber Security and Policing Conference

Cracking the Mobile Application Code by Sreenarayan A. at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html

Tecnologia
1 de 24
Cracking the Mobile Application Code - Sreenarayan A Paladion Mobile Security Team
Take Away for the day • Purpose of Decompiling Mobile Applications • Methodology of Decompilation • Live Demo’s: – Android App – iOS (iPhone / iPad App) – Blackberry Apps / Nokia App
Why is security relevant for Mobile Platform? • 400% Increase in the number for Organizations Developing Mobile Platform based applications. • 300% Increase in the no of Mobile Banking Applications. • 500% Increase in the number of people using the Mobile Phones for their day to day transactions. • 82% Chances of end users not using their Mobile Phones with proper caution. • 79% Chances of Mobile Phone users Jail Breaking their Phones. • 65% Chances of Mobile Phone users not installing Anti-virus on their Mobile Phones. • 71% Chances of any application to get misused. • 57% Chances of a user losing his sensitive credentials to a hacker.
Market Statistics of Mobile Users
Mobile Market Trends
Different Types of Mobile Applications • WAP Mobile Applications • Native Mobile Applications • Hybrid Mobile Applications
Different Types of Mobile Applications
Different Types of Mobile Architecture
Why did we learn the above types?? • Which applications can be Decompiled? – WAP Mobile Applications ? – Native Mobile Applications ? – Hybrid Mobile Applications ? • We have to get to know of the basics!
Cracking the Mobile Application Code
Cracking the Mobile Application Code •What do you mean by Reverse Engineering? •What do you mean by Decompilation? -> What is Compilation? Questions to be answered: •What are the goals/purpose of Cracking the code? •What is the methodology of Decompilation? •What the tools which can be used to Decompile? •Can Decompilation be done on all platforms? 1. ANDROID ? 2. iPHONE / iPAD ? 3. BLACKBERRY ? 4. NOKIA ?
Goal of cracking the Mobile Application Code
Goals of Cracking the Source Code •“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” •To find Treasure Key Words (password , keys , sql, algo, AES, DES, Base64, etc) •Figure out the Algorithms Used and their keys. •By-passing the client side checks by rebuilding the app. •E.g. Password in Banking Application (Sensitive Information) •E.g. Angry Birds Malware (Stealing Data) •E.g. Zitmo Malware (Sending SMS) •We have understood the goals, how to achieve them? Methodology.
Methodology of Cracking
Methodology / Study S1: Gaining access to the executable S2: Understanding the Technology used to code the application. S3: Finding out ways to derive the Object Code from the Executable. S4: Figuring out a way to derive the Class Files from the Object Code. S5: Figuring out a way to derive the Function Definitions from the Object Code
JUMP TO DEMO’s
Demo - Reverse Engineer the Android Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -Dex2jar -Jar Decompiler •Steps 1. .apk -> .dex 2. .dex -> .jar 3. .jar -> .java • Demo • Limitations
Demo - Reverse Engineer the iOS Application •Tools used: -iExplorer -Windows Explorer -oTool -Classdumpz •Steps 1. .app -> Garbage (Object Code) (DVM) 2. Object Code -> .Class • Demo • Limitations
Demo - Reverse Engineer the Blackberry Application •Tools used: -JD – GUI (Java Decompiler) -Notepad •There are two types of Application files found in Blackberry: 1. .Jar (.jad -> .jar) 2. .Cod (.jad -> .cod (Blackberry Code Files) •Steps 1. .jar -> .java (JD-GUI) Or 1. Notepad to open .cod (No luck!) • Demo • Limitation
Tip - Reverse Engineer the Windows Phone Application •Tools used: -.net decompiler -Visual Studio with Windows Phone SDK
Palisade Articles • iOS vs Android Testing • Mobile Data Encryption • Mobile Application Security Testing • Demystifying the Android • And … • Website link: palpapers.paladion.net
• Questions and Answers • Quiz • Feedback
Thank You Sreenarayan.india@gmail.com Sreenarayan.a@paladion.net Twitter: Ace_Sree

Recomendados

Mobile testing. Tips and Tricks
Mobile testing. Tips and TricksMobile testing. Tips and Tricks
Mobile testing. Tips and Tricks
Artem Pinchuk
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
Salesforce Developers
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Malware could steal data from i phones using siri
Malware could steal data from i phones using siriMalware could steal data from i phones using siri
Malware could steal data from i phones using siri
Edward Perea
 
Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android Aapplications
Roshan Thomas
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 

Recomendados

Mobile testing. Tips and Tricks
Mobile testing. Tips and TricksMobile testing. Tips and Tricks
Mobile testing. Tips and Tricks
Artem Pinchuk
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
Salesforce Developers
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Malware could steal data from i phones using siri
Malware could steal data from i phones using siriMalware could steal data from i phones using siri
Malware could steal data from i phones using siri
Edward Perea
 
Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android Aapplications
Roshan Thomas
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
Seguridad Apple
 
Team 3 status report#4
Team 3 status report#4Team 3 status report#4
Team 3 status report#4
Joaquim Jaime
 
iOS Developer Concept introduction
iOS Developer Concept introductioniOS Developer Concept introduction
iOS Developer Concept introduction
Banyapon Poolsawas
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionTech savvy seniors term 4 introduction
Tech savvy seniors term 4 introduction
Marni3Bridges
 
Introduction to Mobile Apps
Introduction to Mobile Apps Introduction to Mobile Apps
Introduction to Mobile Apps
Shahryar Khan
 
Ios forensics
Ios forensicsIos forensics
Ios forensics
Kamal Patel
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
Jason Ross
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
VodqaBLR
 
UI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & ExploitationUI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & Exploitation
c0c0n - International Cyber Security and Policing Conference
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The Basics
Websecurify
 
Leveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and OrderLeveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and Order
c0c0n - International Cyber Security and Policing Conference
 
Marine and Freshwater Ecology Revision
Marine and Freshwater Ecology RevisionMarine and Freshwater Ecology Revision
Marine and Freshwater Ecology Revision
anigvanderanal
 
OWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulationOWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulation
Pavan M
 
Hacker's jargons
Hacker's jargonsHacker's jargons
Hacker's jargons
Pavan M
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
Pavan M
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
c0c0n - International Cyber Security and Policing Conference
 
Cracking the mobile application code
Cracking the mobile application codeCracking the mobile application code
Cracking the mobile application code
Sreenarayan A
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
c0c0n - International Cyber Security and Policing Conference
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
Harsimran Walia
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
Petr Dvorak
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
apps4allru
 

Mais conteúdo relacionado

Mais procurados

Team 3 status report#4
Team 3 status report#4Team 3 status report#4
Team 3 status report#4
Joaquim Jaime
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionTech savvy seniors term 4 introduction
Tech savvy seniors term 4 introduction
Marni3Bridges
 

Mais procurados (8)

iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
Team 3 status report#4
Team 3 status report#4Team 3 status report#4
Team 3 status report#4
 
iOS Developer Concept introduction
iOS Developer Concept introductioniOS Developer Concept introduction
iOS Developer Concept introduction
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4 introductionTech savvy seniors term 4 introduction
Tech savvy seniors term 4 introduction
 
Introduction to Mobile Apps
Introduction to Mobile Apps Introduction to Mobile Apps
Introduction to Mobile Apps
 
Ios forensics
Ios forensicsIos forensics
Ios forensics
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
 

Destaque

Destaque (8)

UI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & ExploitationUI-Redressing Attacks - The Process & Exploitation
UI-Redressing Attacks - The Process & Exploitation
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The Basics
 
Leveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and OrderLeveraging mobile & wireless technology for Law and Order
Leveraging mobile & wireless technology for Law and Order
 
Marine and Freshwater Ecology Revision
Marine and Freshwater Ecology RevisionMarine and Freshwater Ecology Revision
Marine and Freshwater Ecology Revision
 
OWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulationOWASP A1 - Injection | The art of manipulation
OWASP A1 - Injection | The art of manipulation
 
Hacker's jargons
Hacker's jargonsHacker's jargons
Hacker's jargons
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 

Semelhante a Cracking the Mobile Application Code

Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
Harsimran Walia
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
apps4allru
 
Software quality and mobile apps
Software quality and mobile appsSoftware quality and mobile apps
Software quality and mobile apps
Prawesh Shrestha
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 

Semelhante a Cracking the Mobile Application Code (20)

Cracking the mobile application code
Cracking the mobile application codeCracking the mobile application code
Cracking the mobile application code
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
 
Software quality and mobile apps
Software quality and mobile appsSoftware quality and mobile apps
Software quality and mobile apps
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love Android
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on Android
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 

Último

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Último (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Cracking the Mobile Application Code

  • 1. Cracking the Mobile Application Code - Sreenarayan A Paladion Mobile Security Team
  • 2. Take Away for the day • Purpose of Decompiling Mobile Applications • Methodology of Decompilation • Live Demo’s: – Android App – iOS (iPhone / iPad App) – Blackberry Apps / Nokia App
  • 3. Why is security relevant for Mobile Platform? • 400% Increase in the number for Organizations Developing Mobile Platform based applications. • 300% Increase in the no of Mobile Banking Applications. • 500% Increase in the number of people using the Mobile Phones for their day to day transactions. • 82% Chances of end users not using their Mobile Phones with proper caution. • 79% Chances of Mobile Phone users Jail Breaking their Phones. • 65% Chances of Mobile Phone users not installing Anti-virus on their Mobile Phones. • 71% Chances of any application to get misused. • 57% Chances of a user losing his sensitive credentials to a hacker.
  • 4. Market Statistics of Mobile Users
  • 6. Different Types of Mobile Applications • WAP Mobile Applications • Native Mobile Applications • Hybrid Mobile Applications
  • 7. Different Types of Mobile Applications
  • 8. Different Types of Mobile Architecture
  • 9.
  • 10. Why did we learn the above types?? • Which applications can be Decompiled? – WAP Mobile Applications ? – Native Mobile Applications ? – Hybrid Mobile Applications ? • We have to get to know of the basics!
  • 11. Cracking the Mobile Application Code
  • 12. Cracking the Mobile Application Code •What do you mean by Reverse Engineering? •What do you mean by Decompilation? -> What is Compilation? Questions to be answered: •What are the goals/purpose of Cracking the code? •What is the methodology of Decompilation? •What the tools which can be used to Decompile? •Can Decompilation be done on all platforms? 1. ANDROID ? 2. iPHONE / iPAD ? 3. BLACKBERRY ? 4. NOKIA ?
  • 13. Goal of cracking the Mobile Application Code
  • 14. Goals of Cracking the Source Code •“UNDERSTAND THE WORKING OF THE APPLICATION AND TO FIGURE OUT THE LOOPHOLES!” •To find Treasure Key Words (password , keys , sql, algo, AES, DES, Base64, etc) •Figure out the Algorithms Used and their keys. •By-passing the client side checks by rebuilding the app. •E.g. Password in Banking Application (Sensitive Information) •E.g. Angry Birds Malware (Stealing Data) •E.g. Zitmo Malware (Sending SMS) •We have understood the goals, how to achieve them? Methodology.
  • 16. Methodology / Study S1: Gaining access to the executable S2: Understanding the Technology used to code the application. S3: Finding out ways to derive the Object Code from the Executable. S4: Figuring out a way to derive the Class Files from the Object Code. S5: Figuring out a way to derive the Function Definitions from the Object Code
  • 18. Demo - Reverse Engineer the Android Application •Tools used: -De-compresser (Winrar / Winzip / 7zip) -Dex2jar -Jar Decompiler •Steps 1. .apk -> .dex 2. .dex -> .jar 3. .jar -> .java • Demo • Limitations
  • 19. Demo - Reverse Engineer the iOS Application •Tools used: -iExplorer -Windows Explorer -oTool -Classdumpz •Steps 1. .app -> Garbage (Object Code) (DVM) 2. Object Code -> .Class • Demo • Limitations
  • 20. Demo - Reverse Engineer the Blackberry Application •Tools used: -JD – GUI (Java Decompiler) -Notepad •There are two types of Application files found in Blackberry: 1. .Jar (.jad -> .jar) 2. .Cod (.jad -> .cod (Blackberry Code Files) •Steps 1. .jar -> .java (JD-GUI) Or 1. Notepad to open .cod (No luck!) • Demo • Limitation
  • 21. Tip - Reverse Engineer the Windows Phone Application •Tools used: -.net decompiler -Visual Studio with Windows Phone SDK
  • 22. Palisade Articles • iOS vs Android Testing • Mobile Data Encryption • Mobile Application Security Testing • Demystifying the Android • And … • Website link: palpapers.paladion.net
  • 23. • Questions and Answers • Quiz • Feedback