This document outlines Ron Munitz's presentation on Android reverse engineering. Some key points:
- Ron will demonstrate the Android build process and then the "unbuild" or reverse engineering process. This will include using tools like apktool, dex2jar, and jd-gui.
- The presentation will be 50 minutes and cover decompiling an app's resources, converting dex files to jars and class files, and using a Java decompiler to view source code.
- If time allows, Ron may also demonstrate network analysis using packet interceptors.
- The slides for the presentation are available online but the focus should be on the terminal demonstration and explanation.
- Reverse engineering Android apps can
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
1. PSCG
Ron Munitz
Founder & CEO - The PSCG
ron@thepscg.com
Voxxed Days
Vilnius
18 September 2015
@ronubo
Android Reverse
Engineering Lab
(Un)Build recipes
The slides are available online at:
thepscg.com/talks/
3. about://Ron Munitz
● Founder and CEO of the PSCG
○ The Premium Embedded/Android consulting and Training firm
● Android*, Linux*, Security* Trainer and Instructor
○ The PSCG, NewCircle and the Linux Foundation
● Senior Lecturer at Afeka College of Engineering and
Holon Institute of Technology
● Founder and (former) CTO of Nubo Software
○ The first Remote Android Workspace
● Always up for something new. Builder, Adviser.
● Building up on diverse engineering experience:
○ Distributed Fault Tolerant Avionic Systems
○ Highly distributed video routers
○ Real Time, Embedded, Server bringups
○ Operating Systems, very esoteric libraries, 0’s, 1’s and lots of them.
PSCG
4. Agenda: 50 minutes on fire
● This is an Android Reverse Engineering lab.
● That does not require profound knowledge in
Android
● Yet in order to understand unbuilding, we will
first explain the Android build process
● And then explain and show the unbuild process.
● The lab is Studio/Eclipse/Gradle/Studio
agnostic.
● If time permits (and it won’t), we’ll show Network
analysis using network packet interceptors.
PSCG
5. Agenda: 50 minutes on fire
● The slides are published in the URL in the
title slide
● But don’t (completely) rely on them. The only
thing you should really care about is the
terminal, and the spoken words.
● Feel free to record.
PSCG
8. Android Application Build Process
● The Android Asset Packaging Tool (aapt) takes your
application resource files, such as the
AndroidManifest.xml file and the XML files for your
Activities, and compiles them. An R.java is also
produced so you can reference your resources from
your Java code.
● The aidl tool converts any .aidl interfaces that you
have into Java interfaces.
● All of your Java code, including the R.java and .aidl
files, are compiled by the Java compiler and .class
files are output.
● The dex tool converts the .class files to Dalvik byte
code. Any 3rd party libraries and .class files that you
have included in your project are also converted into
.dex files so that they can be packaged into the final
.apk file.
PSCG
9. Android Application Build Process
● All non-compiled resources (such as images),
compiled resources, and the .dex files are sent to
the apkbuilder tool to be packaged into an .apk file.
● Once the .apk is built, it must be signed with either
a debug or release key before it can be installed to
a device.
● Finally, if the application is being signed in release
mode, you must align the .apk with the zipalign
tool. Aligning the final .apk decreases memory
usage when the application is running on a device.
PSCG
10. Application Signing
All Android applications must be signed. Application or
code signing is the process of digitally signing a given
application using a private key to:
● Identify the code's author
● Detect if the application has changed
● Establish trust between applications
Note: A popular attack surface.
PSCG
11. Odex, OBB, and the likes
● The picture listed before is incomplete, because there
are additional [optional] phases:
○ ODEX: Optimized DEX code, or more precisely a JIT
cache.
■ Can be generated on build time, on on runtime,
on the fly.
■ Relevant for both User and platform apps.
○ OBB: Opaque Binary Blobs - Binaries extending
APK files. Original purpose: APK size limitation.
■ Generated on Build time (if at all).
■ User apps only (Of course platform can just load
another file, etc.)
12. Odex, OBB, and the likes
● There are tools for obtaining information
from both
○ But don’t count on the OBB, as they are completely
arbitrary file formats. Usually used for some textures,
and other resources in Games and more.
● As long as an app is not Forward-Locked,
one can read entire APK’s via the
PackageManager
○ And read into the class files, use the classloader,
etc.
○ And also just “copy” the APK → App exporting apps.
13. Android Application Build Process
Lollipop and Marshmallow.
We will concentrate on the AOSP master
branch, as per mid-September, 2015
PSCG
14. APK installation
● Packages can be installed as part of the ROM
(/system), as part of the initial /data/ partition of the
ROM, via the Play store, direct links, attachments, and
adb install.
● In either way, the PackageManager is responsible of
setting up the installation path and directories.
● On pre Lollipop (Dalvik based) versions, the APK’s were
installed, and then (possibly) JIT-ed
○ Or pre JIT-ed - DEX_PREOPT - Out of the scope of
this talk
● On Lollipop - another phase of LLVM compiling using
dex2oat happens n the device itself
○ Or: DEX_PREOPT...
15. APK Installation: Why should one
care about JIT/OAT?
● Well, in theory they shouldn’t care much for
Lollipop/Marshmallow because the base
APK is redundant for installed apps.
● However, Prebaked (ROM) and pre
optimized ODEX/OAT files are not
redundant to the APK, but rather split
⇒ No ODEX == No code.
● Note: in Lollipop and Marshmallow all
DEX/ODEX files are really OAT files. That’s
extremely confusing, but that’s the way it is.
16. Finding your files
Without getting into too many details:
● Application data files go into:
○ /data/user/<userno>/<packagename>
○ /sdcard/Android/data/user/<userno>/<packagename>
● Application itself (apk) goes into $ADIR:
○ ADIR is /data/app, /data/priv-app, system/app ,
/system/priv-app, …
● Android Runtime OAT files go into $ODIR
● We will not discuss DSO’s, OBB’s, and
forward locked apps at the moment.
○ There are ways to extract them, and except for the FL
PSCG
17. ADIR ? ODIR?
● These are names I made up, because the
folder hierarchy changes between versions.
● For example: the OAT files (which will have
a misleading .dex extension) will be in the
following locations:
○ Marshmallow: Pretty much where the APK is:
■ /data/app/<package>/<ARCH>/base.odex
○ Lollipop: In /data/dalvik-cache/<ARCH>/
■ data@app@<package>@base.apk@classes.dex
■ system@<...>@ …
● Our examples will be on Marshmallow.
19. Reverse Engineering an App
● In life, it is hard to build and easy to destroy
● In Software it can be the same
● But it doesn’t have to.
● Reverse Engineering is the process of
unbuilding. Decompiling. Extracting
information out of compiled programs
● It is a fascinating domain
● That can have disastrous outcomes
20. Android rev-eng Tools
● apktool
○ Decodes resources to nearly original form and rebuild them after making
some modifications; it makes possible to debug smali code step by step.
● dex2jar
○ dex2jar is a tool for converting Android's .dex format to Java's .class
format. just one binary format to another binary format, not to source.
● JD-Project - jd-gui/jd-plugin
○ The “Java Decompiler project” aims to develop tools in order to decompile
and analyze Java 5 “byte code” and the later versions.
● Custom “oat2dex” tools
○ Cut the DEX code out of the OAT code, so that the processed file would
be able to serve as input to the aforementioned tools.
PSCG
21. Android rev-eng tools
● smali
○ Assembler/disassembler for the dex format used by dalvik, Android's Java VM
implementation. Supports the full functionality of the dex format (annotations,
debug info, line info, etc.)
○ Many time it’s MUCH EASIER to work on the smali level - especially when one
wants to modify and repackage an APK.
● androguard
○ Androguard is mainly a tool written in python to play with :
■ Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation),
■ APK (Android application) (.apk)
● There are more. Commercial and non commercial
● Most of the GUI tools just build on the most popular
command line tools - so we will concentrate on them.
● When there is a will there is a way
● There is a will. Code, data, behavioral attacks, IP.
PSCG
22. Reverse Engineering an App
● apktool takes your signed or
unsigned application apk and
retrieves
○ readable AndroidMenifest.xml
○ All its resources.
○ .dex/.odex files as .smali files
which are dex disassembly.
● dex2jar tool creates jars that contain .
class files of the application by
converting .dex files.
● A Java Decompiler (*jd*) can then be
applied.
○ The source code can be retrieved
automatically by installing jd-
plugin on Eclipse and opening .
class files.
Signed Apk
Resources
apktool
.dex files Manifest
.class files Java files
dex2jar
jd-plugin
PSCG
23. Ahead Of Time Compiling (ART)
● Experimental support before Lollipop
● Default Runtime since Lollipop
● AOT is a next generation JIT
○ In “plain Italian”: Your Java runs as native code.
● It essentially compiles your DEX code, into
completely native code.
○ Seems like problem solved right?
○ Well not really.
■ Observe: oatdump --oat-file=<some file..>
24. Ahead Of Time Compiling (ART)
$ oatdump --oat-file=system@priv-app@Settings.apk@classes.dex ### Excerpts
MAGIC:
oat
042
CHECKSUM:
0x48675513
INSTRUCTION SET:
X86_64
INSTRUCTION SET FEATURES:
none
DEX FILE COUNT:
1
…...
27. Ahead Of Time Compiling (ART)
In other words the OAT files provide you with:
● A full mapping from Native code to DEX byte
code
● A full mapping from both to Java functions.
● So you can apply the same techniques
for .dex file decompiling.
○ More tools: oat2dex, ...
28. How to “oat2dex”?
● Search for the DEX_FILE_MAGIC
○ { 0x64 0x65 0x78 0x0a 0x30 0x33 0x35 0x00 }
○ "dexn0350"
● Get rid of everything before it, and
everything after the DEX code
● Then use the “Traditional” tools on the
resulting file
● For a Python implementation see:
https://github.com/jakev/oat2dex-python
29. Repackaging
● Reverse Engineering is one thing. Modifying
an APK is another.
● Sometimes it is easy to rebuild from Java
sources - after complete decompilation.
● Most of the times it’s not ⇒ Fallback to .
smali
○ apktool d ⇒ modify ⇒ apktool b
○ baksmali ⇒ modify ⇒ smali
● Anyway, one has to resign the applications
after modifications (and re-zipalign) using
jarsigner.
30. Protecting Your Code
● There are no 100% bullet-proof protections
● There are however effective hardening methods
such as
○ Obfuscation
○ String Encryption
○ Asset Encryption
○ Tamper Detection
○ And more
● The tools exist at all levels: Java/ C/C++,
assembly, Javascript.
○ For more information - book a training
○ For just a teaser -look at some of my “Ultimate
Android Security Checklist” talks (always updating)
PSCG
31. Follow up:
● Android Security workshop
○ Public class in Tel-Aviv - October 18-20, 2015.
○ training@thepscg.com
○ Discount Code: VoxxedDays1809
● Private/Public classes in Lithuania?
○ Contact me - training@thepscg.com
33. Reversing Showcase
● For resources we will
use apktool
○ Which are usually
available in the .
apk without charge
○ But in a binary
forms (i.e. XML’s)
PSCG
38. Reversing Showcase
● This tool will help
us open .class files
without source
code
● In this case we
install JD-Project
as plugin to
eclipse
● There is also a
standalone version
PSCG
39. Reversing Showcase
● In order for JD-
Project to work, we
need to have the
jar in .classpath
● For that we will
add jar file as
external
PSCG
41. Reversing Showcase
● But what if I don’t have Eclipse?
○ Use jd-gui (my current choice)
○ Use JEB
○ Use other commercials or non commercials tools
● There is also a plugin for Android Studio, but
it is not yet considered stable.
PSCG
