Help Doctor, my application is an onion!

My application is an
onion. Help me Doctor!
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.

● Sebas Guerrero (@0xroot)
● Sr. Mobile Security Analyst @ NowSecure
● sguerrero@nowsecure.com
Who I am

What society think we do

● This talk pretends to be a lightning talk, for more detailed
information, please refer to:
● The Nightmare behind the cross platform mobile apps dream
(https://www.blackhat.com/docs/asia-15/materials/asia-15-Grassi-The-
Nightmare-Behind-The-Cross-Platform-Mobile-Apps-Dream.pdf) - Marco Grassi /
Sebas Guerrero
● Android Hacker Protection Level 0 (https://www.defcon.org/images/defcon-
22/dc-22-presentations/Strazzere-Sawyer/DEFCON-22-Strazzere-and-Sawyer-
Android-Hacker-Protection-Level-UPDATED.pdf) Tim Strazzere, Justin Case
NOTE

● Motivations
● Frameworks
A. Titanium Framework (Demo)
Kony Framework (Demo)
● Obfuscators
B. ProGuard
C. DexGuard (Demo)
● Conclusions
Agenda

● Most of the applications assessments realized during the last
year were packed/obfuscated or using some framework.
● Manual analysis is ok once, twice… but I’m not ‘Chinese’.
● It’s a good challenge to understand its insights and how do
they work.
● “Keep your application away from hackers”.
Motivations

Frameworks
When wrappin’ is all what your developers care about.

Background
● Mobile market is fragmented. Developers want their app on multiple platform, at least iOS and Android.
● This caused a growth in the number of tools and frameworks available for cross platform development
with different technologies.
● Native code development is from 90’s. HTML5 and JavaScript are the future. They are so trending
topic.
● Money is a scarce resource, even more when you have to hire a dev team for each platform.
● Large companies are getting interested on multi-deployment framework models. They like to be cool.

Background

Catch’ em all

Titanium Framework
Not that stronger.

● Open source framework that can be downloaded from its
official website.
● As many other frameworks, brings you the ability to
develop your native mobile application in JavaScript.
● It is a wrapper, that runs the JavaScript code on an
interpreter and uses native UI and other functionalities.
● Comes with its own IDE, which is Eclipse based.

Extracting the code
● As mentioned before, the real source code is written in JavaScript.
● The asset data is loaded at runtime through the ‘AssetCryptImpl’ class.
● The assets range are defined in a HashMap in the ‘initAssets’ method. This range
specifies the start and end of a specific file in assets bytes.
● The chunk of data that contains the real assets is a CharBuffer defined in the
‘initAssetsBytes’ method.

initAssets

initAssetsBytes

Defeating the encryption
● The crypto is implemented in the shared library ‘libtiverify.so’, in the JNI function
‘Java_org_appcelerator_titanium_TiVerify_filterDataInRange’.
● Simple AES in ECB mode, using the last 16 bytes of the assetBytes as key for the
decryption process.
● There are multiple approaches to recover the original data. Lets keep it simple.
● The pseudo-code for the filterDataInRange method looks like:

Defeating the encryption

Kony Framework
That ‘startup.js’ file is not the startup you are looking for.

● Standard approaches used during application assessment
are no longer useful.
● The framework is a wrapper, but its behavior slightly
changes from versions prior to 6.0, and afterwards to 6.0
Kony Framework

LUA Bytecode (Prior to 6.0)
Kony app konyappluabytecode.o.mp3

JVSM (Afterwards to 6.0)
Kony app libkonyJSVM.so
startup.js
common-jslibs.kfm

● There are multiple approaches available. From massive
device memory dumping to dynamic instrumentation
(Frida).
● In case you are lazy, just use ‘unluac.jar’ and extracts the
LUA code.
● For more detailed information, please refer to our talk at
Black Hat Asia 2015.
Hunting the LUA code

● If you are lucky enough, earlier versions of the JSVM,
only require you to unzip the ‘startup.js’ file to extract the
original source code.
● Latest versions prefer to put things harder… Long story
short, the shared library is a trap and the crypter is the
jackpot.
● That is the case we will discuss in this section.
Hunting the JavaScript code

Kony Kung-fu KO
It is not over 9000.

Kony application
● A couple interesting and encrypted files (‘common-jslibs.kfm’ & ‘startup.js’) can be seen
in the ‘assets/js’ folder.
● File format is not recognizable, and binary analysis does not reveal any clue.
● Reverse engineering process to the ‘classes.dex’ file does not reveal anything related
with crypto operations.
● However, there is a class that caught our attention ‘KonyJavaScriptVM’. The infamous
method ‘System.loadLibrary’ is being used, and it loads the shared library ‘konyjsvm.so’

KonyJavaScriptVM method
● It might look sort of black magic to redirect our efforts to this library, but first look at that
previous class got me a hunch.
1. Contains references to ‘common-jslibs.kfm’ and ‘startup.js’ files.
2. Following cross references between calls to a range of obfuscated methods, we
discover buffer allocation, compilation and zipEntry operations that ends in a call
to ‘loadFilesToVM’ function. Such method belongs to ‘konyjsvm’ shared library.
3. Roses are red, Violets are blue, potato.

konyjsvm shared library
● A quick look to the procedure ‘KonyJSVM_loadFilesToVM’, reveals multiple calls to EVP cipher routines,
a method named ‘charxor’, and a call to ‘callUnzippingForDex’ method, among others.
1. This method decrypts the encrypted files and loads their content dynamically.
● Best practices during development stage? What is that? First look at its implementation:
2. XOR encryption key embedded in the source code: ‘AnDr/iD2K@nyeN4Calert’.
3. IV embedded in the source code and initialized to 0’s.
4. Yes, the encryption key is also embedded in the source code. What the heck did you expect?

What is XOR’ed?
● The string XOR’ed is the key used in the ‘EVP_AES_256_CBC’ cipher, which is generated as follows:
1. Call to ‘getTime’ method, which executes the ‘getTimeStamp’ function. However this value can be
obtained from the file ‘application.properties’ located under the ‘/assets’ folder.
2. Call to ‘getN’ method, according to its implementation returns the the class name for the package located
under ‘/com/kony/labs/android/KonyMain’, which is ‘KonyMain’.
3. A XOR operation is performed between these two values.
4. Call to ‘getPackageName’ method.
5. Another XOR operation is performed between the result from the previous XOR operation and the
package name.

Reverting the process
● Again, there are multiple solutions available out there. Static and dynamic approaches do exist.
However, I’ve got another hunch.
1.The application does not include any methods to the encryption and/or decryption process.
2.The crypto operations observed in the library, are merely for decryption purposes.
3.The application has been shipped to the store and it already included the encrypted files.
4.Those files are being encrypted at compilation time, and luckily, there is a trial available for
Kony IDE Framework which can be downloaded.

kony_loadfile.exe
encrypt - 1
decrypt - 0

kony_loadfile.exe
● The binary expects the following parameters:
startup.js common-jslibs.kfm APPID package_name timestamp

Obfuscators/Optimizers
Protectors
When wrappin’ is all what your developers care about.

● As developer, either you are lazy to implement good
practices, or directly you are not aware of them. However,
they do the job for you, partially.
● Includes security mechanisms such as encryption,
obfuscation and potential use of reflection techniques.
● They try to sell your application would be protected
against hackers.
Why using obfuscators?

ProGuard
Mmm… potato

● Way older than Android, specially designed for Java at
the beginning.
● Recommended by Google for Android developers and
quite frequent out there in applications shipped to the Play
Store.
● It is free and bundled in Android SDK.
Quick introduction

Optimization?
● At the byte code instruction level:
A. Removes unnecessary/unused code.
B. Renames objects (compact classes/methods/vars names).
C. Restructures code.
D. Performs peephole optimizations.
E. Merges identical code blocks.
F. Removes debug information.

Obfuscation?
● Traditional and basic name obfuscation:
A. Rename identifiers: class/field/method names
B. Remove debug information: line numbers, local variable names, …

Class renaming

.source field annotation

Final result
Original Java Source
ProGuard Output

Why developers use it?
● It decreases the dex file size and increases the application speed and its performance.
Also reduces memory usage.
● Removes debug information, .source annotation field, lines number, etc. Which might
slightly increase its reversing complexity.
● However it can be seen as an application being developed by an apprentice.
● Doesn’t deploy real obfuscation, and it is trivial to reconstruct original code, it only
requires patience and some extra hours.

● Automatic class rename utility based on .source
annotation.
(https://github.com/HamiltonianCycle/ClassNameDeobfusc
ator)
● JEB/JEB2 and its renaming feature.
● Dynamic instrumentation with Frida, Cydia Substrate or
Xposed Framework.
Swiss Toolset

DexGuard
Ohh… Boo! Did it scare you?

● Paid version of ProGuard. Offers same functionalities as
its predecesor (optimizer, shrinker).
● Includes “low level” techniques that are supposed to
increase notoriously the reverse engineering process.
● It also encrypts and obfuscates application’s assets and
libraries.
● A license might cost around $600 - $1300
Quick introduction

What does it do?
● All the features already included in ProGuard
● String encryption
● Tampering detection
● Assets and libraries encryption
● Class encryption (We will cover this point later)
● Automatic reflection

Why developers use it?
● In opposition to Proguard, it might increase the dex file size as well as the application speed
and its performance. Including memory usage.
● Includes all the features included in Proguard.
● Performs automatic encryption to the application’s strings, assets, libraries and classes.
● Use of automatic reflection in combination with the protections described above.
● Might give you some headaches when reverse engineering it
● It is really easy to use, and offers a decent grade of protection for its prize.

Reflection
Automatic reflection
String Encryption

String Encryption
Encrypted strings
array
Obfuscated code

Loader
Keys and IV
for 1st DEX
1st Dex
2nd Dex
(Main Code)
1st Embedded dex
Keys and IV
for 2nd DEX
2nd Embedded dex
Main Code
1st Stage
2nd Stage
Class encryption

Defeating DexGuard
(Statically)
● Use scripts for JEB like DeCluster (JCase) and DexGuardStringDecoder (AKosterin) to
rename classes, methods and variables and spot the InnerClass function that contains
the string decryption method.
● Spot the respective IVs and encryption keys, grab the dex binaries content embedded
in the loader and first encrypted dec, and revert the process.
● Sounds easy, but in fact, it’s a pain in the ass…

Defeating DexGuard
(Statically)

Defeating DexGuard
(Statically)
First/Second dex embedded
(encrypted)
Encryption Key
IV
DES/AES
CBF/NP
Encrypt/Decrypts classes.dex
Repeat this process
twice

Not gonna happen

How to defeat DexGuard
(Dynamically)
Most packers and obfuscators dynamically load dex/apk/jar/zip
files. This means that at some point those files must be written
on disk.
UNPROTECTED, DECRYPTED.

BaseDexClassLoader

DexFile

Conclusions
But… I’ve got mad skillzZz and already paid for these protections!

Well…
● Nothing is unbreakable, even if your product
costs a thousand dollars, however you can raise the
bar, always.
● Do not fall on the idea of adding extra layers of
security to your application, just because it will be
more secure. Leave the onions for cooking.

Thanks
Special mentions to @revskills a.k.a. ‘My weapon’, @trufae, @pof, @oleavr, @fuzion24,
@strazzere, @jduck, @jcase,@nowsecuremobile, @insitusec, etc…

Q&A?

Help Doctor, my application is an onion!

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Help Doctor, my application is an onion!

Similar a Help Doctor, my application is an onion! (20)

Último

Último (20)

Help Doctor, my application is an onion!