Publicidad
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!

Check these out next

iOS Application Penetration Testing
iOS Application Penetration Testing
n|u - The Open Security Community
Android Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
CDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest Workshop
Prathan Phongthiproek
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
Ömer Coşkun
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
Jason Haddix
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
Sperasoft
Deep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
1 de 63

Help Doctor, my application is an onion!

5 de Jan de 2016
Descargar para leer sin conexión
Ingeniería

Slides for the presentation given at NoConName Conference

Sebastián Guerrero Selma
Senior Mobile Security Analyst
Publicidad
Publicidad
Publicidad

Recomendados

[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP2.2K vistas166 diapositivas
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel722 vistas88 diapositivas
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid 4.1K vistas52 diapositivas
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Gonzalo Parra836 vistas24 diapositivas
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa1.9K vistas76 diapositivas
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette7.5K vistas77 diapositivas

Más contenido relacionado

Presentaciones para ti(20)

iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
n|u - The Open Security Community3.9K vistas
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder8.1K vistas
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity2.7K vistas
CDIC 2013-Mobile Application Pentest WorkshopCDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest Workshop
Prathan Phongthiproek2K vistas
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
Ömer Coşkun3.5K vistas
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
Jason Haddix2.8K vistas
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
Sperasoft1.4K vistas
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.9.2K vistas
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
h4oxer3.1K vistas
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
Rich Helton912 vistas
Android App Hacking - Erez Metula, AppSecAndroid App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSec
DroidConTLV1.2K vistas
Mobile securityMobile security
Mobile security
Stefaan 418 vistas
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFC
Slawomir Jasek5.7K vistas
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
Seguridad Apple8.5K vistas
First Steps in AndroidFirst Steps in Android
First Steps in Android
Rich Helton1.4K vistas
Android system securityAndroid system security
Android system security
Chong-Kuan Chen1.3K vistas
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov
OWASP Russia1.5K vistas
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
Prathan Phongthiproek169 vistas
Android SecurityAndroid Security
Android Security
Lars Jacobs4K vistas
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana1.6K vistas

Similar a Help Doctor, my application is an onion!(20)

Using CredHub for Kubernetes DeploymentsUsing CredHub for Kubernetes Deployments
Using CredHub for Kubernetes Deployments
VMware Tanzu1K vistas
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
James Wickett277 vistas
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
Amit Serper657 vistas
Google Hacking Lab ClassNameDate This is an introducti.docxGoogle Hacking Lab ClassNameDate This is an introducti.docx
Google Hacking Lab ClassNameDate This is an introducti.docx
whittemorelucilla6 vistas
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
NowSecure1.2K vistas
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Mobodexter709 vistas
Tor in Haskell & Other Unikernel TricksTor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel Tricks
C4Media536 vistas
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS Apps
Herman Duarte3.3K vistas
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett4.2K vistas
Android Security: Defending Your UsersAndroid Security: Defending Your Users
Android Security: Defending Your Users
CommonsWare2.6K vistas
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett607 vistas
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
VeilFramework4.8K vistas
Kube Security Shifting left | Scanners & OPAKube Security Shifting left | Scanners & OPA
Kube Security Shifting left | Scanners & OPA
Haggai Philip Zagury18 vistas
Securing User Data with SQLCipherSecuring User Data with SQLCipher
Securing User Data with SQLCipher
CommonsWare8.1K vistas
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett327 vistas
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
VeilFramework18.6K vistas
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in Production
Gianluca Arbezzano2.9K vistas
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing Pods
Suraj Deshmukh800 vistas
LinkedinLinkedin
Linkedin
Khaled Serag256 vistas
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
SeniorStoryteller764 vistas
Publicidad

Último(20)

MRI Image Segmentation Using Level Set Method and Implement an Medical Diagno...MRI Image Segmentation Using Level Set Method and Implement an Medical Diagno...
MRI Image Segmentation Using Level Set Method and Implement an Medical Diagno...
CSEIJJournal0 vistas
ML-DecisionTrees.pptML-DecisionTrees.ppt
ML-DecisionTrees.ppt
ssuser71fb630 vistas
nanotech in Def. (dinesh yadav).pptxnanotech in Def. (dinesh yadav).pptx
nanotech in Def. (dinesh yadav).pptx
DineshYadav2303780 vistas
WIPAC Monthly - May 2023.pdfWIPAC Monthly - May 2023.pdf
WIPAC Monthly - May 2023.pdf
Water Industry Process Automation & Control0 vistas
SMRP Best Practices 6th EditionSMRP Best Practices 6th Edition
SMRP Best Practices 6th Edition
VictorMarcos180 vistas
Page Cache in Linux 2.6.pdfPage Cache in Linux 2.6.pdf
Page Cache in Linux 2.6.pdf
ycelgemici10 vistas
CSE WIBREE ppt.pptxCSE WIBREE ppt.pptx
CSE WIBREE ppt.pptx
vidyamali40 vistas
Mechanical Engineering: An International Journal (MEIJ)Mechanical Engineering: An International Journal (MEIJ)
Mechanical Engineering: An International Journal (MEIJ)
meijjournal0 vistas
vol_stability_slides.pptvol_stability_slides.ppt
vol_stability_slides.ppt
VivekPatel8175930 vistas
HOSPITAL MANAGEMENT PPT.pptxHOSPITAL MANAGEMENT PPT.pptx
HOSPITAL MANAGEMENT PPT.pptx
Vasanth1510 vistas
PPTSEM3.pptxPPTSEM3.pptx
PPTSEM3.pptx
VEDAMNT0 vistas
McDonell Douglas XFD-1 Pilot's Handbook.pdfMcDonell Douglas XFD-1 Pilot's Handbook.pdf
McDonell Douglas XFD-1 Pilot's Handbook.pdf
TahirSadikovi0 vistas
lecture1.pptxlecture1.pptx
lecture1.pptx
NorazamAliman0 vistas
ID725_Samuthirapandi_IoT_karuppu.pptxID725_Samuthirapandi_IoT_karuppu.pptx
ID725_Samuthirapandi_IoT_karuppu.pptx
DrSNAVANEETHAN0 vistas
Modelling and Performance of transmission lines.pptxModelling and Performance of transmission lines.pptx
Modelling and Performance of transmission lines.pptx
karthik prabhu0 vistas
mechanical properties of metal.pptxmechanical properties of metal.pptx
mechanical properties of metal.pptx
SAMEERSARWAR60 vistas
ASSIGNMENT-2 BETC (1) (1).pdfASSIGNMENT-2 BETC (1) (1).pdf
ASSIGNMENT-2 BETC (1) (1).pdf
SreyashiBishnuMajumd0 vistas
Friction.pdfFriction.pdf
Friction.pdf
RaviJangid770 vistas
ID727_Helina_MitigationTechnique_uday.pptxID727_Helina_MitigationTechnique_uday.pptx
ID727_Helina_MitigationTechnique_uday.pptx
DrSNAVANEETHAN0 vistas
ppt.pptxppt.pptx
ppt.pptx
VEDAMNT0 vistas

Help Doctor, my application is an onion!

  1. My application is an onion. Help me Doctor! © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
  2. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Sebas Guerrero (@0xroot) ● Sr. Mobile Security Analyst @ NowSecure ● sguerrero@nowsecure.com Who I am
  3. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. What society think we do
  4. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● This talk pretends to be a lightning talk, for more detailed information, please refer to: ● The Nightmare behind the cross platform mobile apps dream (https://www.blackhat.com/docs/asia-15/materials/asia-15-Grassi-The- Nightmare-Behind-The-Cross-Platform-Mobile-Apps-Dream.pdf) - Marco Grassi / Sebas Guerrero ● Android Hacker Protection Level 0 (https://www.defcon.org/images/defcon- 22/dc-22-presentations/Strazzere-Sawyer/DEFCON-22-Strazzere-and-Sawyer- Android-Hacker-Protection-Level-UPDATED.pdf) Tim Strazzere, Justin Case NOTE
  5. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Motivations ● Frameworks A. Titanium Framework (Demo) Kony Framework (Demo) ● Obfuscators B. ProGuard C. DexGuard (Demo) ● Conclusions Agenda
  6. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Most of the applications assessments realized during the last year were packed/obfuscated or using some framework. ● Manual analysis is ok once, twice… but I’m not ‘Chinese’. ● It’s a good challenge to understand its insights and how do they work. ● “Keep your application away from hackers”. Motivations
  7. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Frameworks When wrappin’ is all what your developers care about.
  8. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Background ● Mobile market is fragmented. Developers want their app on multiple platform, at least iOS and Android. ● This caused a growth in the number of tools and frameworks available for cross platform development with different technologies. ● Native code development is from 90’s. HTML5 and JavaScript are the future. They are so trending topic. ● Money is a scarce resource, even more when you have to hire a dev team for each platform. ● Large companies are getting interested on multi-deployment framework models. They like to be cool.
  9. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Background
  10. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Catch’ em all
  11. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Titanium Framework Not that stronger.
  12. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Open source framework that can be downloaded from its official website. ● As many other frameworks, brings you the ability to develop your native mobile application in JavaScript. ● It is a wrapper, that runs the JavaScript code on an interpreter and uses native UI and other functionalities. ● Comes with its own IDE, which is Eclipse based.
  13. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Extracting the code ● As mentioned before, the real source code is written in JavaScript. ● The asset data is loaded at runtime through the ‘AssetCryptImpl’ class. ● The assets range are defined in a HashMap in the ‘initAssets’ method. This range specifies the start and end of a specific file in assets bytes. ● The chunk of data that contains the real assets is a CharBuffer defined in the ‘initAssetsBytes’ method.
  14. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. initAssets
  15. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. initAssetsBytes
  16. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Defeating the encryption ● The crypto is implemented in the shared library ‘libtiverify.so’, in the JNI function ‘Java_org_appcelerator_titanium_TiVerify_filterDataInRange’. ● Simple AES in ECB mode, using the last 16 bytes of the assetBytes as key for the decryption process. ● There are multiple approaches to recover the original data. Lets keep it simple. ● The pseudo-code for the filterDataInRange method looks like:
  17. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Defeating the encryption
  18. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
  19. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Kony Framework That ‘startup.js’ file is not the startup you are looking for.
  20. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Standard approaches used during application assessment are no longer useful. ● The framework is a wrapper, but its behavior slightly changes from versions prior to 6.0, and afterwards to 6.0 Kony Framework
  21. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. LUA Bytecode (Prior to 6.0) Kony app konyappluabytecode.o.mp3
  22. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. JVSM (Afterwards to 6.0) Kony app libkonyJSVM.so startup.js common-jslibs.kfm
  23. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● There are multiple approaches available. From massive device memory dumping to dynamic instrumentation (Frida). ● In case you are lazy, just use ‘unluac.jar’ and extracts the LUA code. ● For more detailed information, please refer to our talk at Black Hat Asia 2015. Hunting the LUA code
  24. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● If you are lucky enough, earlier versions of the JSVM, only require you to unzip the ‘startup.js’ file to extract the original source code. ● Latest versions prefer to put things harder… Long story short, the shared library is a trap and the crypter is the jackpot. ● That is the case we will discuss in this section. Hunting the JavaScript code
  25. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Kony Kung-fu KO It is not over 9000.
  26. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Kony application ● A couple interesting and encrypted files (‘common-jslibs.kfm’ & ‘startup.js’) can be seen in the ‘assets/js’ folder. ● File format is not recognizable, and binary analysis does not reveal any clue. ● Reverse engineering process to the ‘classes.dex’ file does not reveal anything related with crypto operations. ● However, there is a class that caught our attention ‘KonyJavaScriptVM’. The infamous method ‘System.loadLibrary’ is being used, and it loads the shared library ‘konyjsvm.so’
  27. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. KonyJavaScriptVM method ● It might look sort of black magic to redirect our efforts to this library, but first look at that previous class got me a hunch. 1. Contains references to ‘common-jslibs.kfm’ and ‘startup.js’ files. 2. Following cross references between calls to a range of obfuscated methods, we discover buffer allocation, compilation and zipEntry operations that ends in a call to ‘loadFilesToVM’ function. Such method belongs to ‘konyjsvm’ shared library. 3. Roses are red, Violets are blue, potato.
  28. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. konyjsvm shared library ● A quick look to the procedure ‘KonyJSVM_loadFilesToVM’, reveals multiple calls to EVP cipher routines, a method named ‘charxor’, and a call to ‘callUnzippingForDex’ method, among others. 1. This method decrypts the encrypted files and loads their content dynamically. ● Best practices during development stage? What is that? First look at its implementation: 2. XOR encryption key embedded in the source code: ‘AnDr/iD2K@nyeN4Calert’. 3. IV embedded in the source code and initialized to 0’s. 4. Yes, the encryption key is also embedded in the source code. What the heck did you expect?
  29. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. What is XOR’ed? ● The string XOR’ed is the key used in the ‘EVP_AES_256_CBC’ cipher, which is generated as follows: 1. Call to ‘getTime’ method, which executes the ‘getTimeStamp’ function. However this value can be obtained from the file ‘application.properties’ located under the ‘/assets’ folder. 2. Call to ‘getN’ method, according to its implementation returns the the class name for the package located under ‘/com/kony/labs/android/KonyMain’, which is ‘KonyMain’. 3. A XOR operation is performed between these two values. 4. Call to ‘getPackageName’ method. 5. Another XOR operation is performed between the result from the previous XOR operation and the package name.
  30. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Reverting the process ● Again, there are multiple solutions available out there. Static and dynamic approaches do exist. However, I’ve got another hunch. 1.The application does not include any methods to the encryption and/or decryption process. 2.The crypto operations observed in the library, are merely for decryption purposes. 3.The application has been shipped to the store and it already included the encrypted files. 4.Those files are being encrypted at compilation time, and luckily, there is a trial available for Kony IDE Framework which can be downloaded.
  31. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. kony_loadfile.exe encrypt - 1 decrypt - 0
  32. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. kony_loadfile.exe ● The binary expects the following parameters: startup.js common-jslibs.kfm APPID package_name timestamp
  33. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
  34. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Obfuscators/Optimizers Protectors When wrappin’ is all what your developers care about.
  35. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● As developer, either you are lazy to implement good practices, or directly you are not aware of them. However, they do the job for you, partially. ● Includes security mechanisms such as encryption, obfuscation and potential use of reflection techniques. ● They try to sell your application would be protected against hackers. Why using obfuscators?
  36. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Catch’ em all
  37. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ProGuard Mmm… potato
  38. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Way older than Android, specially designed for Java at the beginning. ● Recommended by Google for Android developers and quite frequent out there in applications shipped to the Play Store. ● It is free and bundled in Android SDK. Quick introduction
  39. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Optimization? ● At the byte code instruction level: A. Removes unnecessary/unused code. B. Renames objects (compact classes/methods/vars names). C. Restructures code. D. Performs peephole optimizations. E. Merges identical code blocks. F. Removes debug information.
  40. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Obfuscation? ● Traditional and basic name obfuscation: A. Rename identifiers: class/field/method names B. Remove debug information: line numbers, local variable names, …
  41. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Class renaming
  42. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. .source field annotation
  43. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Final result Original Java Source ProGuard Output
  44. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Why developers use it? ● It decreases the dex file size and increases the application speed and its performance. Also reduces memory usage. ● Removes debug information, .source annotation field, lines number, etc. Which might slightly increase its reversing complexity. ● However it can be seen as an application being developed by an apprentice. ● Doesn’t deploy real obfuscation, and it is trivial to reconstruct original code, it only requires patience and some extra hours.
  45. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Automatic class rename utility based on .source annotation. (https://github.com/HamiltonianCycle/ClassNameDeobfusc ator) ● JEB/JEB2 and its renaming feature. ● Dynamic instrumentation with Frida, Cydia Substrate or Xposed Framework. Swiss Toolset
  46. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. DexGuard Ohh… Boo! Did it scare you?
  47. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Paid version of ProGuard. Offers same functionalities as its predecesor (optimizer, shrinker). ● Includes “low level” techniques that are supposed to increase notoriously the reverse engineering process. ● It also encrypts and obfuscates application’s assets and libraries. ● A license might cost around $600 - $1300 Quick introduction
  48. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. What does it do? ● All the features already included in ProGuard ● String encryption ● Tampering detection ● Assets and libraries encryption ● Class encryption (We will cover this point later) ● Automatic reflection
  49. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Why developers use it? ● In opposition to Proguard, it might increase the dex file size as well as the application speed and its performance. Including memory usage. ● Includes all the features included in Proguard. ● Performs automatic encryption to the application’s strings, assets, libraries and classes. ● Use of automatic reflection in combination with the protections described above. ● Might give you some headaches when reverse engineering it ● It is really easy to use, and offers a decent grade of protection for its prize.
  50. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Reflection Automatic reflection String Encryption
  51. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. String Encryption Encrypted strings array Obfuscated code
  52. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Loader Keys and IV for 1st DEX 1st Dex 2nd Dex (Main Code) 1st Embedded dex Keys and IV for 2nd DEX 2nd Embedded dex Main Code 1st Stage 2nd Stage Class encryption
  53. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Defeating DexGuard (Statically) ● Use scripts for JEB like DeCluster (JCase) and DexGuardStringDecoder (AKosterin) to rename classes, methods and variables and spot the InnerClass function that contains the string decryption method. ● Spot the respective IVs and encryption keys, grab the dex binaries content embedded in the loader and first encrypted dec, and revert the process. ● Sounds easy, but in fact, it’s a pain in the ass…
  54. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Defeating DexGuard (Statically)
  55. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Defeating DexGuard (Statically) First/Second dex embedded (encrypted) Encryption Key IV DES/AES CBF/NP Encrypt/Decrypts classes.dex Repeat this process twice
  56. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Not gonna happen
  57. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. How to defeat DexGuard (Dynamically) Most packers and obfuscators dynamically load dex/apk/jar/zip files. This means that at some point those files must be written on disk. UNPROTECTED, DECRYPTED.
  58. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. BaseDexClassLoader
  59. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. DexFile
  60. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Conclusions But… I’ve got mad skillzZz and already paid for these protections!
  61. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Well… ● Nothing is unbreakable, even if your product costs a thousand dollars, however you can raise the bar, always. ● Do not fall on the idea of adding extra layers of security to your application, just because it will be more secure. Leave the onions for cooking.
  62. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Thanks Special mentions to @revskills a.k.a. ‘My weapon’, @trufae, @pof, @oleavr, @fuzion24, @strazzere, @jduck, @jcase,@nowsecuremobile, @insitusec, etc…
  63. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Q&A?
Publicidad