As presented in droidcon Tel Aviv 2018: http://il.droidcon.com

1. Yonatan V.Levin
levin.yonatan parahall
Google Developer Expert
CTO & Co Founder

2. >100 Cities > 30M usersRuby, Go, Python, Microservices
Ooooops...

4. What Do We Do?
● Android Fundamentals
● Android UI / UX
● Community Hackathon
● Android Advanced
● Mentors Program
● Active community

5. facebook.com/groups/android.academy.ils/

6. 22.10
Fundamentals

7. Bang! Bang! You have been hacked.

11. private boolean isMocLocationsOn() {
return Settings.Secure.getString(getContentResolver(), Settings.Secure.ALLOW_MOCK_LOCATION)
.equals(ALLOW_MOC_LOCATIONS_ON);
}

12. public class TimeChangedReceiver extends BroadcastReceiver {
public void onReceive(Context context, Intent intent) {
onSystemTimeChanged();
}
}

13. urlSigner.getUrlSignature(encodedPath, mAuthenticationToken);
Network request signing

16. First sign

17. public class NetworkHttpUnauthorizedReceiver extends BroadcastReceiver
{
public void onReceive(Context context, Intent intent) {
int httpCode = intent.getIntExtra(IntentExtras.HTTP_CODE, -1);
if (httpCode == HttpURLConnection.HTTP_UNAUTHORIZED) {
LoginActivity.logOut(context);
}
}
}
Anyone can send “unauthorized”

18. Possible way to solve it
- Exported = ‘false’ in AndroidManifest.xml
- Custom permissions with
protectionLevel=”signature”
- Dynamic register with LocalBroadcastManager

23. We lost the battle but not the war

24. How he did it
Static Analysis
• APKTool, Smali/Baksmali, BytecodeViewer, JEB ($), IDA Pro ($$) …
Network Analysis
• mitmproxy, charles, burpsuite, wireshark

25. Security is hard.
If it’s not - it’s easy to break

26. Disclaimer: I’m not security expert.
It’s our journey, and I decided to share it.

27. It’s a team work

28. Very easy to reverse-engineer
https://github.com/google/android-classyshark

29. The first goal:
Protect our code

30. Code Protection
● Name obfuscation
● String encryption
● Class encryption
● Resources, asset and native library encryption Control flow and
arithmetic obfuscation
● Hide calls through reflection

31. public String encryptSensitiveMessage() {
String nuclearLaunchCode = "abc123";
String encryptionKey = "secretkey";
return CryptoEngine.encrypt(nuclearLaunchCode, encryptionKey);
}
Example

32. public String encryptSensitiveMessage() {
String nuclearLaunchCode = "abc123";
String encryptionKey = "secretkey";
Class clazz = Class.forName("CryptoEngine");
Method meth = clazz.getMethod("encrypt", String.class, String.class);
return (String) meth.invoke(null, nuclearLaunchCode, encryptionKey);
}
Reflection

33. public String encryptSensitiveMessage() {
String nuclearLaunchCode = Base64.decode("YWJjMTIz");
String encryptionKey = Base64.decode("c2VjcmV0a2V5");
Class clazz = Class.forName(Base64.decode("Q3J5cHRvRW5naW5l"));
Method meth = clazz.getMethod(Base64.decode("ZW5jcnlwdA=="), String.class,
String.class);
return (String) meth.invoke(null, nuclearLaunchCode, encryptionKey);
}
String obfuscation

34. public String a() {
String a = e.f("YWJjMTIz");
String b = e.f("c2VjcmV0a2V5");
Class c = Class.forName(e.f("Q3J5cHRvRW5naW5l"));
Method d = c.getMethod(e.f("ZW5jcnlwdA=="), String.class, String.class);
return (String) d.invoke(null, a, b);
}
Name obfuscation

35. Automate it:
Proguard

37. Proguard
release {
minifyEnabled true
shrinkResources true
proguardFile 'proguard-project.pro'
proguardFile 'proguard-crashlytics.pro'
proguardFile 'proguard-gson.pro'
proguardFile 'proguard-okhttp.pro'
proguardFile 'proguard-mixpanel.pro'
proguardFile 'proguard-retrofit.pro'
proguardFile 'proguard-pubnub.pro'
proguardFile 'proguard-logback-android.pro'
proguardFile getDefaultProguardFile('proguard-android.txt')
debuggable false
signingConfig signingConfigs.release
}

38. -repackageclasses
-allowaccessmodification
-flattenpackagehierarchy
Proguard obfuscation

40. GSON makes you weak :)

41. "Order": {
"id": 89684,
"status": "expired",
"payment_type": "cash",
"future_ride": false,
"passenger_comment": "",
"scheduled_at": "2015-12-13T15:13:48+02:00",
"account_ride": false,
"ride_type": "private",
"price_origin": "driver",
"autopay": false...
public class A {
private int b;
private AB c;
private TM d;
private boolean e;
private S f;
private D j;
private D g;
private D k;
private boolean l;
private double m;
private boolean n;

42. Second goal:
Hide model in network layer

45. Protocol Buffers
(Wire)

46. message Person {
// The customer's full name.
required string name = 1;
// The customer's ID number.
required int32 id = 2;
// Email address for the customer.
optional string email = 3;
enum PhoneType {
MOBILE = 0;
HOME = 1;
WORK = 2;
}
message PhoneNumber {
// The user's phone number.
required string number = 1;
// The type of phone stored here.
optional PhoneType type = 2 [default = HOME];
}
// A list of the user's phone numbers.
repeated PhoneNumber phone = 4;
}

47. public final class Person extends Message {
/** The customer's full name. */
@ProtoField(tag = 1, type = STRING, label = REQUIRED)
public final String name;
/** The customer's ID number. */
@ProtoField(tag = 2, type = INT32, label = REQUIRED)
public final Integer id;
/** Email address for the customer. */
@ProtoField(tag = 3, type = STRING)
public final String email;
/** A list of the user's phone numbers. */
@ProtoField(tag = 4, label = REPEATED)
public final List<PhoneNumber> phone;

48. byte[] data = person.toByteArray();
Wire wire = new Wire();
Person newPerson = wire.parseFrom(data, Person.class);

50. Our Network exposing our models

51. * Ask server guys to have a flag - JSON/ProtoBuff format.
Will make your life easy to debug

52. Retrofit StarWarsServiceRetrofit = new
Retrofit.Builder().baseUrl(baseUrl)
.client(clientBuilder.build())
.addConverterFactory(WireConverterFactory.create())
.addConverterFactory(GsonConverterFactory.create())
.build();

53. Third goal:
Challenge the code stripping.

54. APK Signature check

55. PackageInfo packageInfo = context.getPackageManager()
.getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
for (Signature signature : packageInfo.signatures) {
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(signature.toByteArray());
String currentSignature = Base64.encodeToString(md.digest(), Base64.DEFAULT);
//compare signatures
if (EXPECTED_SIGNATURE.equals(currentSignature)) {
return VALID;
}
return INVALID;

56. Challenge
Connect the code ,key and API.
Goal: every single change in code will generate different key and this
key will be used to sign API request.

57. Dex
- Custom Class Loading in Dalvik

58. DexClassLoader cl = new
DexClassLoader(dexInternalStoragePath.getAbsolutePath(),
optimizedDexOutputPath.getAbsolutePath(), null, getClassLoader());
Class libProviderClazz = null;
try {
// Load the library.
libProviderClazz = cl.loadClass("com.example.dex.lib.LibraryProvider");
LibraryInterface lib = (LibraryInterface) libProviderClazz.newInstance();
lib.showAwesomeToast(this, "hello");
} catch (Exception e) {...}

59. Reflection
Ask application with API - Who are you?
Generate challenge for each user randomly.Load it from server.
What can be challenged?
Resource IDs,
Class fields,
Classes
Method results

60. NDK possible to reverse-engineer too but really really hard!
https://www.hex-rays.com/products/decompiler/

61. JNI
- Use bytecode libs

62. With Help from Google

63. App Licensing
Google Library to query Google Play
Services if Application was installed from
the play store.

65. In order to download your expansion files
from Google Play, the user must have
acquired your application from Google
Play.

66. Combination - Part 1 Authorization
Answer to challenge
Obtain random
challenge for
current session
Application Side
Server Side
Download the
challenge
Using
Reflection
answer
challenge Send as
bytecode data
using
flatbuffer/wire
Compare
&
decide

67. Combination - Every request
Build
.apk
Extract MD5
from .apk
Store MD5 on server +
hash function (RSA,
AES)
Run-Time
Building Release
Load dex library.
Obtain MD5 from
dex/.so lib
Sign URL with MD5,
Token, TimeStamp and
challenge response Send data using
flatbuffer/wire
Compare url
signature

68. Compare
signature
and decide
Build
.apk
Extract MD5
from .apk
Store MD5 on
server per built
version
Run-Time
Building Release
Load dex library with
challenge.
Obtain MD5 from
dex/.so lib
Sign API Request with
MD5, Token,
TimeStamp and
challenge response
Answer to challenge
Obtain random
challenge for
current session
Server Side
Generate signature
based on stored MD5,
Challenge Answer,
TimeStamp & Token
Send data using
flatbuffer/wire

72. Yonatan V.Levin levin.yonatan
parahallGoogle Developer Expert