All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt. 04.10.2015 Secure Software Engineering Group Steven Arzt 1

Similar documents
Smartphone Security for Android Applications

(In-)Security of Backend-as-a-Service

This is DEEPerent: Tracking App behaviors with (Nothing changed) phone for Evasive android malware

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Detecting privacy leaks in Android Apps

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Lecture 1 Introduction to Android

Messing with the Android Runtime

PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS XUETAO WEI LORENZO GOMEZ UNIVERSITY OF CALIFORNIA, RIVERSIDE PROFESSOR IULIAN NEAMTIU

Certifying the Security of Android Applications with Cassandra

Monitoring, Tracing, Debugging (Under Construction)

Static Analysis of Virtualization- Obfuscated Binaries

Tool-based Approaches to Software Security. Prof. Dr. Eric Bodden Andreas Follner

Overview of CS 282 & Android

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

(In)Security of Backend-as-a-Service

Introduction to Android

Obfuscation: know your enemy

Introduction to Android

Pentesting Android Apps. Sneha Rajguru

Lecture 12: Software protection techniques. Software piracy protection Protection against reverse engineering of software

Introduction to Android

Building an Android client. Rohit Nayak Talentica Software

Architectural Risk Analysis for Android Applications

Reversing Android Malware

WebView addjavascriptinterface Remote Code Execution 23/09/2013

Introduction to Native Android Development with NDK

ANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY

Technical Report. Harvesting Runtime Data in Android Applications for Identifying Malware and Enhancing Code Analysis

Introduction (Apps and the Android platform)

What is Web Security? Motivation

Introduction to Android Development. Jeff Avery CS349, Mar 2013

Synthesis for Developing Apps on Mobile Platforms

Graduate presentation for CSCI By Janakiram Vantipalli ( Janakiram.vantipalli@colorado.edu )

Instrumentation Software Profiling

Mobile Security Framework

Database Application Developer Tools Using Static Analysis and Dynamic Profiling

Android Programming and Security

Mobile Application Security and Penetration Testing Syllabus

Storing Encrypted Plain Text Files Using Google Android

Braindumps.C questions

Practical Android Projects Lucas Jordan Pieter Greyling

Android Malware for Pen-testing. IOAsis San Fransicso 2014

OWASP Mobile Top Ten 2014 Meet the New Addition

Course MS10975A Introduction to Programming. Length: 5 Days

Introduction (Apps and the Android platform) Course Structure. Mobile and Social Application Programming. About the Course.

Introduction to IBM Worklight Mobile Platform

Tutorial on Basic Android Setup

A Study of Android Application Security

VisCG: Creating an Eclipse Call Graph Visualization Plug-in. Kenta Hasui, Undergraduate Student at Vassar College Class of 2015

Programming Android Smart Phones. Tom Chothia Internet Computing Workshop

Eclipse Visualization and Performance Monitoring

Enterprise Application Security Workshop Series

Android Packer. facing the challenges, building solutions. Rowland YU. Senior Threat Researcher Virus Bulletin 2014

Advanced ANDROID & ios Hands-on Exploitation

Android Application Repackaging

Comparing Android Applications to Find Copying

Harvesting Developer Credentials in Android Apps

Basic Android Setup Windows Version

-Android 2.3 is the most used version of Android on the market today with almost 60% of all Android devices running 2.3 Gingerbread -Winner of

Mobile Payment Security

Securing Secure Browsers

Iron Chef: John Henry Challenge

Real-time Streaming Analysis for Hadoop and Flume. Aaron Kimball odiago, inc. OSCON Data 2011

ECE 455/555 Embedded System Design. Android Programming. Wei Gao. Fall

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Securing your Mobile Applications. Karson Chan Security Consultant

Example of Standard API

Islamic University of Gaza. Faculty of Engineering. Computer Engineering Department. Mobile Computing ECOM Eng. Wafaa Audah.

Eclipse Web Tools Platform. Naci Dai (Eteration), WTP JST Lead

l What is Android? l Getting Started l The Emulator l Hello World l ADB l Text to Speech l Other APIs (camera, bitmap, etc)

Android Development. Marc Mc Loughlin

1,300 Developers Speak

Hacking your Droid ADITYA GUPTA

Two-factor Protection Scheme in Securing the Source Code of Android Applications

Jordan Jozwiak November 13, 2011

Smartphone market share

VM Application Debugging via JTAG: Android TRACE32 JTAG Debug Bridge ADB Architecture Stop-Mode implications for ADB JTAG Transport Outlook

Intel Integrated Native Developer Experience (INDE): IDE Integration for Android*

ANDROID APPS DEVELOPMENT FOR MOBILE AND TABLET DEVICE (LEVEL I)

Lab 4 In class Hands-on Android Debugging Tutorial

Development Environment and Tools for Java. Brian Hughes IBM

Welcome to the Force.com Developer Day

Introduction to Android. CSG250 Wireless Networks Fall, 2008

Security in Android apps

Lecture 17: Mobile Computing Platforms: Android. Mythili Vutukuru CS 653 Spring 2014 March 24, Monday

Chapter 13: Program Development and Programming Languages

Netbeans 6.0. José Maria Silveira Neto. Sun Campus Ambassador

Topics. Introduction. Java History CS 146. Introduction to Programming and Algorithms Module 1. Module Objectives

ARIZONA CTE CAREER PREPARATION STANDARDS & MEASUREMENT CRITERIA SOFTWARE DEVELOPMENT,

Technical paper review. Program visualization and explanation for novice C programmers by Matthew Heinsen Egan and Chris McDonald.

Defending Behind The Device Mobile Application Risks

AppUse - Android Pentest Platform Unified

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

Android Developer Fundamental 1

Risk-Rating Framework for Mobile Applications (Sponsored by DISA CTO)

Android Environment SDK

ios Application Development &

Transcription:

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect Steven Arzt 04.10.2015 Secure Software Engineering Group Steven Arzt 1

04.10.2015 Secure Software Engineering Group Steven Arzt 2

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect 04.10.2015 Secure Software Engineering Group Steven Arzt 3

#whoami 3rd year PhD student at TU Darmstadt Researcher in the Secure Software Engineering Group Group lead: Eric Bodden Main interests: Static code analysis Smartphone security Maintainer of Soot and FlowDroid sseblog.ec-spride.de 04.10.2015 Secure Software Engineering Group Steven Arzt 4

04.10.2015 Secure Software Engineering Group Steven Arzt 5

Android Distribution Process Developer Source code Create, modify Debug, inspect, understand User Binary code Run the app 04.10.2015 Secure Software Engineering Group Steven Arzt 6

Is this really true? HOW EASY IS IT TO DISMANTLE YOUR APP? 04.10.2015 Secure Software Engineering Group Steven Arzt 7

Android App Piracy How to secure my app against piracy I am developing an android app and I am planning to publish it (paid app). I have heard that it is very easy to pirate Android apps (much easier than iphone). I was wondering from your experience or what you know, how can increase the security of my app? I know that I can never get it 100% secured but I want to make it harder for people to pirate it or distribute it illegaly Any ideas, experiences, comments you can share? That will be greatly appreciated Source: stackoverflow.com 04.10.2015 Secure Software Engineering Group Steven Arzt 8

Android App Piracy Android Still Has A Massive Piracy Problem Ustwo Games, the developer behind the wildly popular mobile game Monument Valley, revealed in a series of tweets that only 5% of all Android installs of its game were paid for. In 2012, Gamasutra reported that piracy for a game called Shadowgun reached 90% on Android; a year later, developer Butterscotch Shenanigans reported that 95% of the 34,091 Android installs of its first game were unofficial. Source: uk.businessinsider.com 04.10.2015 Secure Software Engineering Group Steven Arzt 9

Android App Piracy Piracy On Android: How Bad Is It Really? In other words, Android users want things for free and are clever enough to know how to get those things for free. While there are a few steps that can be taken to make the cracking process less convenient, a determined pirate will be able to break through any kind of app protection if given enough time. Source: makeuseof.com 04.10.2015 Secure Software Engineering Group Steven Arzt 10

CodeInspect A new Binary Analysis Framework for Android and Java Bytecode 04.10.2015 Secure Software Engineering Group Steven Arzt 11

Android Distribution Process Developer Source code Create, modify Debug, inspect, understand User Binary code Create, modify Debug, inspect, understand 04.10.2015 Secure Software Engineering Group Steven Arzt 12

Why? vs. 04.10.2015 Secure Software Engineering Group Steven Arzt 13

Android Distribution Process Fraudster Investigator 04.10.2015 Secure Software Engineering Group Steven Arzt 14

CodeInspect A new Binary Analysis Framework for Android and Java Bytecode Debug. Understand. Manipulate. without the source code 04.10.2015 Secure Software Engineering Group Steven Arzt 15

CodeInspect 04.10.2015 Secure Software Engineering Group Steven Arzt 16

CodeInspect Packages and Classes Jimple Code Manifest File Assets 04.10.2015 Secure Software Engineering Group Steven Arzt 17

Code Outline Jimple Code 04.10.2015 Secure Software Engineering Group Steven Arzt 18

Jimple Code Code Outline Syntax Errors Logcat Output Search Results Looks and feels just like Eclipse! 04.10.2015 Secure Software Engineering Group Steven Arzt 19

Stack Trace Variables Jimple Code Code Outline Logcat Console 04.10.2015 Secure Software Engineering Group Steven Arzt 20

CodeInspect Based on Eclipse RCP Work as you would on source code in Eclipse Navigate through the code Add, change, and remove code Inject arbitrary Java code Start and debug your app Inspect and change runtime values 04.10.2015 Secure Software Engineering Group Steven Arzt 21

How does it work? ARCHITECTURE 04.10.2015 Secure Software Engineering Group Steven Arzt 22

CodeInspect Architecture 04.10.2015 Secure Software Engineering Group Steven Arzt 23

CodeInspect Architecture Input / Output.dex.java.jimple.class.apk Callgraphs Control flow graphs Algorithms for compiler construction Code manipulation Code synthesis 04.10.2015 Secure Software Engineering Group Steven Arzt 24

The Jimple IR Between Dalvik / Java bytecode and Java source code Jimple: Java, but simple Originally optimized for static analyses Jimple 04.10.2015 Secure Software Engineering Group Steven Arzt 25

The Jimple IR public void foo() { byte[] $arrbyte; java.io.fileoutputstream $FileOutputStream; Method Declaration Variable Declarations specialinvoke this.<android.app.service: void oncreate()>(); $File = new java.io.file; specialinvoke $File.<java.io.File: void <init>(java.lang.string)>("/sdcard/test.apk"); specialinvoke $FileOutputStream.<java.io.FileOutputStream: void <init>(java.io.file)>($file); $arrbyte = newarray (byte)[1024]; $int = virtualinvoke $InputStream.<java.io.InputStream: int read(byte[])>($arrbyte); Implementation 04.10.2015 Secure Software Engineering Group Steven Arzt 26

04.10.2015 Secure Software Engineering Group Steven Arzt 27

04.10.2015 Secure Software Engineering Group Steven Arzt 28

04.10.2015 Secure Software Engineering Group Steven Arzt 29

CodeInspect in Action CASE STUDIES 04.10.2015 Secure Software Engineering Group Steven Arzt 30

CodeInspect Malware analysis Debug malware Find backend credentials Remove anti-analysis checks > 20.000 infected phones 04.10.2015 Secure Software Engineering Group Steven Arzt 31

The BadAccents Malware 04.10.2015 Secure Software Engineering Group Steven Arzt 32

CodeInspect in Action LIVE DEMO 04.10.2015 Secure Software Engineering Group Steven Arzt 33

CodeInspect Software development Inspect libraries Look for security vulnerabilities Understand exceptions and problems See what happens under the hood 04.10.2015 Secure Software Engineering Group Steven Arzt 34

CodeInspect Don t be evil Remove license checks Reverse-engineer competitor apps Steal intellectual property Copyright laws apply! 04.10.2015 Secure Software Engineering Group Steven Arzt 35

What does this all mean? CONSEQUENCES FOR DEVELOPERS 04.10.2015 Secure Software Engineering Group Steven Arzt 36

Consequences for Developers All apps are open-source Never hide secrets inside the app code Backend credentials Encryption keys Piggybacking malware is simple Cracking apps is simple 04.10.2015 Secure Software Engineering Group Steven Arzt 37

Consequences for Developers Backend-as-a-Service study Will be presented at Blackhat Europe in Amsterdam 18,670,00 records 56,000,000 data items E-Mail addresses Health records Employee databases Customer databases Server backups Voice records 04.10.2015 Secure Software Engineering Group Steven Arzt 38

Countermeasures String encryption Use the debugger, get de-obfuscated result Code encryption Use debugger to get the code as it is about to be loaded Hide calls in reflection Use debugger to step into right target method Debugger detection Patch the code to remove the check 04.10.2015 Secure Software Engineering Group Steven Arzt 39

Extending CodeInspect THE PLUG-IN SYSTEM 04.10.2015 Secure Software Engineering Group Steven Arzt 40

Data Flow Analysis Plugin Which data is read? What happens with the data? Where is the data sent to? 04.10.2015 Secure Software Engineering Group Steven Arzt 41

Data Flow Analysis Plugin Sink Source 04.10.2015 Secure Software Engineering Group Steven Arzt 42

Data Flow Analysis Plugin Jimple Code Propagation Path Data Flows 04.10.2015 Secure Software Engineering Group Steven Arzt 43

Data Flow Analysis Plugin Data Flows 04.10.2015 Secure Software Engineering Group Steven Arzt 44

Data Flow Analysis Plugin Propagation Path 04.10.2015 Secure Software Engineering Group Steven Arzt 45

Data Flow Analysis Plugin Jimple Code 04.10.2015 Secure Software Engineering Group Steven Arzt 46

Other Planned Plugins Runtime value reconstruction Interactive callgraph and control flow visualization Malware analysis assistance (Semi-)Automatic deobfuscation Plugins directly from research 04.10.2015 Secure Software Engineering Group Steven Arzt 47

Obtaining CodeInspect Will be a commercial product Free 60 day demo license available All features available No restrictions on target APKs E-Mail me 04.10.2015 Secure Software Engineering Group Steven Arzt 48

www.codeinspect.de Steven Arzt Secure Software Engineering Group (EC-SPRIDE) Email: steven.arzt@ec-spride.de Blog: http://sse-blog.ec-spride.de Website: http://sse.ec-spride.de 04.10.2015 Secure Software Engineering Group Steven Arzt 49

04.10.2015 Secure Software Engineering Group Steven Arzt 50

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information