Mikhail Dudarev
Android applications in the cruel world
Defence Against the Dark Forces: how to save an Android application from threats?
Mikhail Dudarev, Ivan Kinash, Licel, 2014, DroidCon Moscow 2014
About
• Mikhail Dudarev, old-school Java security guy, founder of jCardSim, a Java Card simulator that won the 2013 Duke's Choice Award; co-founder of Licel.
• Ivan Kinash, co-founder & CEO at Licel
• Licel creates application protection solutions for Java and Android platforms.
Report
Mobile Techworld report: looking at a total of 230 apps (the top 100 paid apps and the top 15 free apps for each of Android and iOS), Arxan found that 100 percent of the top paid apps on Android and 56 percent on iOS were being impersonated in a compromised form on grey markets. http://goo.gl/mW1WxZ
Android Application Security Model
• There is no standard EULA; every publisher is solely responsible for their own (Google Play)
• The installed APK is stored on the device
• It is signed with the publisher's key
• There is a permission system (users do not take it seriously, or they simply have no choice)
• APKs stored on the device are readable even without root privileges
Android Application Security Model
• The signature is designed to confirm the integrity of an application
• The truth is that it gives you, the publisher, almost nothing against repackaging: the platform only checks that the APK is consistently signed by some key, not that it is signed by yours
• A couple of minutes is all it takes to strip META-INF and re-sign an application with a different key
• Then put it on grey markets, p2p, warez sites... or even on the same market where the original one is (was)
APK Structure
• classes.dex (Dalvik bytecode)
• resources.arsc (compiled resources)
• META-INF/ (signatures)
• res/ (resources)
• assets/ (assets)
• lib/ (native libs)
• AndroidManifest.xml (name, version, access rights, referenced libs)
Dalvik bytecode • Is it protected? • Is it hard to reverse engineer?
No, and once again no...
Example
• Imagine you have an application with ads
• What does a malicious person have to do to take over your app?
• apktool disassemble -> change the ad id -> apktool assemble -> sign with their own key -> zipalign -> distribute (p2p, grey markets, official markets, warez sites) = 10 minutes
• If you are using only name obfuscation, it takes one extra minute to hack...
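The repackaging pipeline above, and the install-time signature check it walks straight through, as an added example that is not code from the talk or from Licel. The "APK" is a constructed in-memory zip with the entries from the APK Structure slide, and the signer is a toy stand-in (a name plus a SHA-256 over the signature file) rather than a real RSA/PKCS#7 CERT.RSA; the per-entry digest layout of MANIFEST.MF and the manifest digest in CERT.SF follow the real JAR (v1) signature format. The package name, ad unit ids and signer names are all made up.

```python
"""Why an APK signature stops tampering but not repackaging, and what the app
itself must pin to notice a re-sign.  Constructed example; toy signer."""
import base64
import hashlib
import io
import zipfile

PUBLISHER = "publisher-cert"   # constructed signer identities, not real certs
ATTACKER = "attacker-cert"


def build_sample_apk(ad_unit_id="ca-app-pub-1111/2222"):
    """Constructed entries standing in for a real APK's contents."""
    return {
        "AndroidManifest.xml": b"<manifest package='com.example.ads'/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 16,            # not real bytecode
        "resources.arsc": b"\x02\x00\x0c\x00",                     # not a real table
        "res/values/strings.xml":
            f"<resources><string name='ad_unit_id'>{ad_unit_id}</string></resources>".encode(),
        "lib/armeabi-v7a/libnative.so": b"\x7fELF" + b"\x00" * 12,
    }


def _b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def sign(entries, signer):
    """Add META-INF/* the way a v1 signer does: per-entry digests in MANIFEST.MF,
    a digest of the manifest in CERT.SF (simplified), a 'signature' over CERT.SF."""
    content = {n: d for n, d in entries.items() if not n.startswith("META-INF/")}
    lines = ["Manifest-Version: 1.0", ""]
    for name in sorted(content):
        lines += [f"Name: {name}", f"SHA-256-Digest: {_b64sha256(content[name])}", ""]
    manifest = ("\r\n".join(lines) + "\r\n").encode()
    sf = f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: {_b64sha256(manifest)}\r\n\r\n".encode()
    # Toy stand-in for CERT.RSA; a real signer puts a PKCS#7 RSA signature here.
    rsa = (signer + ":" + hashlib.sha256(signer.encode() + sf).hexdigest()).encode()
    signed = dict(content)
    signed.update({"META-INF/MANIFEST.MF": manifest, "META-INF/CERT.SF": sf, "META-INF/CERT.RSA": rsa})
    return signed


def parse_manifest(manifest):
    digests, name = {}, None
    for line in manifest.decode().split("\r\n"):
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[16:]
    return digests


def verify(entries):
    """What the platform checks at install time: each content entry matches its
    manifest digest, the manifest matches CERT.SF, CERT.SF matches the signature.
    Returns the signer identity, or None.  Any consistent signer is accepted."""
    try:
        manifest, sf = entries["META-INF/MANIFEST.MF"], entries["META-INF/CERT.SF"]
        signer, sig = entries["META-INF/CERT.RSA"].decode().split(":", 1)
    except (KeyError, ValueError):
        return None
    if sig != hashlib.sha256(signer.encode() + sf).hexdigest():
        return None
    if f"SHA-256-Digest-Manifest: {_b64sha256(manifest)}" not in sf.decode():
        return None
    digests = parse_manifest(manifest)
    content = {n: d for n, d in entries.items() if not n.startswith("META-INF/")}
    if set(digests) != set(content):
        return None
    return signer if all(digests[n] == _b64sha256(d) for n, d in content.items()) else None


def to_apk_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def from_apk_bytes(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def repackage(apk_bytes, old_ad_id, new_ad_id, signer=ATTACKER):
    """The 10-minute attack from the slide, minus apktool: unzip, strip META-INF,
    swap the ad id, re-sign with the attacker's own key, zip again."""
    entries = {n: d for n, d in from_apk_bytes(apk_bytes).items() if not n.startswith("META-INF/")}
    entries["res/values/strings.xml"] = entries["res/values/strings.xml"].replace(
        old_ad_id.encode(), new_ad_id.encode())
    return to_apk_bytes(sign(entries, signer))


def signer_pin_check(apk_bytes, expected_signer=PUBLISHER):
    """The app-side 'cert check': compare the signer of the package the app is
    actually running from against a value pinned at build time."""
    return verify(from_apk_bytes(apk_bytes)) == expected_signer


if __name__ == "__main__":
    original = to_apk_bytes(sign(build_sample_apk(), PUBLISHER))
    cloned = repackage(original, "ca-app-pub-1111/2222", "ca-app-pub-9999/8888")
    print("platform verify, original:", verify(from_apk_bytes(original)))   # publisher-cert
    print("platform verify, clone:   ", verify(from_apk_bytes(cloned)))     # attacker-cert
    print("pinned signer, clone:     ", signer_pin_check(cloned))           # False
```

The clone passes `verify` because the attacker regenerated every digest and signed the result consistently; only a check the app performs on itself, comparing its signing certificate (on Android, obtained through `PackageManager` with `GET_SIGNATURES`) against a pinned digest, tells the two apart. That check lives in the same bytecode the attacker is editing, which is why the talk treats it as one layer on top of integrity protection rather than the protection itself.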
Short funny demo
Existing threats • Application cloning • Sensitive information (user) theft • Licensing system cracking • Reverse engineering
Application cloning
• Illegal publishing on alternative app stores – app sales revenue loss
• Rerouting of Ad/IAP revenue streams – lost revenue from ads and purchases
• Malicious code injection – loss of reputation and harm to the app's users
Stealing sensitive information from an application
• User's data – logins/passwords/keys/credit card info... – social network data – location
• Application data – unique multimedia resources – information from embedded databases – business logic
• Corporate data – DBs/confidential files/...
Cracking tools (free): apktool, Androguard, dex2jar
Licensing system cracking. Google Play LVL
• The main app licensing service in Google Play
• Based on asymmetric cryptography – the private key is stored on the licensing server, the public key is in the application's code, so the verification and the code that acts on its result both sit in bytecode the attacker can patch
Automatic cracking tool: AntiLVL
Reverse engineering
• Analysis of weak/critical places in apps in order to find vulnerabilities
• Analysis of an application's internal logic – OTP generator for a banking solution http://goo.gl/0Dauve
Cracking tools: apktool, Androguard, dex2jar
Reverse engineering my bank's security token
• Original mobile banking application that generates OTP (one-time password) codes
• After decompiling with dex2jar – detected the OTP generation algorithm – TOTP
• TOTP = HOTP(SecretKey, TimeCounter) – secret key extracted from the code – Arduino clone created :)
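The TOTP = HOTP(SecretKey, TimeCounter) construction from the slide, written out as an added example (not the speaker's code and not the bank's): RFC 4226 HOTP and RFC 6238 TOTP using only the standard library. It shows why extracting the key is the whole attack: with the key, a clone produces exactly the codes the genuine app does. The key used here is the RFC 6238 test seed, a constructed stand-in for the one lifted from the decompiled APK, and the `verify_totp` server-side check with its drift window is an assumption about how a verifier is usually written, not something the talk describes.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP; the key is the RFC test seed (constructed)."""
import hmac
import struct
import time

# RFC 6238 Appendix B test seed ("12345678901234567890"); stands in for the
# 'secret key extracted from code' on the slide.  Constructed input.
EXTRACTED_KEY = b"12345678901234567890"


def hotp(key, counter, digits=6, algo="sha1"):
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded (RFC 4226 section 5.3)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at_time=None, step=30, t0=0, digits=6, algo="sha1"):
    """TOTP = HOTP(K, T) with T = floor((now - T0) / step) (RFC 6238 section 4)."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(key, (int(at_time) - t0) // step, digits, algo)


def verify_totp(key, code, at_time, window=1, **kw):
    """Server-side check accepting `window` steps of clock drift either way
    (assumed verifier behaviour).  compare_digest keeps the comparison constant-time."""
    step = kw.get("step", 30)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(key, at_time + drift * step, **kw), code):
            return True
    return False


if __name__ == "__main__":
    # With the key in hand, a clone and the genuine app agree at every instant.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(EXTRACTED_KEY, t, digits=8))   # 94287082 07081804 89005924
```

Nothing in the algorithm is secret, so a token's security is exactly the secrecy of its key; a key that a decompiler can read out of `classes.dex` gives the app the security of a published key, which is why the talk's tips push keys towards the server, a second channel or encrypted storage rather than string constants.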
Standard protection and licensing techniques
• Name obfuscation (in particular ProGuard)
• Licensing services provided by the app store – Google Play Licensing – Amazon DRM
• Custom native libraries for license checking, string/class encryption
• Server-side computation
• Mathematical jigsaw puzzle obfuscation (keep the ProGuard optimizer away from these parts of the code)
Useful, but they do not work...
Active and strong integrity protection techniques, and a set of other great approaches
They do not work without...
Cracking methods
• Automatic – AntiLVL
• Tools for analysis and modification – apktool – androlib – dex2jar – JD-GUI/JEB/...
• Text editor and grep :)
Advanced protection techniques
• String encryption (e.g. white-box crypto)
• Hiding of API calls
• Class encryption
• Resource encryption
• Strong and active integrity protection
Protection goal
• Have the bytecode (even if it is dumped from memory) as hard to reverse engineer as possible (strings are encrypted, valuable algorithms are hidden, API calls are hidden)
• Have a strong integrity protection mechanism in order to block repackaging
• Have unique resources encrypted
Protection scheme (APK)
Bytecode • String encryption • Class encryption • Hide API calls
Resources • Resource encryption
Signature • Active integrity protection (repackaging protection)
If an app has network abilities, you can also change the communication protocol from version to version...
A few important tips
If you are developing a mobile banking/financial/corporate/secure app:
• Device fingerprint
• Device-bound one-time passwords via a second communication channel (SMS)
• Use secured communication protocols and strong cryptography wherever possible
• Sensitive information stored on a device should be encrypted (SQLCipher); keys must be hidden via string encryption (this hides them from static analysis only: a key the app can decrypt at runtime can also be recovered at runtime)
• Keep in mind that the balance between usability/performance and security is important
• Think about protection and do protect in advance, BEFORE RELEASE
A few important tips #2
After applying strong protection techniques you might then think about:
• App certificate check (just in case)
• Debug mode check
• Rooted device check
• Emulator check
DexProtector
• Having huge expertise, we have implemented string encryption, class encryption, resource encryption, hide access and integrity control mechanisms at a technology-leading level
• That is why I would love to recommend DexProtector for protecting your apps from threats
• If you are applying additional security practices, DexProtector will help you protect them from being reverse engineered
• It can be used together with ProGuard
Conclusion
• Nobody will give you a 100% guarantee that your app will not be hacked
• The relevance of piracy is increasing day by day as the Android market grows
• Standard protection techniques no longer stand up to current methods of analysis and cracking
• A set of protection techniques must be applied
• Integrity protection is very important
Conclusion #2
• If you have applied security measures intelligently you are safe from more than 90% of potential hackers. It is hoped that the remaining 10 percent will not be interested in breaking your app
• Google is in a difficult situation with Android security now. Definitely there should be some changes, especially in securing the boot loader and in creating a secure app execution environment and storage. They tried in Jelly Bean, but with no luck. On the other hand, I see the Nexus series can be legally rooted and do not know what to think
Contacts
Email: [email protected], [email protected]
Twitter: @MikhailDudarev, @ivan_kinash
Web: http://licelus.com
DexProtector: http://dexprotector.com