hashdays 2011: tobias ospelt - reversing android apps - hacking and cracking android apps is easy
DESCRIPTION
This talk shows the possibilities of reversing Android applications. After an introduction about Android issues in the past, Tobias Ospelt explains how he managed to download several thousand Android applications from the Google Market, and which security issues are present in various apps. Apps can be decompiled, altered and recompiled, which means that for most apps it is very easy to steal code or to include malware. Some of the apps use obfuscation to disguise the code, but for example encryption keys can easily be extracted. Small game developers, as well as big companies are not aware of the risk that their code can be decompiled to java and disassembled to smali code. This is how a lot of protection mechanisms can be circumvented, such as licensing (cracking a Game) or corporate solutions (enforcing policies on the mobile). The talk shows how easy everybody can reverse android apps and how encryption keys can be extracted, even when the code is obfuscated. The material is a nice follow-up to the Android talk of Jesse Burns from last year at #days, although this talk is more focused on the apps and shows some more hacks/code/encryption/obfuscation/reversing.Bio: Tobias Ospelt is working as a security expert and tester for Dreamlab Technologies AG in Bern. He is mainly involved in web application and mobile security penetration tests. Tobias Ospelt joined Dreamlab after having achieved his Master Degree focusing IT-Security, and after having worked as a Research Assistant at the Zurich University of Applied Sciences.TRANSCRIPT
![Page 1: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/1.jpg)
Reversing Android Apps
Hacking and cracking Android apps is easy
Tobias Ospelt
![Page 2: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/2.jpg)
Agenda
• Issues (in the past) • Android security / code concept • Techniques for pentesters / reverse engineers • My experiences and the general quality of apps
![Page 3: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/3.jpg)
My approach
• Bought HTC Desire/Bravo with Android 2.0 (now 2.2.0) in 2010
• Finding security related issues
![Page 4: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/4.jpg)
Issues (in the past?)
![Page 5: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/5.jpg)
Losing phones
![Page 6: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/6.jpg)
CircumvenNng lock screen
![Page 7: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/7.jpg)
CircumvenNng lock screen • Poor lock screen implementaNon – Home buPon mashing, not all brands<= 2.2 – Back buPon during call, not all brands <= 2.0 – Plug into car dock, unknown – Gmail address & password „null“, unknown
• Lock screen not acNvated • USB debug on (adb shell) • Associated Google account • OpenRecovery, Milestone <= 2.1 • Acquire physical memory (forensic tools)
![Page 8: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/8.jpg)
Android or Google?
• Android is Open Source – Google is the strong force behind it
• Google Market is not (it‘s Google‘s) • You can create your own market
![Page 9: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/9.jpg)
Google Market – a feel free environment
![Page 10: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/10.jpg)
Malware
• Malware in the Google Market – DroidDream aka Rootcager
• Other malware (o]en in Chinese markets) – Bgserv, Pjabbs, Geinimi, FakePlayer, GingerMaster, Zeus, SpyEye
![Page 11: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/11.jpg)
Bring malware to the mobile
• Convince users (aka put on market) • XSS on Google Market website • App without permissions installs apps with permissions – Angry Birds extra level malware, fixed – Browser vulnerability (cookie stealing), < 2.3.5 – New technique going to be released in November
• Oberheide/Lanie, Source Barcelona
![Page 12: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/12.jpg)
Android Browser
• Puts nice liPle bookmark pics on your SD card
![Page 13: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/13.jpg)
Other issues
• Facebook-‐App V. 1.6 is able to read/write/edit SMS/MMS
• Plain authenNcaNon tokens, fixed • SMS receiver incorrect, fixed • Htclogger, HTC only • App reversing • Many more
![Page 14: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/14.jpg)
Nuclear chain of command...
xkcd.com
![Page 15: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/15.jpg)
... is similar to the Android chain of security
![Page 16: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/16.jpg)
My situaNon
• Bought HTC Desire in 2010
• SNll on Android 2.2.0, means: – Screen lock circumvenNon (buPon mashing) – Vulnerable to DroidDream malware – Browser vulnerability
• Cookie stealing / XSS • Can be used to install apps
![Page 17: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/17.jpg)
Android security / code concept
![Page 18: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/18.jpg)
Android code • Write app in Java and HTML/Javascript (Android SDK) – The obvious approach – Most apps from the Google Market – Easy to decompile/disassemble/reassemble
• Write app in ARM naNve code (Android NDK) – Together with Java code – ARM Assembler Reverse Engineering and JNI
• Use a framework/generator – appmakr.com – PhoneGap – Others?
![Page 19: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/19.jpg)
Techniques for pentesters / reverse engineers
![Page 20: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/20.jpg)
1. Gemng hundrets of Android Apps (apk files)
![Page 21: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/21.jpg)
Obvious download approach
• Open market app on mobile • Click app and install • SCP apk file from phone à Too slow, not enough space on mobile, etc
![Page 22: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/22.jpg)
How to download all Android apps
• Connect mobile to laptop Wi-‐Fi with airbase-‐ng / dnsmasq
• Use iptables to redirect to local Burp – thx Android for not having a proxy opNon
• BurpExtender to save responses with apk files • Send mobile a HTTP 404 not found
![Page 23: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/23.jpg)
Install all apps?
• One HTTPS request to market.android.com • Change the app name – com.google.android.youtube
• Modified w3af spider / regex plugin – Search for terms A ... ZZ on market.android.com – No restricNons (e.g. captcha) as in Google search
• Wrote script that sends HTTPS requests with app name
![Page 24: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/24.jpg)
Download environment
![Page 25: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/25.jpg)
Metadata
• About 300’000 apps in market • Crawled about 10’000 app names • Successfully downloaded and decompiled about 3’500 apps (about 15 GB) – Took about 3 days to download all these apps
![Page 26: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/26.jpg)
2. Decompile/disassemble
![Page 27: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/27.jpg)
The apktool disassembled structure
+assets +res +drawable -icon.png +layout -main.xml +values -strings.xml +META-INF -AndroidManifest.xml -classes.dex
• Apk unzipped +assets +res +drawable -icon.png +layout -main.xml +values -strings.xml -AndroidManifest.xml +smali +com +... -apktool.yml
à apktool disassembled
![Page 28: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/28.jpg)
Two approaches
• Disassembling to smali – Similar to Jasmin syntax (Java assembler code) – Apktool
• Correct smali code • Didn’t use dexdump/dedexer
• Decompiling to Java – Dex2Jar + Java-‐Decompiler
• SomeNmes incorrect Java code
![Page 29: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/29.jpg)
Disassembling how-‐to
• Apktool me$ java -jar apktool.jar d app.apk output-folder
![Page 30: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/30.jpg)
Disassembled example
![Page 31: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/31.jpg)
Reassembling how-‐to
• Apktool me$ echo "change something" change something me$ java -jar apktool.jar b output-folder/ fake.apk […] me$ keytool -genkey -alias someone -validity 100000 -keystore someone.keystore […] me$ jarsigner -keystore someone.keystore fake.apk someone me$ adb install fake-app.apk
![Page 32: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/32.jpg)
3. Other techniques for pentesters
![Page 33: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/33.jpg)
Heap dump
me$ su me# ps | grep kee 949 10082 183m S com.android.keepass 960 0 1964 S grep kee me# kill -10 949 me# grep password /data/misc/heap-dump-tm1312268434-pid949.hprof thisisasecretpassword
• In Android > 2.3 – BuPon in DDMS tool or call android.os.Debug.dumpHprofData(fileName)
![Page 34: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/34.jpg)
Invoking AcNviNes
• AcNviNes are basically user interfaces – „one screen“
• Fortunately this example doesn‘t work
me$ dumpsys package > packages.txt me$ am start -n com.android.keepass/com.keepassdroid.PasswordActivity
![Page 35: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/35.jpg)
Tons of other tools • Androguard • Apkinspector – GUI combining apktool, dex2jar, a Java decompiler, byte code, etc.
• DED • androidAuditTools • Smartphonesdumbapps • Taintdroid (Privacy issues) • Android Forensic Toolkit • viaExtract • More
![Page 36: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/36.jpg)
Experiences when decompiling/disassembling 3‘500 apps
Finding security related issues
![Page 37: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/37.jpg)
Metadata
• About 3’500 apps – 2’300 unique email addresses – 1’000 «fuck» – Several twiPer / facebook / flickr / geocaching API keys
![Page 38: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/38.jpg)
Low hanging fruits
![Page 39: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/39.jpg)
Hashing and encrypNon – a short best pracNces refresh
• Secure algorithms/implementaNons • Random, long salts/keys • Hashing – Separate salt for every hash – Several hashing rounds
• E.g. hash(hash( ... hash(pwd+salt)+salt ... ))
• EncrypNon – Keep the key secret
![Page 40: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/40.jpg)
![Page 41: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/41.jpg)
Key: MSB always 0
Used for sending passwords in HTTPS
![Page 42: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/42.jpg)
Used to signalise the server that in-‐
game goods were purchased
![Page 43: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/43.jpg)
![Page 44: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/44.jpg)
![Page 45: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/45.jpg)
Obfuscated code
Who calls this „ah“ constructor?
![Page 46: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/46.jpg)
Obfuscated code
• 4 greps later... • c.f includes the key – c.f calls a.bs(key)
• a.bs calls a.ah(key) – a.ah uses the key and locale variables for encrypNon
• We know all the input data for the encrypNon rouNne
• It‘s symmetric crypto • We can decrypt „it“ (whatever it might be)
![Page 47: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/47.jpg)
TestXXXXX.java
• Yeah, let’s copy/paste a test email!
![Page 48: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/48.jpg)
TestXXXXX2.java
• And credenNals for the test server...
![Page 49: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/49.jpg)
Some apps I looked at more closely
(it’s gemng worse)
![Page 50: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/50.jpg)
App 1 -‐ banking app • Who really wants banking on the mobile? • A lot of banking apps! Yay! • App 1 – No obfuscaNon + can easily be recompiled – App simply shows the website – Hides the URL and SSL cert/lock from the user – Can only be used with mTAN
![Page 51: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/51.jpg)
App 2
• Server had self-‐signed SSL cerNficate • SSL MITM Dump: /usernam e=B1436A 13E85D20 F2428D6E 232C2B93 FE....pa ssword=2 C30F3866 016E6C59 52655C06 400BCC6. imei=405 23204606 E450... ...
Wow, it’s encrypted... Don’t we need a key for that?
![Page 52: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/52.jpg)
App 2
• AES key public byte[] cryptKey42 = {-31, -21, 4, 24, -21, 54, -63, -40, -38, 61, -47, -115, -95, -36, -142, 64, 53, 120, -85, -96, -69, 85, 81, 16, -36, 80, -102, 95, -20, 110, 36, -11};
![Page 53: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/53.jpg)
App 3 – root detecNon private boolean deviceRoot(){ try{
Runtime.getRuntime().exec("su"); return true; } catch (IOException localIOException){ return false; } }
![Page 54: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/54.jpg)
App 3 – CircumvenNng root detecNon
• Not necessary
![Page 55: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/55.jpg)
App 4 – Another root detecNon
public static boolean isDeviceRooted(){ File f = new File(“/system/sbin/su”) return f.exists()
}
![Page 56: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/56.jpg)
App 4 -‐ Removing root detecNon me$ java -jar apktool.jar d app.apk source […] me$ sed -i "" 's/system\/sbin\/su/system\/sbin\/CEW1PFSLK/g' source/smali/net/example/checks.smali me$ java -jar apktool.jar b source/ fake.apk […] me$ keytool -genkey -alias someone -validity 100000 -keystore someone.keystore […] me$ jarsigner -keystore someone.keystore fake.apk someone me$ adb install fake.apk
![Page 57: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/57.jpg)
App 4 – Was that a good method to remove the root detecNon?
• Altering the app – No updates
• We only want to fail that simple check
![Page 58: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/58.jpg)
App 4 -‐ Prevent root detecNon
me$ adb shell $ su # cd /system/bin/; mount -o remount,rw -o rootfs rootfs /; mount -o remount,rw -o yaffs2 /dev/block/mtdblock3 /system # echo $PATH /sbin:/system/sbin:/system/bin:/system/xbin # mv /system/sbin/su /system/xbin/
root stays root!
![Page 59: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/59.jpg)
A special secret key
• 445 apps use the same AES key – byte[] a = { 10, 55, -‐112, -‐47, -‐6, 7, 11, 75, -‐7, -‐121, 121, 69, 80, -‐61, 15, 5 }
![Page 60: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/60.jpg)
Google Ads
• Encrypt last known locaNon – All locaNon providers (GPS, Wifi, ...)
• Send via the „uule“ JSON parameter • NoNfied Google on the 23th of June – No response yet
• To be honest I haven‘t seen the „uule“ parameter in my network yet
![Page 61: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/61.jpg)
Google Ads
• Why didn‘t they use asymmetric crypto?
![Page 62: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/62.jpg)
Countermeasures
• Use asymmetric crypto instead of symmetric when transferring data to a server
• Store hashes/session tokens instead of passwords
• Good obfuscaNon is Security Through Obscurity
• Pentest your apps • Know the limitaNons – root stays root
![Page 63: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/63.jpg)
References • hPp://designora.com/graphics/android-‐logo/ • hPp://blog.duosecurity.com/2011/05/when-‐angry-‐birds-‐aPack-‐android-‐ediNon/ • hPp://jon.oberheide.org/blog/2011/03/07/how-‐i-‐almost-‐won-‐pwn2own-‐via-‐xss/ • hPp://www.h-‐online.com/open/news/item/Android-‐apps-‐send-‐unencrypted-‐authenNcaNon-‐token-‐1243968.html • hPps://www.infosecisland.com/blogview/13459-‐Google-‐Sued-‐for-‐SurrepNNous-‐Android-‐LocaNon-‐Tracking.html • hPp://www.h-‐online.com/open/news/item/Android-‐malware-‐acNvates-‐itself-‐through-‐incoming-‐calls-‐1253807.html • hPp://www.slideshare.net/bsideslondon/bsideslondon-‐spo#text-‐version • hPps://www.hashdays.ch/assets/files/slides/burns_android_security_the%20fun%20details.pdf • hPps://theassurer.com/p/756.html • hPp://thomascannon.net/blog/2011/02/android-‐lock-‐screen-‐bypass/ • hPp://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf?
om_ext_cid=biz_socmed_twiPer_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp • hPp://www.xkcd.com/898 • hPp://www.madaxeman.com/general/2009/11/lost-‐phone.html • hPp://thomascannon.net/projects/android-‐reversing/ • hPp://www.infsec.cs.uni-‐saarland.de/projects/android-‐vuln/ • hPp://www.madaxeman.com/general/2009/11/lost-‐phone.html • hPp://www.heise.de/mobil/meldung/Android-‐verschickt-‐SMS-‐an-‐falsche-‐Empfaenger-‐2-‐Update-‐1162685.html • hPp://blog.duosecurity.com/2011/09/android-‐vulnerabiliNes-‐and-‐source-‐barcelona/
![Page 64: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/64.jpg)
Thx!
• TwiPer: floyd_ch • hPp://floyd.ch
![Page 65: hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy](https://reader036.vdocument.in/reader036/viewer/2022062510/54b686384a7959601b8b4580/html5/thumbnails/65.jpg)