help doctor, my application is an onion!

My application is an onion. Help me Doctor! © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.

Upload: sebastian-guerrero-selma

Post on 21-Apr-2017


TRANSCRIPT


I am: Sebas Guerrero (@0xroot), Sr. Mobile Security Analyst @ NowSecure, [email protected]


What society thinks we do


NOTE

This talk is intended as a lightning talk; for more detailed information, please refer to:
- The Nightmare behind the cross platform mobile apps dream (https://www.blackhat.com/docs/asia-15/materials/asia-15-Grassi-The-Nightmare-Behind-The-Cross-Platform-Mobile-Apps-Dream.pdf) - Marco Grassi / Sebas Guerrero
- Android Hacker Protection Level 0 (https://www.defcon.org/images/defcon-22/dc-22-presentations/Strazzere-Sawyer/DEFCON-22-Strazzere-and-Sawyer-Android-Hacker-Protection-Level-UPDATED.pdf) - Tim Strazzere, Justin Case


Agenda
- Motivations
- Frameworks: Titanium Framework (Demo), Kony Framework (Demo)
- Obfuscators: ProGuard, DexGuard (Demo)
- Conclusions


Motivations
- Most of the application assessments carried out during the last year were packed/obfuscated or used some framework.
- Manual analysis is OK once, twice, but I'm not Chinese.
- It's a good challenge to understand their internals and how they work.
- Keep your application away from hackers.


Frameworks: when wrapping is all your developers care about.

Background
- The mobile market is fragmented. Developers want their app on multiple platforms, at least iOS and Android.
- This caused growth in the number of tools and frameworks available for cross-platform development with different technologies.
- Native code development is from the 90s. HTML5 and JavaScript are the future. They are such a trending topic.
- Money is a scarce resource, even more so when you have to hire a dev team for each platform.
- Large companies are getting interested in multi-deployment framework models. They like to be cool.

Background


Catch 'em all


Titanium Framework: not that strong.

- Open source framework that can be downloaded from its official website.
- As many other frameworks, it brings you the ability to develop your native mobile application in JavaScript.
- It is a wrapper that runs the JavaScript code on an interpreter and uses native UI and other functionalities.
- Comes with its own IDE, which is Eclipse based.


Extracting the code
As mentioned before, the real source code is written in JavaScript. The asset data is loaded at runtime through the AssetCryptImpl class. The asset ranges are defined in a HashMap in the initAssets method; each range specifies the start and end of a specific file within the asset bytes. The chunk of data that contains the real assets is a CharBuffer defined in the initAssetsBytes method.

initAssets

initAssetsBytes

Defeating the encryption
The crypto is implemented in the shared library libtiverify.so, in the JNI function Java_org_appcelerator_titanium_TiVerify_filterDataInRange. Simple AES in ECB mode, using the last 16 bytes of the assetBytes as the key for the decryption process. There are multiple approaches to recover the original data. Let's keep it simple. The pseudo-code for the filterDataInRange method looks like:

Defeating the encryption


Kony Framework: that startup.js file is not the startup you are looking for.

Kony Framework
Standard approaches used during application assessment are no longer useful. The framework is a wrapper, but its behavior changes slightly between versions prior to 6.0 and 6.0 onwards.


Lua bytecode (prior to 6.0)
Kony app -> konyappluabytecode.o.mp3

JSVM (6.0 onwards)
Kony app -> libkonyJSVM.so, startup.js, common-jslibs.kfm

Hunting the Lua code
There are multiple approaches available, from massive device memory dumping to dynamic instrumentation (Frida). In case you are lazy, just use unluac.jar and extract the Lua code. For more detailed information, please refer to our talk at Black Hat Asia 2015.


Hunting the JavaScript code
If you are lucky enough, earlier versions of the JSVM only require you to unzip the startup.js file to extract the original source code. Latest versions prefer to make things harder. Long story short, the shared library is a trap and the crypter is the jackpot. That is the case we will discuss in this section.


Kony Kung-fu KO: it is not over 9000.

Kony application
A couple of interesting, encrypted files (common-jslibs.kfm & startup.js) can be seen in the assets/js folder. The file format is not recognizable, and binary analysis does not reveal any clue. Reverse engineering the classes.dex file does not reveal anything related to crypto operations. However, there is a class that caught our attention: KonyJavaScriptVM. The infamous System.loadLibrary method is used, and it loads the shared library konyjsvm.so.

KonyJavaScriptVM method
It might look like black magic to redirect our efforts to this library, but a first look at that previous class gave me a hunch. It contains references to the common-jslibs.kfm and startup.js files. Following cross references between calls to a range of obfuscated methods, we discover buffer allocation, compilation and zipEntry operations that end in a call to the loadFilesToVM function. That method belongs to the konyjsvm shared library. Roses are red, violets are blue, potato.

konyjsvm shared library
A quick look at the KonyJSVM_loadFilesToVM procedure reveals multiple calls to EVP cipher routines, a method named charxor, and a call to the callUnzippingForDex method, among others. This method decrypts the encrypted files and loads their content dynamically. Best practices during the development stage? What is that? First look at its implementation:
- XOR encryption key embedded in the source code: AnDr/[email protected] embedded in the source code and initialized to 0s.
- Yes, the encryption key is also embedded in the source code. What the heck did you expect?

What is XORed?
The XORed string is the key used in the EVP_AES_256_CBC cipher, which is generated as follows:
- Call to the getTime method, which executes the getTimeStamp function. This value can also be obtained from the file application.properties located under the /assets folder.
- Call to the getN method, which according to its implementation returns the class name for the package located under /com/kony/labs/android/KonyMain, which is KonyMain.
- A XOR operation is performed between these two values.
- Call to the getPackageName method.
- Another XOR operation is performed between the result of the previous XOR operation and the package name.

Reverting the process
Again, there are multiple solutions available out there; static and dynamic approaches do exist. However, I've got another hunch:
- The application does not include any methods for the encryption and/or decryption process.
- The crypto operations observed in the library are merely for decryption purposes.
- The application has been shipped to the store and it already included the encrypted files.
- Those files are encrypted at compilation time, and luckily there is a trial of the Kony IDE Framework available for download.

kony_loadfile.exe
encrypt - 1 / decrypt - 0

kony_loadfile.exe
The binary expects the following parameters: startup.js common-jslibs.kfm APPID package_name timestamp
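Added example (my own code, not NowSecure's nor either framework's): a triage function that reports which wrapper generation from the Titanium and Kony sections an APK was built with, keyed only on the artefacts the slides name (libtiverify.so and the TiVerify class, konyappluabytecode.o.mp3, libkonyJSVM.so, assets/js/startup.js, common-jslibs.kfm and KonyMain). The sample APK is constructed in memory, and the grouping of indicators per generation is my assumption from the deck.

```python
import io
import zipfile

# Indicators summarised from the artefacts this talk names (my own grouping,
# not a NowSecure signature set), keyed by wrapper generation.
FILE_INDICATORS = {
    "Titanium": ("libtiverify.so",),
    "Kony (Lua, prior to 6.0)": ("konyappluabytecode.o.mp3",),
    "Kony (JSVM, 6.0 onwards)": ("libkonyJSVM.so", "assets/js/startup.js",
                                  "assets/js/common-jslibs.kfm"),
}
# Class descriptors as they appear verbatim in the classes.dex string table.
DEX_INDICATORS = {
    "Titanium": (b"Lorg/appcelerator/titanium/TiVerify;",),
    "Kony (JSVM, 6.0 onwards)": (b"Lcom/kony/labs/android/KonyMain;",),
}

def fingerprint_apk(apk_bytes: bytes) -> dict:
    """Return {wrapper: [evidence, ...]}. File names match exactly or as the
    last path component (lib/<abi>/libX.so), and every classes*.dex is
    byte-searched for the descriptors."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        for wrapper, needles in FILE_INDICATORS.items():
            for name in names:
                if any(name == n or name.endswith("/" + n) for n in needles):
                    hits.setdefault(wrapper, []).append(name)
        for dex in (n for n in names if n.startswith("classes") and n.endswith(".dex")):
            data = zf.read(dex)
            for wrapper, descriptors in DEX_INDICATORS.items():
                for desc in descriptors:
                    if desc in data:
                        hits.setdefault(wrapper, []).append(dex + ":" + desc.decode())
    return hits

def build_sample_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip holding the given name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample in the shape of a Kony 6.0+ build; the "dex" is only a
# byte string carrying one descriptor, not a real DEX file.
SAMPLE_KONY_APK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00...Lcom/kony/labs/android/KonyMain;\x00",
    "lib/armeabi-v7a/libkonyJSVM.so": b"\x7fELF",
    "assets/js/startup.js": b"\x00\x01 opaque, encrypted blob",
    "assets/js/common-jslibs.kfm": b"\x00\x01 opaque, encrypted blob",
})
```

Knowing the generation up front tells an assessor (or a release reviewer) which of the two code-recovery paths above applies before any unpacking is attempted.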


Obfuscators/Optimizers/Protectors: when wrapping is all your developers care about.

Why use obfuscators?
As a developer, either you are too lazy to implement good practices, or you are simply not aware of them. However, they do the job for you, partially. They include security mechanisms such as encryption, obfuscation and potential use of reflection techniques. They try to sell you that your application would be protected against hackers.


Catch 'em all


ProGuard: mmm potato

Quick introduction
- Way older than Android, originally designed for Java.
- Recommended by Google for Android developers and quite frequent in applications shipped to the Play Store.
- It is free and bundled with the Android SDK.


Optimization?
At the bytecode instruction level:
- Removes unnecessary/unused code.
- Renames objects (compact class/method/variable names).
- Restructures code.
- Performs peephole optimizations.
- Merges identical code blocks.
- Removes debug information.

Obfuscation?
Traditional and basic name obfuscation:
- Rename identifiers: class/field/method names
- Remove debug information: line numbers, local variable names,

Class renaming

.source field annotation

Final result
Original Java Source | ProGuard Output

Why do developers use it?
It decreases the dex file size and increases application speed and performance. It also reduces memory usage. It removes debug information (the .source annotation field, line numbers, etc.), which might slightly increase reversing complexity. However, the result can look like an application developed by an apprentice. It doesn't deploy real obfuscation, and it is trivial to reconstruct the original code; it only requires patience and some extra hours.

Swiss Toolset
- Automatic class rename utility based on the .source annotation (https://github.com/HamiltonianCycle/ClassNameDeobfuscator).
- JEB/JEB2 and its renaming feature.
- Dynamic instrumentation with Frida, Cydia Substrate or Xposed Framework.
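Added check, written for this page and not taken from the talk or from the ClassNameDeobfuscator tool it links: it applies the .source-based rename idea over constructed smali so a developer can verify their own ProGuard release build. If it recovers names, the SourceFile attribute survived shrinking; the sample class names and smali fragments are made up.

```python
import re
from collections import defaultdict

# baksmali directives; ".source" carries the SourceFile attribute, ".line"
# the LineNumberTable, both kept when the ProGuard config keeps debug attributes.
_CLASS_RE = re.compile(r'^\.class\s+(?:[\w$]+\s+)*L([^;]+);', re.M)
_SOURCE_RE = re.compile(r'^\.source\s+"([^"]+)"', re.M)
_LINE_RE = re.compile(r'^\s*\.line\s+\d+', re.M)

def recover_names(smali_files: dict) -> dict:
    """Map obfuscated class descriptor -> candidate original class name.

    smali_files is {path: smali text}. A .source of "LoginActivity.java"
    yields LoginActivity inside the obfuscated class's own package; classes
    whose .source is missing or already renamed (e.g. "SourceFile") are skipped."""
    recovered = {}
    for text in smali_files.values():
        cls, src = _CLASS_RE.search(text), _SOURCE_RE.search(text)
        if not cls or not src or not src.group(1).endswith(".java"):
            continue
        descriptor = cls.group(1)
        pkg = descriptor.rsplit("/", 1)[0] + "/" if "/" in descriptor else ""
        recovered[descriptor] = pkg + src.group(1)[:-len(".java")]
    return recovered

def source_leak_report(smali_files: dict) -> dict:
    """Summarise what the kept debug attributes give away about the build."""
    names = recover_names(smali_files)
    by_original = defaultdict(list)
    for obfuscated, original in names.items():
        by_original[original].append(obfuscated)
    return {
        "classes": len(smali_files),
        "recovered": len(names),
        # several obfuscated classes resolving to one file are normally that
        # file's inner/anonymous classes: the attribute leaks the grouping too
        "ambiguous": {k: v for k, v in by_original.items() if len(v) > 1},
        "with_line_numbers": sum(1 for t in smali_files.values() if _LINE_RE.search(t)),
    }

# Constructed smali fragments in the shape baksmali prints for a ProGuard build.
SAMPLE_SMALI = {
    "a/b/a.smali": '.class public La/b/a;\n.super Landroid/app/Activity;\n'
                   '.source "LoginActivity.java"\n.method public a()V\n'
                   '    .line 42\n    return-void\n.end method\n',
    "a/b/b.smali": '.class final La/b/b;\n.super Ljava/lang/Object;\n'
                   '.source "LoginActivity.java"\n',
    "a/b/c.smali": '.class public La/b/c;\n.super Ljava/lang/Object;\n'
                   '.source "SourceFile"\n',
}
```

On a real build, feed it the smali directory baksmali produced; a non-empty result means the config still keeps SourceFile, which ProGuard's -renamesourcefileattribute SourceFile (together with not listing SourceFile/LineNumberTable under -keepattributes) removes.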


DexGuard: ohh boo! Did it scare you?

Quick introduction
- Paid version of ProGuard. Offers the same functionalities as its predecessor (optimizer, shrinker).
- Includes low-level techniques that are supposed to notably increase the effort of the reverse engineering process.
- It also encrypts and obfuscates application assets and libraries.
- A license might cost around $600 - $1300.


What does it do?
- All the features already included in ProGuard
- String encryption
- Tampering detection
- Assets and libraries encryption
- Class encryption (we will cover this point later)
- Automatic reflection

Why do developers use it?
- In contrast to ProGuard, it might increase the dex file size, as well as impact application speed and performance, including memory usage.
- Includes all the features included in ProGuard.
- Performs automatic encryption of the application's strings, assets, libraries and classes.
- Uses automatic reflection in combination with the protections described above. Might give you some headaches when reverse engineering it.
- It is really easy to use, and offers a decent grade of protection for its price.

Reflection
Automatic reflection | String Encryption

String Encryption
Encrypted strings array | Obfuscated code

Class encryption
1st stage: Loader -> (keys and IV for 1st DEX) -> 1st DEX (1st embedded dex)
2nd stage: 1st DEX -> (keys and IV for 2nd DEX) -> 2nd DEX, main code (2nd embedded dex)

Defeating DexGuard (statically)
Use scripts for JEB like DeCluster (JCase) and DexGuardStringDecoder (AKosterin) to rename classes, methods and variables and spot the InnerClass function that contains the string decryption method. Spot the respective IVs and encryption keys, grab the dex binaries' content embedded in the loader and first encrypted dex, and revert the process. Sounds easy, but in fact, it's a pain in the ass.

Defeating DexGuard (statically)

Defeating DexGuard (statically)
First/second dex embedded (encrypted) + encryption key + IV -> DES/AES CBF/NP -> encrypts/decrypts classes.dex. Repeat this process twice.

Not gonna happen

How to defeat DexGuard (dynamically)
Most packers and obfuscators dynamically load dex/apk/jar/zip files. This means that at some point those files must be written to disk: UNPROTECTED, DECRYPTED.

BaseDexClassLoader

DexFile

Conclusions: but I've got mad skillzZz and already paid for these protections!

Well, nothing is unbreakable, even if your product costs a thousand dollars; however, you can always raise the bar. Do not fall for the idea that adding extra layers of security to your application makes it more secure just because. Leave the onions for cooking.

Thanks
Special mentions to @revskills a.k.a. My weapon, @trufae, @pof, @oleavr, @fuzion24, @strazzere, @jduck, @jcase, @nowsecuremobile, @insitusec, etc.

Zero drama, always smile (:

Super tip of the day

Q&A?
