Godfrey Nolan's class on Protecting Android Source code at AnDevCon 2012
Godfrey Nolan
Agenda:
- Hear no evil, see no evil
- Decompiling APK demo
- Raising the bar

Hear no evil, see no evil:
- Easy access to APKs
- APK design
- Nobody using obfuscation
According to DuoSecurity, over 50% of Android phones are rootable (see Xray.io for more information).

Vulnerabilities:
- ASHMEM
- Exploid
- Gingerbreak
- Levitator
- Memoproid
- etc.
What is at risk:
- Logins
- API keys
- Credit card information
- Fake apps

Getting the APK:
- sdcard
- Rooting phone
- Download from forums
Raising the bar:
- Obfuscation
- Android NDK
- SQLCipher for SQLite
- Google Closure for JavaScript in HTML5/CSS
- Don't use keys - login each time
- Break tools (Dex2Jar and Baksmali)
- Google Encryption in Jelly Bean (RIP)
- Hide key info elsewhere (see resources)
Obfuscation Theory, three kinds of transformation:
- Layout
- Control
- Data
| Obfuscation Type | Classification       | Transformation                                                                                                                                                          |
|------------------|----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Layout           |                      | Scramble identifiers.                                                                                                                                                   |
| Control          | Computations         | Insert dead or irrelevant code. Extend a loop condition. Reducible to non-reducible. Add redundant operands. Remove programming idioms. Parallelize code.               |
| Control          | Aggregations         | Inline and outline methods. Interleave methods. Clone methods. Loop transformations.                                                                                    |
| Control          | Ordering             | Reorder statements. Reorder loops. Reorder expressions.                                                                                                                 |
| Data             | Storage and encoding | Change encoding. Split variables. Convert static data to procedural data.                                                                                               |
| Data             | Aggregation          | Merge scalar variables. Factor a class. Insert a bogus class. Refactor a class. Split an array. Merge arrays. Fold an array. Flatten an array.                            |
| Data             | Ordering             | Reorder methods and instance variables. Reorder arrays.                                                                                                                 |
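To make the table concrete, here is an added example (not from the slides, and not the output of any of the tools named in the deck) in Java, the language of the Android code being protected. One small method is rewritten by hand with one transformation from each row family: layout (scramble identifiers), data (change encoding, split variables) and control (insert dead code behind an opaque predicate). The method itself and the sample input are constructed for the demonstration.

```java
// Added example: three transformations from the obfuscation taxonomy applied
// by hand to one constructed method, so "before" and "after" can be compared.
// Every variant computes exactly the same value; only the code's shape differs.
public class ObfuscationDemo {

    // ---- Original: clear names, a literal seed constant, one loop counter ----
    static int checksumOriginal(byte[] payload) {
        int checksum = 0x5A;                       // seed constant in the clear
        for (int index = 0; index < payload.length; index++) {
            checksum = (checksum * 31 + payload[index]) & 0xFFFF;
        }
        return checksum;
    }

    // ---- Layout: "scramble identifiers" (what a renaming obfuscator does) ----
    // Same bytecode apart from the names; the decompiled output no longer says
    // what the method or its variables are for.
    static int a(byte[] b) {
        int c = 0x5A;
        for (int d = 0; d < b.length; d++) {
            c = (c * 31 + b[d]) & 0xFFFF;
        }
        return c;
    }

    // ---- Data: "change encoding" and "split variables" ----
    // The seed 0x5A is never stored as a literal; it is rebuilt at run time
    // from two values that mean nothing on their own (0x33 ^ 0x69 == 0x5A).
    // The loop index is split into two ints i1, i2 with index == i1 + i2.
    static int dataObfuscated(byte[] b) {
        int c = 0x33 ^ 0x69;                       // decodes to 0x5A
        int i1 = 0, i2 = 0;
        while (i1 + i2 < b.length) {
            c = (c * 31 + b[i1 + i2]) & 0xFFFF;
            if ((i1 & 1) == 0) i1++; else i2++;    // advance exactly one half
        }
        return c;
    }

    // ---- Control: "insert dead or irrelevant code" behind an opaque predicate ----
    // x * (x + 1) is the product of two consecutive integers and is therefore
    // always even, even after int overflow, so the branch never executes.
    // A decompiler shows the branch as live code unless it proves the identity.
    static int controlObfuscated(byte[] b, int x) {
        int c = 0x5A;
        for (int d = 0; d < b.length; d++) {
            c = (c * 31 + b[d]) & 0xFFFF;
            if ((x * x + x) % 2 == 1) {            // opaque predicate: never true
                c = c ^ d;                         // dead code, never reached
            }
        }
        return c;
    }

    public static void main(String[] args) {
        byte[] sample = "constructed sample input".getBytes();  // constructed input
        System.out.println("original = " + checksumOriginal(sample));
        System.out.println("layout   = " + a(sample));
        System.out.println("data     = " + dataObfuscated(sample));
        System.out.println("control  = " + controlObfuscated(sample, 12345));
        // All four lines print the same value: obfuscation changes the shape
        // of the code, not what it computes.
    }
}
```

The point of running all four side by side is the one the "Obfuscation = defactoring" slide makes later: each transformation is behaviour-preserving but makes the decompiled source harder to read and harder to maintain, which is why tools rather than hand edits are used in practice.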
Obfuscators:
- ProGuard and DexGuard
- DashO

Benefits:
- Application size
- Performance
- Remove logging, debugging, testing code
- Protection
At the bytecode level:
- Dead code elimination
- Constant propagation
- Method inlining
- Class merging
- Remove logging code
- Peephole optimizations
- Devirtualization
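As an added example (not from the slides or from the ProGuard project itself), the ProGuard configuration fragment below shows how the items in this list are switched on for an Android project of the deck's era. It assumes the SDK's `proguard-android-optimize.txt` is also included, since the default `proguard-android.txt` sets `-dontoptimize` and the optimizations listed above, including log removal, are skipped without it. Directive names are real ProGuard options; the file name and package name are assumptions.

```proguard
# Added example: proguard-project.txt fragment for an Android app (assumed to
# be used together with the SDK's proguard-android-optimize.txt).

# "Remove logging code": calls to methods declared here are deleted by the
# optimizer when their return value is unused, so the log strings never
# reach the release APK. Leave Log.w/Log.e in if you want them in the field.
-assumenosideeffects class android.util.Log {
    public static int v(...);
    public static int d(...);
    public static int i(...);
}

# Several optimization passes so that method inlining in one pass exposes
# more dead code and constant propagation for the next pass.
-optimizationpasses 5
-allowaccessmodification      # lets the optimizer inline and merge across packages
-repackageclasses ''          # layout obfuscation: collapse all classes into one package

# Keep what the framework reaches by name from the manifest, or the app will
# not start after obfuscation (the rest of the framework rules come from the
# SDK file assumed above).
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider

# Bug fixing after obfuscation: keep the renaming map for every release build so
# stack traces from the field can be translated back with ProGuard's retrace.
-printmapping mapping.txt
-keepattributes SourceFile,LineNumberTable
-renamesourcefileattribute SourceFile
```

`mapping.txt` is the one file to archive per release: without it, a crash report from an obfuscated build is a list of single-letter class and method names, which is the "Bug fixing" cost the slides mention.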
Nothing is unbreakable, but you can raise the bar:
- Reflection
- String encryption
- Class encryption
- Tamper detection
- Debug detection
- Emulator detection
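The last three items are run-time checks rather than build-time transformations. The class below is an added example (not from the slides, and not DexGuard's or DashO's implementation) of tamper, debug and emulator detection using the public Android SDK of the deck's era; `PackageManager.GET_SIGNATURES` is the pre-API 28 way to read the signing certificate. The package name and `EXPECTED_SIGNER_SHA256` value are placeholders to be replaced with your own.

```java
// Added example: tamper, debug and emulator detection with public Android APIs.
package com.example.protect;   // hypothetical package name

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import java.security.MessageDigest;

public final class IntegrityChecks {

    // Placeholder: the hex SHA-256 of your release signing certificate, taken
    // at build time (e.g. from keytool). A repackaged "fake app" must be signed
    // with a different certificate, so this hash will not match.
    private static final String EXPECTED_SIGNER_SHA256 =
            "<placeholder: hex SHA-256 of release signing certificate>";

    // Tamper detection: compare the certificate the platform sees on the
    // installed APK with the one baked in at build time. Any error counts as
    // "not verified" rather than "verified".
    public static boolean isSignedByUs(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                String actual = toHex(md.digest(sig.toByteArray()));
                if (actual.equalsIgnoreCase(EXPECTED_SIGNER_SHA256)) {
                    return true;
                }
            }
        } catch (Exception e) {
            // NameNotFoundException / NoSuchAlgorithmException: fall through
        }
        return false;
    }

    // Debug detection: the manifest's debuggable flag (set when a release
    // build was rebuilt for debugging) or a debugger attached right now.
    public static boolean isDebuggable(Context ctx) {
        boolean debuggableFlag =
                (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return debuggableFlag || Debug.isDebuggerConnected();
    }

    // Emulator detection: the stock SDK emulator reports generic build
    // properties. This is a heuristic; custom images can report anything.
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || "goldfish".equals(Build.HARDWARE);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private IntegrityChecks() { }
}
```

Where the results are consumed matters as much as the checks themselves: a single `if (!isSignedByUs(this)) finish();` next to the check is the first thing found in decompiled code, so it is usual to spread the consequences (disabling a feature, refusing to fetch a key) across the app and, as the slides recommend, to keep the app itself out of the trust equation by logging in each time rather than shipping keys.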
Caveats:
- Bug fixing
- Unit testing
- Obfuscation = defactoring
Examples:
- WordPress
- ProGuard & DexGuard
- DashO
- HoseDex2Jar
- NDK
- DexToXML
- DexToSource

Giveaway: What does Dex stand for?
Resources:
- http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf
- https://www.pcisecuritystandards.org/security_standards/documents.php?document=mobile_payment_security_guidelines1
- http://xray.io
- http://www.netmite.com/android/mydroid/dalvik/docs/dalvik-bytecode.html
- http://source.android.com/tech/dalvik/dex-format.html
- http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
- http://www.saikoa.com/dexguard
- http://www.preemptive.com/products/dasho/overview
- http://android.wordpress.org/development/
- http://selinuxproject.org/page/SEAndroid

Contact: http://www.decompilingandroid.com | @decompiling | [email protected] | http://www.riis.com