Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensics-rsa-conference-2014
2 likes1,276 views
This document provides an overview of reverse engineering Android apps. It discusses the anatomy of Android apps, obtaining target apps from a device or Google Play, and tools for disassembling and decompiling apps like Apktool, Dex2jar, and Android decompilers. It also promotes the use of Santoku Linux, an operating system distribution containing tools for mobile forensics and malware analysis.
Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensics-rsa-conference-2014
- 1. SESSION ID: Beginners Guide to Reverse Engineering Android Apps STU-W02B Pau Oliva Fora Sr. Mobile Security Engineer viaForensics @pof
- 2. #RSAC Agenda Anatomy of an Android app Obtaining our target apps Getting our hands dirty: reversing the target application Demo using Santoku Linux 2
- 3. Anatomy of an Android app
- 4. #RSAC Anatomy of an Android app Simple ZIP file, renamed to “APK” extension App resources Signature Manifest (binary XML) 4
- 5. Obtaining our target apps
- 6. #RSAC Getting the APK from the phone Backup to SD Card: APKOptic Astro file manager etc… 6
- 7. #RSAC Getting the APK from the phone Using ADB (Android Debug Bridge): adb shell pm list packages adb pull /data/app/package-name-1.apk 7
- 8. #RSAC Downloading the APK from Google Play Using unofficial Google Play API: https://github.com/egirault/googleplay-api Using a web service or browser extension: http://apps.evozi.com/apk-downloader/ http://apify.ifc0nfig.com/static/clients/apk-downloader/ 8
- 9. #RSAC Downloading the APK from Google Play Using unofficial Google Play API: https://github.com/egirault/googleplay-api Using a web service or browser extension: http://apps.evozi.com/apk-downloader/ http://apify.ifc0nfig.com/static/clients/apk-downloader/ 9
- 10. Getting our hands dirty: reversing the target application
- 11. #RSAC Disassembling DEX Smali 11
- 12. #RSAC Apktool apktool - https://code.google.com/p/android-apktool/ Multi platform, Apache 2.0 license Decode resources to original form (and rebuild after modification) Transforms binary Dalvik bytecode (classes.dex) into Smali source 12
- 13. #RSAC Smali 13
- 14. #RSAC Decompiling – Java Decompiler DEX JAR JAVA 14
- 15. #RSAC Dex2Jar dex2jar - https://code.google.com/p/dex2jar/ Multi platform, Apache 2.0 license Converts Dalvik bytecode (DEX) to java bytecode (JAR) Allows to use any existing Java decompiler with the resulting JAR file 15
- 16. #RSAC Java Decompilers Jd-gui - http://jd.benow.ca/ Multi platform closed source JAD - http://varaneckas.com/jad/ Multi platform closed source Command line Others: Dare, Mocha, Procyon, … 16
- 17. #RSAC Decompiling – Android (Dalvik) decompiler DEX JAVA 17
- 18. #RSAC Dalvik Decompilers Transforming DEX to JAR looses important metadata that the decompiler could use. Pure Dalvik decompilers skip this step, so they produce better output Unfortunately there are not as many choices for Android decompilers as for Java decompilers: Open Source: Androguard’s DAD - https://code.google.com/p/androguard/ Commercial: JEB - http://www.android-decompiler.com/ Others? 18
- 19. Demo – Santoku
- 20. #RSAC Demo – Santoku Linux Santoku Linux - https://santoku-linux.com/ Mobile Forensics Mobile Malware analysis Mobile application assessment 20
- 21. #RSAC Summary APK files are ZIP files, can be extracted with any unzip utility Apktool helps extracting binary resources, and allows repacking Dex2jar converts Dalvik Bytecode to Java Bytecode Pure Android decompilers are better Santoku Linux has all the tools you need to reverse engineering mobile apps 21
- 22. #RSAC Q&A | Contact | Feedback Thanks for listening… @pof github.com/poliva poliva@viaforensics.com 22