Android applications in the cruel world
Defence Against the Dark Forces: how to save an Android application from threats?
Mikhail Dudarev, Ivan Kinash, Licel, 2014, DroidCon Moscow 2014
About
• Mikhail Dudarev, old-school Java security guy, founder of jCardSim, a Java Card simulator, winner of the 2013 Duke's Choice Award; co-founder of Licel.
• Ivan Kinash, co-founder & CEO at Licel
• Licel creates application protection solutions for Java and Android platforms.
Report
Techworld report: looking at a total of 230 apps (the top 100 paid apps and top 15 free apps for Android and iOS), Arxan found that 100 percent of the top paid apps on Android and 56 percent on iOS were being impersonated in a compromised form on grey markets. http://goo.gl/mW1WxZ
Android Application Security Model
• There is no standard EULA; every publisher is solely responsible for their own (Google Play)
• The installed APK is stored on the device
• It is signed with the publisher's signature
• There is a privilege system (users do not take it seriously, or they simply have no choice)
• APKs stored on devices are accessible even without root privileges
Android Application Security Model
• The signature is designed to confirm the integrity of an application
• The truth is that it gives you absolutely nothing
• A couple of minutes are needed to re-sign an application
• Then put it on grey markets, p2p, warez sites… or even on the same market where the original one is (was)
APK Structure
classes.dex (Dalvik bytecode)
resources.arsc (compiled resources)
META-INF/ (signatures)
res/ (resources)
assets/ (assets)
lib/ (native libs)
AndroidManifest.xml (name, version, access rights, referenced libs)
Dalvik bytecode
• Is it protected?
• Is it hard to reverse engineer?
No and no once again…
Example
• Imagine you have an application with ads
• What does a malicious person have to do to own your app?
• Apktool disassemble -> change ad id -> Apktool assemble -> add its own signature -> zipalign -> distribute (p2p, grey markets, official markets, warez sites) = 10 mins
• If you are using just the name obfuscation technique, it will require one extra minute to hack…
Short funny demo
Existing threats
• Application cloning
• Sensitive information (user) theft
• Licensing system cracking
• Reverse engineering
Application cloning
• Illegal publishing on alternative app stores – app sales revenue loss
• Rerouting of Ad/IAP revenue streams – lost revenue from ads and purchases
• Malicious code injection – loss of reputation and harm to the app's users
Stealing sensitive information from an application
• User's Data – logins/passwords/keys/credit card info… – social network data – location
• Application Data – unique multimedia resources – information from embedded databases – business logic
• Corporate Data – DBs/confidential files/…
Cracking tools (free): ApkTool, Androguard, Dex2jar
Licensing system cracking. Google Play LVL
• The main app licensing service in Google Play
• Based on asymmetric cryptography – secret keys are stored on the licensing server, public keys are in an application's code
Automatic cracking tool: AntiLVL
Reverse engineering
• Analysis of weak/critical places in apps in order to detect vulnerabilities
• Application's internal logic analysis – OTP generator for a banking solution http://goo.gl/0Dauve
Cracking tools: ApkTool, Androguard, Dex2jar
Reverse engineering my bank's security token
• Original mobile banking application that generates OTP (One Time Password) codes
• After decompiling with Dex2Jar – detected OTP generation algorithm – TOTP
TOTP = HOTP(SecretKey, TimeCounter) – secret key extracted from code – Arduino clone created
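The relation above is the whole story: TOTP is HOTP with the counter replaced by floor(time / step), so the key is the only secret, and any device holding the same key bytes (the Arduino clone) is accepted by the server exactly like the genuine app. The following is an added illustration, not code from the deck or from the bank's app; it follows RFC 4226/6238 and uses the constructed 20-byte seed and times from those RFCs' test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret_key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret_key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) = HOTP(SecretKey, TimeCounter), TimeCounter = unix_time // step.
    Nothing in this computation is secret except secret_key."""
    return hotp(secret_key, unix_time // step, digits)


def server_verify(secret_key: bytes, candidate: str, unix_time: int,
                  step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift;
    constant-time comparison so the check itself leaks nothing."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_key, counter + delta, digits), candidate):
            return True
    return False


def key_is_the_only_secret(secret_key: bytes, unix_time: int) -> bool:
    """The slide's lesson: a copy of the key bytes on a second device produces a
    code the server accepts, while a device with a different key is rejected.
    True means the key extracted from the APK is sufficient to clone the token."""
    clone_code = totp(secret_key, unix_time)                  # same key -> same code
    other_code = totp(b"\x00" * len(secret_key), unix_time)   # different key -> rejected
    return (server_verify(secret_key, clone_code, unix_time)
            and not server_verify(secret_key, other_code, unix_time))


# Constructed demo value: the 20-byte seed used by the RFC 4226 / RFC 6238 test vectors.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SEED, 0))              # 755224 (RFC 4226 Appendix D)
    print(totp(RFC_SEED, 59, digits=8))   # 94287082 (RFC 6238 Appendix B, SHA-1)
    print(key_is_the_only_secret(RFC_SEED, 1111111109))
```

The mitigation follows directly: provision the key per device (and per user) from the server, never compile it into classes.dex, and keep it in encrypted storage with the access path protected by string/class encryption as the later slides describe.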
Standard protection and licensing techniques
• Name obfuscation (in particular ProGuard)
• Licensing services provided by the app store – Google Play Licensing – Amazon DRM
• Custom native libraries for license checking, string/class encryption
• Server-side computation
• Mathematical Jigsaw Puzzle Obfuscation (keep the ProGuard optimizer away from these parts of code)
Useful, but do not work…
Active and Strong Integrity Protection Techniques and a set of other great approaches
They do not work without…
Cracking methods
• Automatic – AntiLVL
• Tools for analysis and modification – ApkTool – Androlib – Dex2Jar – JD-GUI/JEB/…
• Text editor and grep
Advanced protection techniques
• String Encryption (e.g. whiteboxcrypto)
• Hiding of API calls
• Class Encryption
• Resource Encryption
• Strong and active integrity protection
Protection goal
• Have the bytecode (even if it is dumped) as hard to reverse engineer as possible (strings are encrypted, valuable algorithms are hidden, API calls are hidden)
• Have a strong integrity protection mechanism in order to block the ability to repackage
• Have unique resources encrypted
Protection scheme
APK
Bytecode • String Encryption • Class Encryption • Hide API calls
Resources • Resource encryption
Signature • Active Integrity Protection (Repackaging protection)
If an app has network abilities, you can also change the communication protocol from version to version…
A few important tips
If you are developing a mobile banking/financial/corporate/secure app:
• Device fingerprint
• Device-related one-time passwords via a second communication channel (SMS)
• Use secured communication protocols and strong cryptography where possible
• Sensitive information stored on a device should be encrypted (SQLCipher); keys must be hidden via String Encryption
• Keep in mind that the balance between usability/performance and security is important
• Think about protection and do protect in advance, BEFORE RELEASE
A few important tips #2
After applying strong protection techniques you might then think about:
• App cert check (just in case)
• Debug mode check
• Rooted device check
• Emulator check
DexProtector
• Drawing on our extensive expertise, we have implemented String Encryption, Class Encryption, Resource Encryption, Hide Access and Integrity Control mechanisms at a technology-leading level
• That is why I would love to recommend DexProtector for protecting your apps from threats
• If you are applying additional security practices, DexProtector will help you protect them from being reverse engineered
• It can be used together with ProGuard
Conclusion
• Nobody will give you a 100% guarantee that your app will not be hacked
• The relevance of piracy is increasing day by day as the Android market grows
• Standard protection techniques no longer stand up to current methods of analysis and cracking
• A set of protection techniques must be applied
• Integrity Protection is very important
Conclusion #2
• If you applied security measures intelligently, you are safe from more than 90% of potential hackers. It is hoped that the remaining 10 percent will not be interested in breaking your app
• Google is in a difficult situation with Android security now. There should definitely be some changes, especially in securing the boot-loader and in creating a secure app execution environment and storage. They tried in Jelly Bean, but with no luck. On the other hand, I see that the Nexus series can be legally rooted and do not know what to think
Contacts
Email: [email protected], [email protected]
Twitter: @MikhailDudarev, @ivan_kinash
Web: http://licelus.com
DexProtector: http://dexprotector.com