Upload
gaurav-lochan
View
1.537
Download
5
Tags:
Embed Size (px)
DESCRIPTION
Our product (Little Eye Labs) is a performance monitoring and optimization tool for Android apps. We wanted to expose detailed network usage information from the app, and we explored binary instrumentation as a way to do this. The presentation covers many learnings from the process - what are different reverse engineering tools on android, which ones specifically help with instrumentation, and a link to some of the source code from this process.
Citation preview
Reverse engineering and instrumenting android appsGaurav LochanLittle Eye Labs
Friday 13 December 13
Outline
Motivation?
Instrumentation
Guts of an android app
Instrumentation approaches
Chosen approach
Friday 13 December 13
Motivation?Little Eye Measures, Analyzes and helps optimize app resource usage on Android. But network stats are aggregates only
Friday 13 December 13
Motivation (2)Needed granular network stats - each endpoint/URL, Latency, Data transferred
Considered different approaches
Implement a VPN client app
Use a proxy
Looked at OS stats - didn’t find anything
Java debug wire protocol (JDWP)
InstrumentationFriday 13 December 13
Instrumentation
ie, Rewriting parts of a binary (in this case, android app)
Allows us to intercept HTTP calls, with code-level context (parameters, errors) for each call
Works on any app
Works on practically any android version/device
Opens up a lot of exciting possibilities...
Friday 13 December 13
Instrumentation (2)Can be: Static or Runtime
Examples
Android Traceview (startMethodTracing)
Android test automation framework
iOS instruments
Purify (Rational / IBM)
JVM -javaagent option
AspectJFriday 13 December 13
Guts of an app
Friday 13 December 13
classes.dx
Dalvik is the custom android VM (different from JVM)
Dex = Dalvik EXecutable format. It’s a custom bytecode format designed for android
Build process:
compile .java code into .class files
dx converts each .class file into .dx representation, and stores them in the single classes.dx
all ref’d library code also goes into classes.dex
Friday 13 December 13
Reverse engineering toolsSmali (by JesusFreke) - dex disassembler
ApkTool - decodes resources, repackage app
dex2jar - disassembles dex to .class format
JD-GUI - Decompiles .class into .java
Androguard - Tool for deep analysis of android app
ApkAnalyzer - Tool for analysis of app, also supports instrumentation of the app.
Friday 13 December 13
Smali: Before
Friday 13 December 13
Smali: After
Friday 13 December 13
Androguard
Friday 13 December 13
ApkAnalyzer
Friday 13 December 13
Instrumentation Approaches
Explored the following approaches on android
Runtime
Instrument .class files during build process
Instrument .dex file
Friday 13 December 13
Runtime instrumentation
A JVM allows this - pass in a java.lang.instrumentation (using the -javaagent flag) which can transform class at class-load time
Dalvik doesn’t support this
It supports passing in a android.app.instrumentation, but that has a limited set of methods, mostly for automated testing
Friday 13 December 13
Instrumenting .class files
Considered modifying .class files, in two ways:
Using the JavaAssist tool/library
AspectJ
Both are well understood tools, but need to be done at build time
Requires a process change, plus not all of our users have access to the build (e.g. 3rd party QA team)
Friday 13 December 13
Instrumenting .dex file
Found some tools - none of these looked solid enough
dexpler - research project
redexer - research project
apkil - google summer of code project
Tried dex2jar to convert .dx into .class - but this is not a reliable method. Fine for reading code (skip the failed conversions), but not for this use case.
Friday 13 December 13
Instrumenting .dex file (2)Smali
A simple tool that decompiles the .dx into an intermediate format (also known as smali)
This is well-used (e.g. ApkTool, ApkAnalyzer, and apkil use it)
Active project, well supported by JesusFreke
I disassemble an app, modified the smali code, and re-assembled and repackaged, and it just worked!
Friday 13 December 13
Automating instrumentationChallenges:
Need a way to find all the appropriate calls in the app to replace
Need to do it without side-effects.
Tried many approaches, JesusFreke pointed me to MutableMethod which did what i needed
Called my approach Umbreyta (icelandic for transform). https://github.com/LittleEyeLabs/smali
Friday 13 December 13
Voila!
Friday 13 December 13