Java applications reverse engineering, Antoni Bertel, August 4, 2015

Upload: gervais-higgins

Post on 05-Jan-2016


Java applications reverse engineering

Antoni Bertel, Antoni_Bertel@epam.com

August 4, 2015


Introductory

• Jar (Java Archive) is a package file format typically used to aggregate many Java class files and associated metadata and resources.
• Java bytecode is the instruction set of the Java virtual machine.
• APK is the package file format used to distribute and install application software and middleware onto Google's Android operating system.
• Obfuscation is the obscuring of intended meaning in communication, making the message confusing, willfully ambiguous, or harder to understand.


Plan

1. Attacks on two Java archives: a desktop and a mobile application.
2. Conclusions about business problems.
3. Other types of attacks on jars, with a demonstration of some of them.
4. Types of jar protection, concentrating on obfuscation.
5. Protecting a "Hello, world" Java application.
6. Answers to questions.


Desktop Java application

AEM (Adobe Experience Manager) is an enterprise-grade web content management system with a wide array of powerful features.

Info
• License costs 50.000 $
• Delivered as a jar with a size of ~450 MB
• Used by PlayStation, SAP, Norton
• Written in Java
• Bytecode is not obfuscated


The practical part


Android application

Dalvik VM is a virtual machine in Google's Android operating system that executes applications written for Android. The Dalvik VM executes files in the Dex (Dalvik Executable) format.


Android application


Android application

VK (Vkontakte) is a social network that unites people all over the world and helps them communicate comfortably and promptly.

Info
• More than 2.000.000 reviews
• Fifty million downloads from Android Market
• Delivered as an APK
• Written in Java
• Bytecode is not obfuscated


The practical part


Technical risks

1. Access to premium content
2. Stealing source code
3. Access to the private application data
4. Disclosure of the internal architecture of the application
5. Access to internal application systems (API)
6. Stealing traffic; advertising; mobile botnets…


Business risks

1. Product discrediting
2. Losing money


Tools

• Bytecode decompilation
  – JD-GUI
  – JAD Java Decompiler
  – Bytecode viewer
• Bytecode modification
  – Java Bytecode Editor
  – reJ
  – Javassist
  – Byte Buddy
• Bytecode debugging
  – Java ByteCode Debugger
  – Bytecode Visualizer


Solutions

1. Bytecode obfuscation
2. Anti-debugging
3. Custom protection of business logic
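A release-gate check for the first solution, as an added example that is not from the presentation: it parses the constant pool of every class file in a jar and reports the debug attribute names (SourceFile, LineNumberTable, LocalVariableTable) that help decompilers produce readable output. It assumes a release build is expected to ship without them; the jar, the class names and all helper functions are constructed for the demo.

```python
import io
import struct
import zipfile

DEBUG_ATTRS = {"SourceFile", "LineNumberTable", "LocalVariableTable"}
CP_PAYLOAD_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                    12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # JVM spec 4.4

def utf8_constants(data):
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index, found = 10, 1, []
    while index < count:
        tag = data[pos]
        if tag == 1:  # Utf8: u2 length, then the bytes
            (length,) = struct.unpack_from(">H", data, pos + 1)
            found.append(data[pos + 3:pos + 3 + length].decode("utf-8", "replace"))
            pos += 3 + length
        elif tag in CP_PAYLOAD_SIZES:
            pos += 1 + CP_PAYLOAD_SIZES[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long and double occupy two slots
    return found

def audit_jar(jar_bytes):
    """Map each .class entry to the debug attribute names left in it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {name: sorted(DEBUG_ATTRS & set(utf8_constants(jar.read(name))))
                for name in jar.namelist() if name.endswith(".class")}

def sample_class(name, keep_debug):
    """Constructed minimal class file (no fields or methods) for the demo."""
    strings = [name, "java/lang/Object"] + (["SourceFile", "Demo.java"] if keep_debug else [])
    n = len(strings)
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    pool += struct.pack(">BHBH", 7, 1, 7, 2)  # Class entries for this/super
    body = struct.pack(">HHHHHH", 0x0021, n + 1, n + 2, 0, 0, 0)
    body += struct.pack(">HHIH", 1, 3, 2, 4) if keep_debug else struct.pack(">H", 0)
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, n + 3) + pool + body

def sample_jar():
    """Constructed two-class jar: one class keeps debug info, one is stripped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, debug in (("com/example/LicenseCheck", True), ("a/b", False)):
            jar.writestr(name + ".class", sample_class(name, debug))
    return buf.getvalue()
```

The match is on constant-pool strings, so a class that only contains one of these names as a string literal is flagged as well, and a build that keeps LineNumberTable on purpose for stack traces needs that name dropped from DEBUG_ATTRS.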


The practical part


Questions?