android applications in the cruel world, how to save them from threats?

Android applications in the cruel world Defence Against the Dark Forces or how to save an Android application from threats? Mikhail Dudarev, Ivan Kinash Licel, 2014, DroidCon Moscow 201

Upload: ivan-kinash

Post on 22-Nov-2014


DESCRIPTION

Demos: https://www.youtube.com/playlist?list=PLT5vjvSOpI4QxaidyMBO9cqDm7ww-pIib

I am sure you know what the situation with Android apps is today: as you can see from the Mobile Techworld report, 100% of top paid apps were hacked or cloned and then modified. That is pretty sad for developers and publishers, and also for the attractiveness of the Android platform. The guys from Apple are also adding fuel to the fire, telling us that the Android platform is the Malware Kingdom.

I was amazed that there is no standard EULA for apps placed in Google Play. Take it seriously, it is important. The Amazon application store has one, for example.

Let's imagine we have an application with ads. All a potential hacker has to do is disassemble the app, change the ad id, assemble it back, do some needed stuff and put it on the market: p2p, grey markets, official markets, warez sites and so on. Note that if we are using name obfuscation for the app, a potential hacker will need an extra minute to hack it.

TRANSCRIPT

Page 1: Android applications in the cruel world, how to save them from threats?

Android applications in the cruel world

Defence Against the Dark Forces or how to save an Android application from threats?

Mikhail Dudarev, Ivan Kinash

Licel, 2014, DroidCon Moscow 2014

Page 2: Android applications in the cruel world, how to save them from threats?

About

• Mikhail Dudarev is an old-school Java security guy, co-founder of Licel, founder of jCardSim, a Java Card simulator, which has won the 2013 Duke's Choice Award
• Ivan Kinash is a co-founder & CEO at Licel
• Licel creates application protection solutions for Java and Android platforms

Page 3: Android applications in the cruel world, how to save them from threats?

Report

Mobile Techworld Report: Looking at a total of 230 apps – the top 100 paid apps and top 15 free apps for Android and iOS – Arxan found that 100 percent of the top paid apps on Android and 56 percent on iOS were being impersonated in a compromised form on grey markets.

http://goo.gl/mW1WxZ

Page 4: Android applications in the cruel world, how to save them from threats?

Android Application Security Model

• There is no standard EULA, each publisher is solely responsible for one (Google Play)
• Installed APK is stored on a device
• It is signed with a publisher's signature
• There is a privilege system (users do not take it seriously, or they simply have no choice)
• APKs stored on devices are accessible even without root privileges (Jelly Bean Encrypted Containers – root needed)

Page 5: Android applications in the cruel world, how to save them from threats?

Android Application Security Model

• Signature is designed to confirm integrity of an application
• Truth is that it gives you absolutely nothing
• A couple of minutes are needed to re-sign an application
• Then put it on grey markets, p2p, warez sites… Or even on the same market where the original one is (was)

Page 6: Android applications in the cruel world, how to save them from threats?

APK Structure

• classes.dex (dalvik bytecode)
• resources.arsc (compiled resources)
• META-INF/ (signatures)
• res/ (resources)
• assets/ (assets)
• lib/ (native libs)
• AndroidManifest.xml (name, version, access rights, referenced libs)

Page 7: Android applications in the cruel world, how to save them from threats?

Dalvik bytecode

• Is it protected?
• Is it hard to reverse engineer?

No and no once again…

Page 8: Android applications in the cruel world, how to save them from threats?

Example

• Imagine you have an application with ads
• What does a malicious person have to do to own your app?
• Apktool disassemble -> change ad id -> Apktool assemble -> add its own signature -> zipalign -> distribute (p2p, grey markets, official markets, warez sites) = 10 mins
• If you are using just the name obfuscation technique, it will require one extra minute to hack…
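Seen from the publisher's side, a clone produced this way leaves a recognisable trace: almost every entry is byte-identical to the release, one payload entry differs, and the files under META-INF/ have been replaced. The following is an added Python example (not code from the talk) that triages a suspect APK against the released one; the entry contents, the ad id strings and the function names are constructed for illustration.

```python
import hashlib
import io
import zipfile


def build_apk(entries):
    """Build a constructed APK-like ZIP in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def entry_hashes(apk_bytes):
    """Map every entry of an APK (a ZIP archive) to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}


def compare_apks(original, suspect):
    """List entries that were added, removed or changed and classify the suspect."""
    a, b = entry_hashes(original), entry_hashes(suspect)
    touched = sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))
    signature = [n for n in touched if n.startswith("META-INF/")]
    payload = [n for n in touched if not n.startswith("META-INF/")]
    if not touched:
        verdict = "identical"
    elif signature and payload:
        verdict = "repackaged"            # content modified and signature replaced
    elif signature:
        verdict = "re-signed only"
    else:
        verdict = "modified, not re-signed"
    return {"verdict": verdict, "signature": signature, "payload": payload}


# Constructed sample data: placeholder bytes, not real APK contents.
COMMON = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-bytes"}
RELEASE = build_apk({**COMMON,
                     "resources.arsc": b"ad_unit_id=PUBLISHER-AD-ID",
                     "META-INF/MANIFEST.MF": b"digests-of-release",
                     "META-INF/CERT.RSA": b"publisher-certificate"})
SUSPECT = build_apk({**COMMON,
                     "resources.arsc": b"ad_unit_id=OTHER-AD-ID",
                     "META-INF/MANIFEST.MF": b"digests-of-clone",
                     "META-INF/OTHER.RSA": b"other-certificate"})
```

The comparison looks at ZIP entries only, so it covers the JAR-style signature files in META-INF/ shown on the APK Structure slide; APK Signature Scheme v2 and later keep the signature in a block outside the ZIP entries and need a separate check.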

Page 9: Android applications in the cruel world, how to save them from threats?

Short funny demo

Page 10: Android applications in the cruel world, how to save them from threats?
Page 11: Android applications in the cruel world, how to save them from threats?

Existing threats

• Application cloning
• Sensitive information (user) theft
• Licensing system cracking
• Reverse engineering

Page 12: Android applications in the cruel world, how to save them from threats?

Application cloning

• Illegal publishing on alternative app stores
– App sales revenue loss
• Rerouting of Ad/IAP revenue streams
– Lost revenue from ads and purchases
• Malicious code injection
– Loss of reputation and harm to the app's users

Page 13: Android applications in the cruel world, how to save them from threats?

Stealing sensitive information from an application

• User's Data
– Logins/Passwords/Keys/Credit card info…
– IM, Social Network data,…
– Location
• Application Data
– Unique multimedia resources
– Information from embedded databases
– Business Logic
• Corporate Data
– DBs/Confidential files/…

Cracking tools (free): ApkTool, Androguard, Dex2jar

Page 14: Android applications in the cruel world, how to save them from threats?

Licensing system cracking. Google Play LVL

• The main app licensing service in Google Play
• Based on asymmetric cryptography
– Secret keys are stored on the licensing server, public keys are in an application's code

Automatic cracking tool: AntiLVL

Page 15: Android applications in the cruel world, how to save them from threats?

Reverse-engineering

• Analysis of weak/critical places in apps in order to detect vulnerabilities
• Application's internal logic analysis
– OTP-generator for a banking solution http://goo.gl/0Dauve

Cracking tools: ApkTool, Androguard, Dex2jar

Page 16: Android applications in the cruel world, how to save them from threats?

Reverse engineering my bank's security token

• Original mobile banking application that generates OTP (One Time Password) codes
• After decompiling with Dex2Jar
– Detected OTP generation algorithm – TOTP: TOTP = HOTP(SecretKey, TimeCounter)
– Secret key extracted from code
– Arduino clone created
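The relation on this slide, TOTP = HOTP(SecretKey, TimeCounter), written out as an added Python example (not code from the talk or from the banking application). It follows RFC 4226 and RFC 6238 and shows that the secret key is the only non-public input; the RFC test key stands in for a key compiled into an app, and `device_secret` with its master key and device identifiers is a hypothetical per-device provisioning scheme, assumed here to show how the damage of one extracted key can be limited to one install.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP = HOTP(SecretKey, TimeCounter) with TimeCounter = unix_time // step."""
    return hotp(secret, unix_time // step, digits)


def verify(secret, code, unix_time, step=30, window=1, digits=6):
    """Server-side check that tolerates +/- `window` time steps of clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(max(0, counter - window), counter + window + 1))


def device_secret(master_key, device_id):
    """Hypothetical mitigation: derive a per-device secret on the server at
    enrolment, so no single key in the APK is valid for every install."""
    return hmac.new(master_key, device_id, hashlib.sha256).digest()


# RFC 4226 test key, standing in for a key hardcoded in an app (not from the talk).
EMBEDDED_KEY = b"12345678901234567890"
# Constructed server master key and device identifiers.
MASTER_KEY = b"constructed-server-master-key"
DEVICE_A, DEVICE_B = b"device-a-fingerprint", b"device-b-fingerprint"

if __name__ == "__main__":
    print(totp(EMBEDDED_KEY, 59, digits=8))  # RFC 6238 test time
    key_a = device_secret(MASTER_KEY, DEVICE_A)
    key_b = device_secret(MASTER_KEY, DEVICE_B)
    code_a = totp(key_a, 59, digits=8)
    print(verify(key_a, code_a, 59, digits=8), verify(key_b, code_a, 59, digits=8))
```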

Page 17: Android applications in the cruel world, how to save them from threats?

Reverse engineering my bank's security token

Page 18: Android applications in the cruel world, how to save them from threats?

Standard protection and licensing techniques

• Name obfuscation (in particular ProGuard)
• Licensing services provided by app store
– Google Play Licensing
– Amazon DRM
• Custom native libraries for license checking, string/class encryption
• Server-side computation
• Mathematical Jigsaw Puzzle Obfuscation (keep the ProGuard optimizer away from these parts of the code)

Page 19: Android applications in the cruel world, how to save them from threats?

Useful, but do not work…

Active and Strong Integrity Protection Techniques and a set of other great approaches

They do not work without…

Page 20: Android applications in the cruel world, how to save them from threats?

Cracking methods

• Automatic
– AntiLVL
• Tools for analysis and modification
– ApkTool
– Androlib
– Dex2Jar
– JD-GUI/JEB/…
• Text editor and grep

Page 21: Android applications in the cruel world, how to save them from threats?

Advanced protection techniques

• String Encryption (e.g. whiteboxcrypto)
• Hiding of API calls
• Class Encryption
• Resource Encryption
• Strong and active integrity protection

Page 22: Android applications in the cruel world, how to save them from threats?

Protection goal

• Have bytecode (even if it is dumped) as hard to reverse engineer as possible (strings are encrypted, valuable algorithms are hidden, API calls are hidden)
• Have strong integrity protection mechanism in order to block repackaging ability
• Have unique resources encrypted

Page 23: Android applications in the cruel world, how to save them from threats?

Protection scheme

APK

Bytecode
• String Encryption
• Class Encryption
• Hide API calls

Resources
• Resource encryption

Signature
• Active Integrity Protection (Repackaging protection)

If an app has network abilities, you can also change communication protocol from version to version…

Page 24: Android applications in the cruel world, how to save them from threats?

A few important tips

If you are developing a mobile banking/financial/corporate/secure app:
• Device fingerprint
• Device-related One time passwords via second communication channel (SMS)
• Use secured communication protocols and strong cryptography if it is possible
• Sensitive information stored on a device should be encrypted (SQLCipher), keys must be hidden via String Encryption
• Keep in mind that the balance between usability/performance and security is important
• Think about protection and do protect in advance, BEFORE RELEASE

Page 25: Android applications in the cruel world, how to save them from threats?

A few important tips #2

After applying strong protection techniques you might think then about:
• App cert check (just in case)
• Debug mode check
• Rooted device check
• Emulator check

Page 26: Android applications in the cruel world, how to save them from threats?

DexProtector

• Having huge expertise, we implemented String Encryption, Class Encryption, Resource Encryption, Hide Access and Integrity Control mechanisms on a technology leading level
• That is why I would love to recommend DexProtector for protecting your apps from threats
• If you are applying additional security practices, DexProtector will help you to protect them from being reverse engineered
• It can be used together with ProGuard

Page 27: Android applications in the cruel world, how to save them from threats?

Conclusion

• Nobody will give you a 100% guarantee that your app will not be hacked
• Relevance of piracy is increasing day by day as the Android market grows
• Standard protection techniques no longer stand up against current methods of analysis and cracking
• Must have a set of protection techniques applied
• Integrity Protection is very important

Page 28: Android applications in the cruel world, how to save them from threats?

Conclusion #2

• If you applied security measures intelligently you are safe from more than 90% of potential hackers. It is hoped that the remaining 10 percent will not be interested in breaking your app
• Google is in a difficult situation with Android security now. Definitely there should be some changes, especially in securing the boot-loader, and in creating a secure app execution environment and storage as well. They tried in Jelly Bean, but with no luck. On the other hand, I see that the Nexus series has the ability to be legally rooted, and I do not know what to think

Page 29: Android applications in the cruel world, how to save them from threats?

Contacts

Email: [email protected], [email protected]
Twitter: @MikhailDudarev, @ivan_kinash
Web: http://dexprotector.com, http://licelus.com