Godfrey Nolan

� Easy access to APKs

� APK design

� Same trailer, different park

� sdcard

� Rooting phone

� Download from forums

� Identify and protect sensitive data on the mobile device� Handle password credentials securely on the device� Ensure sensitive data is protected in transit� Implement user authentication, authorization and session

management correctly� Keep the backend APIs (services) and the platform (server) secure� Secure data integration with third party services and applications� Pay specific attention to the collection and storage of consent for

the collection and use of the user’s data� Implement controls to prevent unauthorized access to paid-for

resources (wallet, SMS, phone calls etc.)� Ensure secure distribution/provisioning of mobile applications� Carefully check any runtime interpretation of code for errors

� Download an APK� adb pull /data/app/Dashboard.apk

� Unzip APK� Disassemble an APK

� apktool d Dashboard.apk

� Decompile an APK� dex2jar.bat Dashboard.apk, open in JD-GUI

� SQLite investigation� adb backup –noapk Dashboard.apk

� java –jar abe.jar unpack backup.ab backup.tar

� https://code.google.com/p/dex2jar/

� http://java.decompiler.free.fr/?q=jdgui

� http://www.netmite.com/android/mydroid/dalvik/docs/dex-format.html

� http://www.netmite.com/android/mydroid/dalvik/docs/instruction-

formats.html

� https://code.google.com/p/android-apktool/

� http://sourceforge.net/projects/adbextractor/files/

� http://www.sweetscape.com/010editor/

� http://sqlitebrowser.sourceforge.net/

� Giveaway

� http://www.decompilingandroid.com

� @decompiling

� godfrey@riis.com

� http://www.riis.com