"It is a must-have for security architects and consultants as well as enterprise security managers who are working with mobile devices and applications."
Dr. Dena Haritos Tsamitis, Director, Information Networking Institute (INI), Director of Education, CyLab, Carnegie Mellon University

"Good book for Android security enthusiasts and developers that also covers advanced topics like reverse engineering of Android applications. A must-have book for all security professionals."
Sanjay Katkar, Co-Founder, Quick Heal Technologies

"It's an excellent book for professional businesses that are trying to move their corporate applications on mobile / Android platform. It helped me understand the threats foreseen in Android applications and how to protect against them. Thanks for putting together a structured text on Android security."
Jagmeet Malhotra, Vice President, Royal Bank of Scotland

"Smart mobile devices need smart security. If you are facing the complex challenge of securing data and applications for Android, this book provides valuable insight into the security architecture and practical guidance for safeguarding this modern platform."
Gerhard Eschelbeck, Chief Technology Officer, Sophos

"Abhishek and Anmol's book Android Security: Attacks & Defenses is a great introduction to Android security. Their chapter "Reverse Engineering Android Applications" provides the groundwork for anybody interested in mobile malware analysis and cracking the nitty-gritty of most Android apps."
Nicholas Falliere, Founder, JEB Decompiler & Security Researcher

"In their book Android Security: Attacks and Defenses, Dubey and Misra have filled a critical gap in software security literature by providing a unique and holistic approach to addressing this critical and often misunderstood topic..."
James Ransome, Senior Director, Product Security, McAfee, An Intel Company

"The book gives security professionals and executives a practical guide to the security implications and best practices for deploying Android platforms and applications in the (corporate) environment."
Steve Martino, VP Information Security, Cisco
In this appendix, we detail how a malicious user can reverse engineer and modify the behavior of a particular application. In Chapter 7, we showed this using the SecureApp.apk application as one of many ways in which a malicious user can achieve this. In this tutorial, we will demonstrate a few ways in which a malicious user can modify an application's behavior to add or remove functionality.

We will now demonstrate how application behavior can be modified by decompiling it into smali code, recompiling it and then packaging it back into an apk file. The authors have created a simple application that requires the user to enter the correct passcode before using the application. We will demonstrate how a malicious user can potentially bypass this intended functionality.
Step 1: Understand application behavior

The first step in analyzing or reverse engineering an application is to understand its behavior. Typically this entails installing and using the application and going through the different functionality it provides. In our case, we can install the application on an emulator and try to use it. As seen in Figure 1, launching the application presents the user with a password screen. At this point we don't know the length of the password required or whether passwords are numeric (PIN) or actual passwords. We notice (by trial and error) that the application only accepts numeric digits as the password. We also notice that the maximum number of digits the application allows us to enter is 4. Thus we can conclude that the password is all numeric and is 4 digits in length.
We can decompile the application file (apk) by using apktool. Figure 4 shows SecureApp.apk decompiled into the secure_app folder. Browsing through the folder (Figure 5), we note that there is a smali folder. The smali files are found in the test directory. Note that there are smali files beginning with the KeyPad and R prefixes. One can conclude that the application had two Java files – KeyPad.java and R.java.
Step 2: Make changes to application
Reading through the smali code for the KeyPad$1.smali file, one can conclude that SHA-256 is being used to hash the password the user inputs on the login screen of the application. This hash is then compared against a stored value and, if they are equal, the user is logged in to the application.
The hash is loaded into v8 and compared against v10 (line 51). If these values are the same, the user is logged in.
We can create a SHA-256 hash value and create an entry to put it in v8, thus changing the password to one of our choice and bypassing authentication. Figure 8 shows the original smali file created by apktool and Figure 9 shows the modified smali file with the following entry (SHA-256 hash of "1234" with a salt):
const-string v8, "2DD225ED6888BA62465CF4C54DB21FC17700925D0BD0774EE60B600B0172E916"
Note that there is usually a "salt" passed to the hash algorithm. For us to change the password successfully, we will need to either:
1. Change the "salt" value that the application is using to our preferred value
2. Or pass the salt along with our desired password to get a SHA-256 hash value and change the code within the application to use this new hash value
Either way we will need to identify where the "salt" value is stored. Let's look at the files in the 'res' directory (see Figure 10). There is a 'values' folder inside /res of the recently decompiled application directory. 'values' has three xml files – ids.xml, public.xml and strings.xml. Let's look at the contents of strings.xml (see Figure 11). We see the hash value as well as the salt value within this xml file.
This example also shows why it is important not to store sensitive information in strings.xml or other files, which can be decoded and read.
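The lesson of Step 2 is that anything in res/values/strings.xml is readable by whoever holds the apk, so a salted hash stored there protects nothing. The following Python script is an added example, not code from the book or from SecureApp: it parses a constructed strings.xml modelled on the one described above (resource names, the salt value and the salt+passcode concatenation order are assumptions; the hash constant is the one quoted in the text), flags resources that look like embedded credential material, and reconstructs the app's client-side check to show why the check can be satisfied by anyone who can rewrite the resource or the const-string.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample of a decompiled res/values/strings.xml, modelled on the
# situation the text describes. Resource names and the salt are assumptions;
# the 64-hex digest is the const-string quoted in the text.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">SecureApp</string>
    <string name="login_prompt">Enter passcode</string>
    <string name="salt">s3cr3t-salt</string>
    <string name="stored_hash">2DD225ED6888BA62465CF4C54DB21FC17700925D0BD0774EE60B600B0172E916</string>
</resources>
"""

# Resource names that suggest credential material was baked into the apk.
SUSPICIOUS_NAME = re.compile(r"(salt|hash|passw|secret|token|api_?key)", re.IGNORECASE)
# 64 hex characters is the shape of a SHA-256 digest.
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_strings_xml(xml_text):
    """Return {name: value} for every <string> element in a strings.xml body."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): (el.text or "") for el in root.iter("string")}


def find_embedded_secrets(strings):
    """Flag resources that look like secrets.

    Returns a sorted list of (name, reason) tuples so a pre-release check can
    fail the build whenever the list is non-empty.
    """
    findings = []
    for name, value in strings.items():
        if SHA256_HEX.match(value.strip()):
            findings.append((name, "value is a 64-hex digest"))
        elif SUSPICIOUS_NAME.search(name):
            findings.append((name, "resource name suggests a secret"))
    return sorted(findings)


def passcode_hash(salt, passcode):
    """Mirror of the check the text attributes to KeyPad$1.smali: SHA-256 over
    salt + passcode, rendered as upper-case hex like the smali const-string.
    The concatenation order used by SecureApp is an assumption."""
    return hashlib.sha256((salt + passcode).encode("utf-8")).hexdigest().upper()


def client_side_check(strings, passcode):
    """The app's login decision, reconstructed purely from resource values."""
    return passcode_hash(strings["salt"], passcode) == strings["stored_hash"].upper()


if __name__ == "__main__":
    res = parse_strings_xml(SAMPLE_STRINGS_XML)
    for name, reason in find_embedded_secrets(res):
        print(f"FLAG {name}: {reason}")
    # Salt and hash are both recoverable from the file, so the check accepts
    # whatever passcode the holder of the apk writes a digest for.
    res["stored_hash"] = passcode_hash(res["salt"], "1234")
    print("check accepts 1234:", client_side_check(res, "1234"))
```

Run against a real decompiled tree, `find_embedded_secrets` is the kind of check to wire into a release pipeline over every `values*/strings.xml`; a non-empty result means the authentication decision depends on data the app cannot keep private, and the comparison belongs on a server the user cannot patch.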
Step 3: Re-compile application
The modified smali code can be assembled back and packaged into an apk file through the following command: apktool b. The new apk needs to be signed before it can be installed on the device or emulator. The Signapk tool is freely available on the web for download. After installing the modified apk, the reader can use "1234" as the password string to use the application.