Getting Started with Android app Security (one)

<span id="Label3"></p><p><p>Recently began to touch Android client security-related technology, the previous testing of mobile clients focused on the data transfer level, and now began to learn software-based security testing. In fact, a lot of things and Windows platform software security is still somewhat similar.</p></p><p><p>App security test or crack, The basic idea is that the APK is anti-compilation, and then through the analysis of the Anti-compilation file (smali file or the jar File) to find the program breach, the program changes, complete the modification, re-packaged into the apk file and Signed. The following are the main steps of the common operating Procedures.</p></p><p><p>first, It is relatively straightforward to decompile the APK file. Because Android apps are developed based on java, Java is relatively easy to decompile. You can use Apktool to decompile the apk file into a smali file, such as:</p></p><p><p></p></p><p><p>But the Smali file is relatively not particularly intuitive, for people who do not have a good grasp of Smali grammar (such as me), directly look at the Smali file is not friendly. The second is to use Dex2-jar directly decompile to the jar file, and then can use Jd-gui to open into similar Java source code, of course, sometimes Jd-gui is not so, the source code Anti-compilation. But recently found a call Luyten software, features similar to jd-gui, some classes Jd-gui can not be compiled into Java source code, Lutyen could be decompile. Simple analysis of the pros and cons of Jd-gui and Luyten Back. overall, The combination of Smali files and Java source code can speed up the Analysis.</p></p><p><p>After the decompile is complete, there is now a Smali file and a jar file that can be deserialized into a similar source. Through the two types of file analysis program operating principle, the general main look at the jar file, after all, the approximate source code is more friendly, find the need to modify the place, and then go to the corresponding Smali file for Modification. But the actual use, found Jd-gui some places anti-compilation is not Luyten good. For example, an app that launches a method in the page adddustatistics, the two Software's anti-compilation results are as follows:</p></p><p><p>Jd-gui anti-compilation result: (coding. Avoiding leaks is what APP)</p></p><p><p></p></p><p><p>Luyten anti-compilation results:</p></p><p><p></p></p><p><p>The code for the function in the Smali file is as Follows:</p></p><p><p></p></p><p><p>Through the analysis of the Smali file can be seen, in fact, Jd-gui anti-compilation results are wrong, Luyten is Correct. For some time, the individual summed up the pros and cons of Jd-gui and Luyten:</p></p><p><p>1. In the anti-compilation effect, each has advantages and disadvantages, overall Luyten correctness to High.<br></p></p><p><p>2. Some class Jd-gui cannot be recompiled, and general Luyten can be decompile.<br></p></p><p><p>3.jd-gui easy to operate, the main is to directly click on the underlined class, jump to the Class's anti-compilation File. This is still very convenient, Luyten does not have this function, so you have to find it yourself, and in a bunch of classes, a person is not necessarily so easy to find this class.<br></p></p><p><p>4.jd-gui a little bit, You can list all the properties and methods of the class by using the middle Key. It's easy to traverse the class and jump to the method you want to See.</p></p><p style="text-align:center"><p style="text-align:center"></p></p><p><p>overall, Luyten in the anti-compilation aspect is still strong, but the ease of use is not as good as Jd-gui. So they are generally used in combination, the effect is Good.</p></p><p><p>As for the specific analysis process, each app may be different. In general, the first step is to look at the Androidmanifest.xml file after the anti-compilation, you can learn a lot of Information. The main thing is to find the first activity that starts when the software runs, so you know where to Start. For example, Android:name is the first activity to start running (code: ）。 The activity is then Analyzed. Of course, generally first glance at the overall package structure, class, etc., in the case of no confusion, the meaning of the package name and the class name is very easy to understand, and can give a lot of valuable information.<br></p></p><p><p></p></p><p><p>As for how to locate critical code, six methods are mentioned in "android software security and reverse Analysis":</p></p><p><p>1. Information Feedback Method. Most software will have some normal or wrong information prompt string, through the res public.xml and String.xml get the corresponding id, these ID values will be referenced in the program, find the reference place, you can push or reverse, to find the key Code.<br></p></p><p><p>2. Characteristic function Feedback Method. Similar to the first method, through a number of specific SDK to find, because the general information is the pop-up window display, through the positioning of the Bullet box SDK to Find.<br></p></p><p><p>3. Sequential check of Views. That is, from the first activity above, according to the process of analysis of the procedure .... This method should be good, but it is too time consuming, and the complete analysis of the running flow of the app is not needed in most cases.<br></p></p><p><p>4. Code Injection METHOD. Mainly by modifying the APK code, adding the log output, and then using Logcat to capture the output Information. such as capturing the registration code and other Information. It's not working at the moment, but it's similar to the Windows platform ...<br></p></p><p><p>5. Stack Tracking Method. Dynamic debugging method, Similar to the above, output stack Information.<br></p></p><p><p>6.method Profiling. is also a means of dynamic debugging, which is said to be more powerful than stack tracking,,, not used<br></p></p><p><p>In fact, how to analyze the app, everyone may have their own play. And sometimes it takes a bit of luck ....</p></p><p><p>After the analysis of the app, locate the code that needs to be modified, directly to the Smali file to modify it, after the modification, you can re-package directly with apktool, to generate the APK file. This step also has a lot of pits, sometimes packaging will be a variety of error, resulting in the re-packaging Unsuccessful.<br></p></p><p><p>An error has been encountered as Follows:<br></p></p><p><p></p></p><p><p>The PNG file in the resource file is not in PNG format ... It was strange at first, why the format was Wrong. Use file to test a bit</p></p><p><p></p></p><p><p>The result shows the PNG file, the real format is jpeg, and then the PNG suffix is changed to jpg. Some people say that this is a means of protection, have not done app development, not clear as a means of protection or because of the development of other Causes. If you do not modify the resource file, you can avoid this problem by using the-r parameter directly at the time of the decompile, without recompiling the resource File.</p></p><p><p>After the repackaging is complete, it is signed. In theory, unless you get a formal release certificate for this app, it's usually signed with a test certificate, so the signed app is definitely not the same as the release Version. If the app does a signature check, its own modified app will certainly not Work. Signature Check Module A comparison to the signature Discovery app has been modified, will error automatically quit Running. This is also an app hardening Method.<br></p></p><p><p>usually, If the app does not strengthen, the above set down, you can achieve their desired function, such as crack registration, remove ads, etc... But most apps are now more or less fortified. Some of the major reinforcement methods that are now known Are:<br></p></p><p><p>1. Obfuscation Techniques. The simplest, the most used reinforcement method, the effect can also, at least can increase the difficulty of writing Analysis. At present, mainly Proguard<br></p></p><p><p>2. Signature Comparison. The above also said, do a signature comparison, unless you can get a formal certificate, otherwise the test certificate is too Much. Signature comparison module If it is implemented through the Java program,, in fact, It is also easy to crack. And some people have shared some way around the Idea. Do not use Java to do the signature module, you can work with the NDK<br></p></p><p><p>3.NDK Technology. Some of the important core modules can be written into so libraries using C/C + + and then called using Jni. In contrast, C + + cracking is a bit more difficult ... however, Some people say that it is familiar with arm decompile. I like to look directly at arm Decompile. Can only say to increase the Difficulty. The master is still hard to block.<br></p></p><p><p>4. shell-adding Technology. Like various packers on windows, switch to Android Platform. There are many packers and so on ...<br></p></p><p><p>5. Other Technologies ..... There are a lot of it, not known, or not very mainstream.<br></p></p><p><p><br></p></p><p><p>Getting Started with Android app Security (one)</p></p></span>