Preface
Security data show that in 2014, 319 million Android users were infected with malicious programs, an average of 875,000 infections per day. At the same time, incidents of Android applications being cracked and pirated keep emerging. Clearly the Android platform has become a target for malicious programs and attackers, and more and more Android developers are beginning to realize the importance of application security.
First, what is the "packaging party"?
They target the hottest or newly released apps: first they crack them, then they re-wrap them into new apps, inserting Trojan horses, inserting ads, or tampering with payment links. This process is called repackaging (secondary packaging). What is worse, a professional "packaging party" earns more than a million a month; for genuine developers this is the most naked attack and provocation.
What a waste: an inch of code, an inch of blood; time is money, and it is all in vain!
Second, what does the "packaging party" generally do?
Trojan horses and malicious charges. The "packaging party" profiteers in many ways, for example by planting a Trojan horse program in the app, so that after users download it they gain from malicious charges, stealing user accounts and passwords, and so on. To deceive users and save costs, the repackaged app is basically indistinguishable from the genuine one; the user does not know the difference, and once an economic loss occurs, the developer ends up taking the blame and the brand image of the genuine app is damaged.
Embedding ads to earn ad fees. When a team has worked hard to develop an app and it reaches hundreds of thousands or millions of users, it may already have become the hunting target of the "packaging party". They earn ad revenue by placing or replacing ads in the repackaged version, with different billing formats such as impressions, clicks, and install activations. Take impressions as an example: to gain more, the repackaged app pushes frequent ad reminders to users, harassing them and making the experience very poor. The "packaging party" does not care; they only care about making as much money as possible.
One can imagine it: on one side the team is desperately developing and promoting, on the other side the "packaging party" sits back and reaps the benefit without effort. The more popular the app, the more it earns for the "packaging party", and the app is reduced entirely to a money-making tool for them.
Directly capturing the developer's money. Besides games and software apps, as mobile payment applications heat up, the "packaging party" is also targeting payment apps. They crack the original app and then modify the app's payment link parameters, so that the money the user pays goes directly into the "packaging party's" pocket and the developer's income is cut off completely.
A whole year of hard work, and overnight you are back where you started!
Third, Android APK file structure
AndroidManifest.xml: the Android master configuration file, converted from text format to the binary AXML format during compilation.
classes.dex: the bytecode file generated after the Java code is compiled.
res: resource files; the .xml files in it are converted from text format to the binary AXML format during compilation.
META-INF: signature files.
lib: native code, the .so files produced by compilation.
Other folders: files added by the developer themselves.
The core logic of an Android APK is mainly in classes.dex. When a cracker cracks and repackages an app, they operate on the classes.dex and AndroidManifest.xml files, so protecting these two files is particularly important.
Fourth, the four steps of repackaging an APK
1. Decompile
Decompile the Java: classes.dex is deserialized into an intermediate file (Smali, jar).
Decompile the layout files: the AXML files are deserialized into XML files.
2. Modify
Modify the Smali files.
Modify the XML files.
3. Recompile
The modified Smali is compiled into classes.dex.
The modified XML is compiled into AXML.
4. Re-sign
A knockoff version of the app is born!
Android app anti-cracking evolutionary history
Primitive society period -- code obfuscation
The earliest application protection was code obfuscation; the SDK officially released by Google contains the obfuscation tool ProGuard. The obfuscator renames the classes and variables of the code you write in Java into a format of its own, which makes the cracker's reading harder. But code obfuscation merely changes class names and variable names; as long as the cracker can find the Dex, decompile it to Smali or Java, and spend some time, it is easily cracked. If cracking an APK takes 22 days without the obfuscation tool, with this tool the cracker may need 4 days; all it does is raise the time cost.
Slave society period -- self-verification
After a long period of obfuscation, developers found their applications still being cracked as usual. So a new protection came up: self-verification.
Simply put, self-verification means the application adds some integrity checks of itself, which can be done using the signature, or by computing the MD5 of the application's own Dex, and so on. Some developers put the check directly in the Dex, while others request the checksum from the server over HTTP. With this verification, the application refuses to run when it has been repackaged.
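As an added illustration of the self-verification idea (this is example code written for this page, not code from the article or any hardening product), the block below verifies the integrity fields that a classes.dex carries in its own header (the adler32 checksum over everything after the checksum field and the SHA-1 signature over everything after the signature) and then compares the MD5 of the whole Dex against an expected value, the kind a developer would embed or fetch from a server. The `build_sample_dex` helper constructs a minimal header-only Dex for the demonstration; it is not a loadable Dex, only enough to carry the header fields the check reads.

```python
import hashlib
import hmac
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"      # magic for dex format version 035
DEX_HEADER_SIZE = 0x70         # fixed header length
ENDIAN_CONSTANT = 0x12345678   # little-endian marker stored at offset 40


def build_sample_dex(payload: bytes) -> bytes:
    """Construct a minimal dex image: a 0x70-byte header followed by `payload`.

    Constructed stand-in for classes.dex: all index tables are declared empty and
    `payload` plays the role of the data section. Not loadable by the runtime.
    """
    file_size = DEX_HEADER_SIZE + len(payload)
    # Fields after the signature: file_size, header_size, endian_tag, link_size,
    # link_off, map_off, six (size, off) pairs for the id tables, data_size, data_off.
    tail = struct.pack(
        "<IIIIII" + "II" * 6 + "II",
        file_size, DEX_HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0,
        *([0] * 12),
        len(payload), DEX_HEADER_SIZE,
    )
    body = tail + payload                                    # bytes [32:] of the file
    signature = hashlib.sha1(body).digest()                  # SHA-1 over bytes [32:]
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF   # adler32 over bytes [12:]
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def verify_dex(data: bytes) -> list:
    """Return a list of integrity problems found in a dex image (empty list = intact)."""
    problems = []
    if len(data) < DEX_HEADER_SIZE:
        return ["file shorter than the dex header"]
    if data[:8] != DEX_MAGIC:
        problems.append("bad magic %r" % data[:8])
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if file_size != len(data):
        problems.append("file_size %d != actual length %d" % (file_size, len(data)))
    if header_size != DEX_HEADER_SIZE:
        problems.append("header_size %#x != %#x" % (header_size, DEX_HEADER_SIZE))
    if endian_tag != ENDIAN_CONSTANT:
        problems.append("endian_tag %#x not supported" % endian_tag)
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        problems.append("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        problems.append("SHA-1 signature mismatch")
    return problems


def dex_fingerprint(data: bytes) -> str:
    """MD5 of the whole dex: the value a developer would embed or fetch from a server."""
    return hashlib.md5(data).hexdigest()


def self_check(data: bytes, expected_md5: str) -> bool:
    """App-side check: header fields must be consistent and the MD5 must match."""
    if verify_dex(data):
        return False
    return hmac.compare_digest(dex_fingerprint(data), expected_md5)


if __name__ == "__main__":
    dex = build_sample_dex(b"constructed data section")
    expected = dex_fingerprint(dex)
    print("intact:", verify_dex(dex), self_check(dex, expected))
    tampered = bytearray(dex)
    tampered[-1] ^= 0x01                      # one-byte change, as a repackager would make
    tampered = bytes(tampered)
    print("tampered:", verify_dex(tampered), self_check(tampered, expected))
```

A single flipped byte in the data section invalidates both header fields, so a repackager must recompute them, which is exactly why a check against an externally stored MD5 adds value over the header alone. The check is only as strong as the code that performs it: it is executed by the very Dex being verified, which is the weakness the next paragraphs describe.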
What is the disadvantage of this method? Here is an interesting example. At a bend on a cliff there is a signpost that correctly indicates the direction. But if someone deliberately sabotages it and turns the signpost around, the driver is misled, follows the wrong direction, and tragedy follows.
The point of this example is that the computer executes instructions according to the pre-defined logic written by the developer, but if the cracker changes the developer's verification point, the computer executes the new logic instead. This makes it a very risky protection measure, and so it gradually declined.
Feudal society period -- Dex file deformation
After the previous two periods, developers gradually improved their protection skills. Many Java-born developers, after countless days and nights of effort, became C and C++ experts. More and more logic was written in the C layer, all the checks were moved to the C layer, and obfuscation was still in use. At the same time, developers began to deform the Dex file and the AndroidManifest file, which has the advantage of keeping the application working properly while making some decompilation tools such as Apktool crash during decompilation. However, deforming the Dex file and the manifest file also has its weaknesses. A deformed Dex can basically still be run through baksmali to obtain Smali, so the cracker can continue the analysis. And the manifest file format has a clear official specification; the cracker parses according to the specification, scrutinizes any incorrect bytes they encounter, and can finally restore it.
Capitalist period
This was a period of rapid development of the mobile Internet, but piracy and repackaging problems became increasingly prominent. In this open period, to meet developers' urgent need to protect their applications, a number of third-party products for hardening Android apps appeared. Their basic practice is usually as follows:
1. Dex protection
(1) Hiding the Dex file
Since the Dex file contains the core logic, is it possible to protect it by hiding it and loading it some other way? This became the way some third-party hardening products protect applications. They convert the Dex into another file by encrypting it, or even compressing it (in the early days there was no compression, just pure encryption). The Dex in the hardened APK is the one the third-party hardening product uses to start and load the hidden Dex; it is the entry point, which is the shell.
(2) Deforming the Dex file
The deformation described here is different from the one mentioned in the feudal period. This approach does not hide the Dex but leaves it exposed; when the cracker analyzes it, however, they find that the contents of the Dex are incomplete.
(3) Deforming the Dex structure
Some third-party hardening products began to try this approach. Their protection scheme may extract parts of the DexCode, then add NOP bytecode instructions, or even extract the ClassDataItem and the DexCode, or process all three parts mentioned above. After extraction there is also correction and repair work to do; in short, it is very troublesome. Because the Dex runtime performs many checks on the Dex, even when validation passes there are some offset problems.
Why can the Dex still run after it has been extracted and modified? Because the Dex in memory is fixed up before or during the run. The fix-up is also complicated; the general choice is to make the corrections before running, which saves a lot of work, and it may even require hooks to help.
2. So protection
(1) Modifying the ELF header and section table
We know that a .so is actually an ELF file, and the ELF file has its own format. Some third-party hardening protects .so files by slightly modifying the ELF header or section table information, as this does not affect the program's normal operation. Figures 3 and 4 show an ELF file whose section header table information in the file header has been modified, then opened with 010 Editor, which displays an error interface:
Figure 3
Figure 4
Then we opened the ELF file with IDA and found that the file could not be opened at all (it hangs there), as shown in Figure 5 and Figure 6:
Figure 5
Figure 6
Second, there is modification of the Program Header table. In this protection, shown in Figure 7, the PT_NOTE segment has been changed: some invalid numbers are filled into the segment's attribute values, which makes the reverse-engineering tool unable to parse it. Since the system does not analyze the PT_NOTE segment, this defeats the reverse tool while ensuring that the file is still loaded properly by the system.
Figure 7
(2) Choosing an open-source shell tool
The most commonly used is the UPX shell, since it supports hardening ELF files for the ARM architecture. After shelling, some processing has been done to the original file, which adds some difficulty to the cracker's analysis.
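The ELF header, section-header-table and program-header modifications described above all share one property: the loader only needs the program headers, so an image can carry an inconsistent section table or a bogus PT_NOTE entry and still run, while tools that trust every field choke. The block below is an added example (written for this page, not code from the article or from any hardening product) of the consistency checks a triage tool or a defender's scanner would apply before handing a .so to a disassembler: it reads the header and both tables and reports any range that falls outside the file. It handles ELF64 little-endian only; `build_sample_elf` constructs a tiny AArch64 image for the demonstration (e_machine 183), and its keyword arguments simulate the two kinds of tampering the article shows.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes
SHDR_FMT = "<IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes
PT_LOAD, PT_NOTE = 1, 4
SHT_NOBITS = 8


def check_elf(data: bytes) -> list:
    """Return header/table inconsistencies found in an ELF64 LE image (empty = clean)."""
    findings = []
    n = len(data)
    if n < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC:
        return ["not an ELF file or truncated header"]
    if data[4] != 2 or data[5] != 1:
        return ["not ELF64 little-endian (EI_CLASS=%d, EI_DATA=%d)" % (data[4], data[5])]
    (_, _, _, _, _, e_phoff, e_shoff, _, e_ehsize, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data)
    if e_ehsize != struct.calcsize(EHDR_FMT):
        findings.append("e_ehsize %d != 64" % e_ehsize)
    # Program headers: this is what the loader uses, so every range must be real.
    if e_phnum and e_phentsize != struct.calcsize(PHDR_FMT):
        findings.append("e_phentsize %d != 56" % e_phentsize)
    elif e_phoff + e_phnum * e_phentsize > n:
        findings.append("program header table runs past end of file")
    else:
        for i in range(e_phnum):
            p_type, _, p_offset, _, _, p_filesz, p_memsz, _ = struct.unpack_from(
                PHDR_FMT, data, e_phoff + i * e_phentsize)
            if p_offset + p_filesz > n:
                findings.append("phdr[%d] type %d: file range [%#x, %#x) exceeds file size %#x"
                                % (i, p_type, p_offset, p_offset + p_filesz, n))
            if p_filesz > p_memsz:
                findings.append("phdr[%d] type %d: p_filesz > p_memsz" % (i, p_type))
    # Section headers: the loader ignores them, so damage here only hurts tools.
    if e_shnum:
        if e_shentsize != struct.calcsize(SHDR_FMT):
            findings.append("e_shentsize %d != 64" % e_shentsize)
        elif e_shoff + e_shnum * e_shentsize > n:
            findings.append("section header table at %#x (%d entries) runs past end of file"
                            % (e_shoff, e_shnum))
        else:
            if e_shstrndx >= e_shnum:
                findings.append("e_shstrndx %d out of range" % e_shstrndx)
            for i in range(e_shnum):
                _, sh_type, _, _, sh_offset, sh_size, _, _, _, _ = struct.unpack_from(
                    SHDR_FMT, data, e_shoff + i * e_shentsize)
                if sh_type != SHT_NOBITS and sh_offset + sh_size > n:
                    findings.append("shdr[%d]: [%#x, %#x) exceeds file size"
                                    % (i, sh_offset, sh_offset + sh_size))
    return findings


def build_sample_elf(shoff=None, note_offset=None, note_filesz=None) -> bytes:
    """Construct a tiny ELF64 AArch64 image: one PT_LOAD, one PT_NOTE, two section headers.

    Constructed for the demo only; it carries no code. The keyword arguments overwrite
    the matching field so that tampering can be simulated.
    """
    ehdr_size, phdr_size, shdr_size = 64, 56, 64
    phoff = ehdr_size
    data_off = phoff + 2 * phdr_size            # 176: where the fake .text/.note bytes sit
    data = b"\x00" * 32
    real_shoff = data_off + len(data)           # 208
    file_size = real_shoff + 2 * shdr_size      # 336
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9   # ELF64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 3, 183, 1, 0, phoff,
                       real_shoff if shoff is None else shoff, 0,
                       ehdr_size, phdr_size, 2, shdr_size, 2, 0)
    load = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, 0, 0, file_size, file_size, 0x1000)
    note = struct.pack(PHDR_FMT, PT_NOTE, 4,
                       data_off if note_offset is None else note_offset,
                       data_off, data_off,
                       16 if note_filesz is None else note_filesz, 16, 4)
    shdrs = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += struct.pack(SHDR_FMT, 1, 1, 6, 0, data_off, len(data), 0, 0, 4, 0)
    return ehdr + load + note + data + shdrs


if __name__ == "__main__":
    print("clean:", check_elf(build_sample_elf()))
    print("bad e_shoff:", check_elf(build_sample_elf(shoff=0x7FFFFFFF)))
    print("bad PT_NOTE:", check_elf(build_sample_elf(note_filesz=0xFFFFFFFF)))
```

The clean image produces no findings; pointing e_shoff past the end of the file reproduces the section-table trick, and filling PT_NOTE's p_filesz with garbage reproduces the program-header trick. Both are reported while the PT_LOAD segment, the only thing the loader needs, stays consistent, which is why the system still runs such a file.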
(3) Preventing the process from being debugged, or increasing the difficulty of debugging
Sometimes static analysis is very limited, and this is when the benefit of dynamic analysis shows. But the core of dynamic analysis is debugging, and to debug a process one must first ptrace it; if the process can effectively be prevented from being ptraced, dynamic debugging can effectively be prevented. Of course, there are other anti-debugging techniques and other ways of increasing the difficulty of debugging.
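One of the simplest signals that a process is being ptraced is the TracerPid field the kernel exposes in /proc/<pid>/status. The block below is an added example (written for this page, not the article's or any product's code) of that check: a parser for the status text, exercised on constructed sample lines, and a wrapper that reads the live file. The Python is for illustration; in an app this check would sit in the native layer, as the article describes, and be repeated periodically rather than run once at start-up.

```python
# Constructed sample of /proc/<pid>/status text, in the format the check parses.
SAMPLE_STATUS_UNTRACED = (
    "Name:\tapp_process64\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t4242\n"
    "Pid:\t4242\n"
    "PPid:\t1\n"
    "TracerPid:\t0\n"
    "Uid:\t10087\t10087\t10087\t10087\n"
)
# Same process with a debugger (constructed pid 5151) attached.
SAMPLE_STATUS_TRACED = SAMPLE_STATUS_UNTRACED.replace("TracerPid:\t0", "TracerPid:\t5151")


def tracer_pid(status_text: str) -> int:
    """Parse the TracerPid field out of /proc/<pid>/status text.

    Returns the pid of the tracing process, or 0 when no tracer is attached.
    A missing or malformed field is treated as 0 rather than raising, so an
    unexpected procfs layout does not crash the protected app.
    """
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            value = line.split(":", 1)[1].strip()
            return int(value) if value.isdigit() else 0
    return 0


def is_being_traced(pid: str = "self") -> bool:
    """Read /proc/<pid>/status and report whether a tracer (debugger) is attached."""
    try:
        with open("/proc/%s/status" % pid) as fh:
            return tracer_pid(fh.read()) != 0
    except OSError:
        return False   # no Linux procfs here: nothing to report


if __name__ == "__main__":
    print("sample untraced ->", tracer_pid(SAMPLE_STATUS_UNTRACED))
    print("sample traced   ->", tracer_pid(SAMPLE_STATUS_TRACED))
    print("this process traced:", is_being_traced())
```

The value is only a signal: a debugger that has already attached can patch the comparison out or rewrite the field's consumer, which is the same limitation the article gives for self-verification in the Dex layer.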
Socialist period
In this period, the development and popularization of technology made it possible for everyone to be a developer, and cracking techniques and means keep changing. A single application protection can no longer effectively deal with the cracker's attacks, so it is necessary to harden the application in multiple dimensions and depths.
Among the protections mentioned in the capitalist period above, many problems were left behind, such as:
1. Problems left behind by hiding the Dex
First, the Dex is hidden as a whole, and once the cracker obtains the Dex, half the job is done. If the principle of the shell is cracked, an unpacking machine can easily be made. There is also the custom ROM method, the simplest one: it only needs some code added at the relevant points, then compiling your own ROM, and the unpacking succeeds in the virtual machine. And there is injection into the target process based on the inject principle, with code hooking system functions, to achieve unpacking.
2. Disadvantages of Dex structural deformation
With the launch of Android 5.0, ART came into view. ART can compile the Dex directly into native instructions to run.
But what happens when that compilation requires the complete Dex? Perhaps some third-party hardening products simply choose not to compile at all. Developers and users do not notice, of course, because the program appears to run correctly, but the speed advantage of running in ART mode is never realized.
So the problem with Dex structural deformation is obvious, namely compatibility and the compilation problem in ART mode.
3. Legacy issues of simple ELF modification
The trick of modifying the ELF header and section header table information is easy to detect and repair, so it can only stop beginner crackers.
4. Disadvantages of UPX
While UPX is the first choice of most .so packers, the UPX code is complex and hard to customize, especially when multiple architectures must be supported at the same time.
Android application security: vulnerability status and the evolution of security protection