Talking about Android Application protection (I): The basic method for reverse engineering of Android applications, and talking about android


There are many methods and ideas for reverse analysis and attacks against unprotected Android applications. With a few basic methods, an attacker can break confidentiality and integrity, the two properties that matter most to application security: obtain the internal code and data, modify the code logic and mechanisms, and so on. This article introduces some basic reverse-engineering and analysis methods to show how the code confidentiality and integrity of an Android application are broken and exploited by attackers.

I. Reversing Dalvik-layer source code

When analysing Dalvik-layer code (normally of unprotected applications), we only care about reverse analysis of classes.dex at the Dalvik layer.

classes.dex is the code that runs when the APK executes. It is compiled from the source code and runs on the Dalvik virtual machine. Dalvik is similar to the Java virtual machine, so a decompilation approach similar to that for Java class files can be used to decompile classes.dex into Java code. For unprotected applications, this method restores most of the code.

The code forms involved in the whole process are:

1. dex file: the executable file of the APK.

2. smali file: the code executed inside the Dalvik VM, in disassembled form.

3. jar files and java files: Java code converted from the dex file.

Tools used:

1. smali/baksmali: an assembler and disassembler between dex executable files and smali bytecode files. No information is lost in the conversion.

2. dex2jar: a tool that converts dex files into Java jar files. Because of the differences between the Dalvik virtual machine and the Java virtual machine, the conversion cannot be one-to-one, so information is lost and the resulting code may contain errors. (This is nevertheless a very useful step in reversing the whole source code.)

3. jd / jd-gui: a Java jar file decompiler.

4. ApkIDE: a Windows GUI platform that integrates the preceding tools.

The end result is Java source code. At this point the Dalvik-layer source code has been reversed, and further quasi-source-level analysis of the application can be performed.

II. Dalvik-layer code tampering

Code tampering at the Dalvik layer is mainly done in the smali files. Although decompiled Java code is easy to read, some information has been lost and it may contain errors, so it is essentially impossible to compile it back into an executable file. Dex binaries are not readable. Therefore code can only be modified in smali and repackaged into a new APK.

Tampering at the code layer allows the logical flow of an application to be modified, malicious code to be inserted, key security processes (registration, verification, payment) to be bypassed, and sensitive data to be printed. Code tampering and repackaging are typically used to crack the registration and verification mechanisms of software (the cracked registration of AD block, the cracked advertising VIP of hazhuo, the cracked paid themes of MIUI), to modify game rules (the cracked aircraft war game), and to monitor an application's sensitive API calls (APIMonitor, and interception of application behaviour through Android repackaging).

A well-known example of Dalvik-layer code tampering is APIMonitor.

APIMonitor works by decompiling the apk file, traversing the smali code, and searching for the APIs that its configuration file lists as to be monitored. When a call to such an API is found, its parameters are analysed and a call to a static function of the corresponding class in the droidbox package is inserted; these static functions parse the parameters and print the log output. After processing, the apk is recompiled.
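The search step described above, written as an added example rather than APIMonitor's own code: it walks baksmali-style smali text, tracks the enclosing class and method, and reports every invoke of an API on a monitored list, which is the information an analyst needs before instrumenting the call site. The sample smali and the `Lcom/example/app/Net;->upload` entry are constructed for the example.

```python
import re

# Constructed sample in the form baksmali emits; not taken from the article.
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 2
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const-string v0, "phone"
    invoke-virtual {p0, v0}, Landroid/app/Activity;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v0
    check-cast v0, Landroid/telephony/TelephonyManager;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v1
    invoke-static/range {v1 .. v1}, Lcom/example/app/Net;->upload(Ljava/lang/String;)V
    return-void
.end method
"""

# Monitored APIs as "Lclass;->name(" prefixes, the shape of an APIMonitor-style config list;
# Lcom/example/app/Net;->upload is a constructed entry standing in for an app's own sink.
MONITORED = (
    "Landroid/telephony/TelephonyManager;->getDeviceId(",
    "Landroid/telephony/SmsManager;->sendTextMessage(",
    "Lcom/example/app/Net;->upload(",
)

# .class/.method carry optional modifiers; the last token is the descriptor.
CLASS_RE = re.compile(r"^\.class(?:\s+[a-z-]+)*\s+(L\S+;)$")
METHOD_RE = re.compile(r"^\.method(?:\s+[a-z-]+)*\s+(\S+)$")
# invoke-* {regs}, Lclass;->name(args)ret  (also matches the /range forms)
INVOKE_RE = re.compile(r"^invoke-[a-z/]+\s+\{([^}]*)\},\s+(L\S+;->\S+)$")

def scan_smali(text, monitored=MONITORED):
    """Return (class, method, line_no, target, registers) for each invoke of a monitored API."""
    hits, cls, method = [], "?", "?"
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if m := CLASS_RE.match(s):
            cls = m.group(1)
        elif m := METHOD_RE.match(s):
            method = m.group(1)
        elif s == ".end method":
            method = "?"
        elif (m := INVOKE_RE.match(s)) and m.group(2).startswith(monitored):
            hits.append((cls, method, n, m.group(2), m.group(1)))
    return hits
```

The registers in each hit are the ones a logging call would be inserted on in the next step; the line number is where the `invoke` sits within the smali file.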


III. Hooking Dalvik-layer code

Smali code tampering requires repackaging, so the signature and file checksums of the new package differ from those of the original. An integrity-check module in the application can detect this and restrict further operation. To get around this, custom code can be injected into the application's process space to hook the code at run time and change the application's logic without modifying its code.

Frameworks that implement this are Xposed and Cydia Substrate. Xposed is widely used; for its principles, see the previous article "Xposed principles and implementation".

Two well-known Xposed applications:

1. ZjDroid: automatically removes most Android encryption shells (packers) by hooking the system's dex loading and dumping the dex files.

2. XPrivacy: monitors or blocks applications' privacy-related API calls by hooking most privacy functions.

Hooking of Dalvik-layer code will be detailed in the third article.

IV. Analysis of native .so files

Native .so files usually encapsulate sensitive functions. Unprotected .so files can be analysed statically and debugged dynamically by attaching with IDA. Analysis of .so files will be detailed in the fourth article.

V. The Talking about Android Application Protection series; previous article: Talking about Android Application Protection (zero): starting point and background

Author: Nachi @ Alibaba Mobile Security. For more security-related technical articles, see the Alibaba Cloud universal security blog.
