inside dvm basics
TRANSCRIPT
![Page 1: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/1.jpg)
Inside DVMBasics
Nick Bova@mykola_bova
Nov 14 2013
![Page 2: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/2.jpg)
Why Java is vulnerable?
1. For portability, Java code is partially compiled and then interpreted by the JVM.
2. Java’s compiled classes contain a lot of symbolic information for the JVM.
3. The JVM is a simple stack machine.4. Standard applications have no real protection
against decompilation.
![Page 3: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/3.jpg)
Why Android apps are vulnerable?
1. There are multiple easy ways to gain access to Android APKs.
2. It’s simple to translate an APK to a Java jar file for subsequent decompilation.
3. One-click decompilation is possible, using tools such as apktool.
4. APKs are shared on hacker forums.
![Page 4: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/4.jpg)
Legal Issues to Consider When Decompiling
Цель оправдывает средства?
![Page 5: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/5.jpg)
Legal Issues to Consider When Decompiling
1. Don’t decompile an APK, recompile it, and then pass it off as your own.
2. Don’t even think of trying to sell a recompiled APK to any third parties.
3. Try not to decompile an APK or application that comes with a license agreement that expressly forbids decompiling or reverse-engineering the code.
4. Don’t decompile an APK to remove any protection mechanisms and then recompile it for your own personal use..
![Page 6: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/6.jpg)
Protecting Yourself (Protection schemes)
Protection schemes in your code: Spreading protection schemes throughout your code (such as checking whether the phone is rooted) is useless because the schemes can be commented out of the decompiled code.
![Page 7: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/7.jpg)
Protecting Yourself (Obfuscation)
Obfuscation: Obfuscation replaces the method names and variable names in a class file with weird and wonderful names. This can be an excellent deterrent, but the source code is often still visible, depending on your choice of obfuscator.
![Page 8: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/8.jpg)
Protecting Yourself (Server-side code)
Server-side code: The safest protection for APKs is to hide all the interesting code on the web server and only use the APK as a thin front-end GUI. This has the downside that you may still need to hide an API key somewhere to gain access to the web server
![Page 9: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/9.jpg)
Protecting Yourself (Native code)
Native code: The Android Native Development Kit (NDK) allows you to hide password information in C++ files that can be disassembled but not decompiled and that still run on top of the DVM. Done correctly, this technique can add a significant layer of protection.
![Page 10: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/10.jpg)
Protecting Yourself (Encryption)
Encryption can also be used in conjunction with the NDK to provide an additional layer of protection from disassembly, or as a way of passing public and private key information to any backend web server.
![Page 11: Inside Dvm basics](https://reader036.vdocuments.mx/reader036/viewer/2022082702/55518088b4c90596028b480c/html5/thumbnails/11.jpg)
Protecting Yourself
What else?