inside dvm basics
TRANSCRIPT
Inside DVMBasics
Nick Bova@mykola_bova
Nov 14 2013
Why Java is vulnerable?
1. For portability, Java code is partially compiled and then interpreted by the JVM.
2. Java’s compiled classes contain a lot of symbolic information for the JVM.
3. The JVM is a simple stack machine.4. Standard applications have no real protection
against decompilation.
Why Android apps are vulnerable?
1. There are multiple easy ways to gain access to Android APKs.
2. It’s simple to translate an APK to a Java jar file for subsequent decompilation.
3. One-click decompilation is possible, using tools such as apktool.
4. APKs are shared on hacker forums.
Legal Issues to Consider When Decompiling
Цель оправдывает средства?
Legal Issues to Consider When Decompiling
1. Don’t decompile an APK, recompile it, and then pass it off as your own.
2. Don’t even think of trying to sell a recompiled APK to any third parties.
3. Try not to decompile an APK or application that comes with a license agreement that expressly forbids decompiling or reverse-engineering the code.
4. Don’t decompile an APK to remove any protection mechanisms and then recompile it for your own personal use..
Protecting Yourself (Protection schemes)
Protection schemes in your code: Spreading protection schemes throughout your code (such as checking whether the phone is rooted) is useless because the schemes can be commented out of the decompiled code.
Protecting Yourself (Obfuscation)
Obfuscation: Obfuscation replaces the method names and variable names in a class file with weird and wonderful names. This can be an excellent deterrent, but the source code is often still visible, depending on your choice of obfuscator.
Protecting Yourself (Server-side code)
Server-side code: The safest protection for APKs is to hide all the interesting code on the web server and only use the APK as a thin front-end GUI. This has the downside that you may still need to hide an API key somewhere to gain access to the web server
Protecting Yourself (Native code)
Native code: The Android Native Development Kit (NDK) allows you to hide password information in C++ files that can be disassembled but not decompiled and that still run on top of the DVM. Done correctly, this technique can add a significant layer of protection.
Protecting Yourself (Encryption)
Encryption can also be used in conjunction with the NDK to provide an additional layer of protection from disassembly, or as a way of passing public and private key information to any backend web server.
Protecting Yourself
What else?