paper.rverse.engineers.mobile.apps.meyers source meet

Upload: opsgg0481

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 Paper.rverse.engineers.mobile.apps.Meyers SOURCE MEET

    1/80

    Reverse Engineering Mobile Malware

    ADAM MEYERS

    2/80

    Introduction

    Disclaimer

    Types of Mobile Devices

    Platform Models

    ARM Primer

    Malware on Mobile

    Static Analysis

    Dynamic Analysis

    Conclusion

    Q&A

    3/80

    Who are you, and what are you doing here?

    CrowdStrike

    Stealth mode startup

    Hand-picked A-team of technical talent

    26 Million Venture Funding

    You don't have a malware problem, you have an adversary problem

    Adam: Director of Intelligence

    10 years at SRA International - Defense Contractor

    Security Consultant/Penetration Test Team/Forensic Technician/Security Architect

    Reverse Code Analysis

    4/80

    Goal

    Learn about ARM/RISC processors, assembly, nuances versus x86

    Learn about different mobile operating system architectures

    Learn approaches for static and dynamic reverse engineering

    Have fun!

    5/80

    Hacker Fail

    Fall 2008 a promise is made

    Meet JK Benites

    This genius left his name (unobfuscated) in the malware he wrote to steal banking credentials and ended up at a certain US Government Agency

    "i'm JK Benites. I like the music, i love the rock N metal, i'm a person that like stranges things, like adredaline, be good with friends, make new things... i play the guitar, my guitar is my life, with she i can show that i feel. i like the Pcs, too.... Visit my profil in Hi5: http://jkprotection.hi5.com City: Piura Hometown: Piura"


    6/80

    Compliance

    Angry Birds

    lulz

    APT

    Cyberwar

    Kill Chain DFIR


    8/80

    Disclaimer

    Standard legal mumbo-jumbo.

    You have the right to remain silent. Anything you say or do can and will be used against you in a court of law. You have the right to an attorney. If you cannot afford an attorney, one will be appointed to you.

    Prohibition on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    (2) Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains

    (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

    (B) information from any department or agency of the United States; or

    (C) information from any protected computer;

    I pledge allegiance to the flag of the United States of America, and to the republic for which it stands, one nation under God, indivisible, with liberty and justice for all

    Energy can be transformed (changed from one form to another), but cannot be created or destroyed.



    10/80

    Why mobile is important

    Increase 3Q11 from 3Q10 = 34,000,000

    11/80

    Different Flavors

    IOS (iPhone/iPad/AppleTV)

    Android (Multiple Types)

    Symbian

    Windows Mobile

    Blackberry

    (Q2 2011 market chart not reproduced)

    12/80

    Different Platforms

    Same OS

    13/80

    Similar Platforms

    Different OS


    15/80

    About

    Platform Architecture is a high level overview of the way a complex system is implemented

    Understanding mobile system architecture is important to understanding how to Reverse Engineer on that platform


    16/80

    Android Architecture


    17/80

    IOS Architecture

    18/80

    IOS Frameworks

    Cocoa UI Framework: Address Book UI, Eventkit UI, Gamekit, iAd, MapKit, Message UI, UIKit

    Media Frameworks: Assets Library, AV Foundation, Core Audio, Core Graphics, Core MIDI, Core Text, Core Video, Image I/O, Media Player, OpenAL, OpenGL, Quartz Core

    Core Services Frameworks: Address Book, CFNetwork, Core Data, Core Foundation, Core Location, Core Media, Core Telephony, Event Kit, Foundation, Mobile Core, Quick Look, Store Kit, SysConf

    Core OS Layer: Accelerate, External Accessory, Security, System

    19/80

    IOS Layer

    Cocoa Touch: Multitasking, Printing, Data Protection, Push Notification, Local Notification, File Sharing, P2P, View Controller, External Display

    Media Layer: Graphics Technologies, Audio Technologies, AirPlay, Video Technologies

    Core Services Layer: Block Objects, Grand Central Dispatch, In-App Purchase, SQLite, XML Support

    Core OS Layer: Accelerate, External Accessory, Security, System


    20/80

    Windows Mobile


    21/80

    Windows Mobile


    22/80

    Symbian

    23/80

    Blackberry

    Blackberry classes (net.rim.device.api.system): Application Interfaces, Hardware Interfaces (SMS, Radio, etc), Events, etc

    Java classes: Error Handling, Memory, JVM, MIDP, CLDC, etc

    24/80

    If you really need a pic

    (diagram) net.rim.device.api.system: Application, Hardware Interfaces, Security, System

    Java J2E: MIDP, CLDC, Garbage Handler, Memory Manager, Error Handling


    26/80

    What is ARM

    Most mobile and embedded devices run on a CPU architecture called ARM

    Advanced RISC Machine (ARM) (a/k/a Acorn RISC Machine)

    Reduced Instruction Set Computer

    RISC emerged in the 1970s; the concept was that simpler CPU instructions would increase performance

    Made possible by higher-level (than assembly) languages

    First chips emerged 1987

    ARM Processor Families

    ARM7/ARM9/ARM11/ARM Cortex

    Differ from ARM Architecture (e.g. ARMv7 == Cortex)

    27/80

    ARM versus x86

    Reduced Instruction Set

    More instructions per complex operation as compared to x86 assembly

    Fixed Width Instructions

    x86 can have variable length instructions

    ARM has fixed 32 bit instructions*

    Memory Alignment

    ARM/RISC requires aligned memory (impacts on exploit dev)

    Aligned memory requires padding

    Conditional Execution

    Top 4 bits of each instruction contain a condition code**

    EQ  Equal
    NE  Not Equal
    CS  Carry Set
    HS  Unsigned High
    CC  Carry Clear
    LO  Unsigned Lower
    MI  Minus or Negative Result
    PL  Positive or Zero Result
    VS  Overflow
    VC  No Overflow
    HI  Unsigned Higher
    LS  Unsigned Lower
    GE  Signed Greater or Equal
    LT  Signed Less Than
    GT  Signed Greater Than
    LE  Signed Less Than or Equal
    AL  Always

    28/80

    Thumb-State

    Thumb state is designed to optimize code density by allowing the processor to enter a state that uses fixed instructions of 16 bit size

    Thumb == 16bit mode

    Several different implementations of Thumb modes exist depending on processor

    Thumb

    Thumb2 (additional features/instructions)

    32bit unconditional instructions

    ThumbEE: Jazelle Runtime Compilation Target (RCT)

    Jazelle

    Direct Bytecode eXecution (DBX) feature supporting Java byte code execution

    Initiated using the Branch and eXchange to Java (BXJ) instruction

    Thumb mode 16 bit equivalent instructions are defined when applicable

    29/80

    ARM Registers

    ARM has 16 general purpose registers

    Named R0 - R15

    R0 - Argument1/Return Value/Temporary Register

    R1 - Argument2/second 32 bits of return value (optional)/Temporary Register

    R2/R3 - Arguments/Temporary Registers

    R4-R10 Permanent Registers

    R11 ARM Frame Pointer/Permanent Register

    R12 Temporary Register

    R13 Stack Pointer/Permanent Register

    R14 Link Register/Permanent Register (Return Address stored here)

    R15 Program Counter

    CPSR Current Program Status Register

    Upper four bits contain conditional flags: Negative, Zero, Carry, oVerflow

    Additional control codes in lower 8 eg: Thumb Instruction Set, Operating Mode Etc

    SPSR Saved Program Status Register (Exception modes)

    30/80

    CPSR

    Bit(s)   Field    Meaning
    31       N        Negative          }
    30       Z        Zero              } Conditional Flags
    29       C        Carry             }
    28       V        oVerflow          }
    7        I        } Interrupt Table
    6        F        }
    5        T        Thumb Mode
    4-0      M4-M0    Operating Mode

    31/80

    Operating Modes

    User: This mode is used to run the application code. Once in user mode the CPSR cannot be written to and modes can only be changed when an exception is generated.

    FIQ: (Fast Interrupt reQuest) This supports high speed interrupt handling. Generally it is used for a single critical interrupt source in a system

    IRQ: (Interrupt ReQuest) This supports all other interrupt sources in a system

    Supervisor: A protected mode for running system level code to access hardware or run OS calls.

    Abort: If an instruction or data is fetched from an invalid memory region, an abort exception will be generated

    Undefined Instruction: If a FETCHED opcode is not an ARM instruction, an undefined instruction exception will be generated.

    32/80

    Exception Modes

    Exceptions occur for three possible reasons

    Executing an instruction (e.g.: bad instruction)

    Side effect of executing an instruction (e.g.: fetching from invalid memory)

    Exception unrelated to execution (e.g.: interrupt)

    Exception Flow

    Switch processor to privileged mode

    PC+4 -> LR

    SPSR == CPSR

    Interrupts disabled

    PC == Exception Vector Address

    Vector address derived from exception vector table

    33/80

    A Rx by any other name

    R15 == PC (Program Counter)

    R14 == LR (Link Register/Address)

    R13 == SP (Stack Pointer)

    R12 == IP (Inter Procedure Call Stack Register)

    R11 == FP (Frame Pointer)

    R10 == SL (Stack Limit)

    R9 == SB (Stack Base)

    R4-R11 == V1-V8 (Variable Registers)

    R0-R3 == A1-A4 (Scratch Registers)

    34/80

    ARM Instructions

    Branching Instructions

    B, BL, BX, BLX, BXJ

    Arithmetic

    ADD, ADC, SUB, RSB, SBC, RSC

    Bitwise Operations

    ASR, LSR, LSL, ROR, RRX

    Logical Operations

    AND, ORR, EOR, BIC, ORN

    Comparisons

    CMP, CMN

    Data manipulation

    MOV, MVN, MOVT

    Detailed breakdown:

    35/80

    Branching

    B = Branch

    Branch can include condition

    BL = Branch with Link

    Calling a routine:

    PC+4 -> LR

    Subroutine address -> PC

    Return: LR -> PC

    BX/BLX = Branch eXchange instruction (switch between Thumb and ARM mode)

    36/80

    Different than x86

    ADD R11, SP, #0x12       ; ADD Rd, Operand1, Operand2 (optional)

    SUB R11, SP, #0x12       ; SUB Rd, Operand1, Operand2 (optional)

    LDMIA R1, {R2, R3}       ; LDMIA MemoryLocation, {Destination1, Destination2}

    SUBS R11, SP, #0x12      ; Status flags set; SUBS Rd, Operand1, Operand2 (optional)
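The condition codes on slide 27, the CPSR layout on slide 30 and the SUBS example above are three views of one mechanism: a flag-setting instruction writes N/Z/C/V into the CPSR, and the top nibble of every following ARM instruction is checked against those flags before it executes. The Python below is an added example, not code from the deck; the instruction word 0x9A000001 and the CPSR value 0x600000D3 are constructed inputs. One check worth noting: the slide lists LS as "Unsigned Lower", but the architecture defines LS as unsigned lower or same (C clear or Z set), and that is what the table implements.

```python
"""Added example (not from the slides): decode the CPSR fields, compute the flags
a SUBS/CMP sets, and evaluate the condition code in an instruction's top nibble."""

# CPSR bit positions as drawn on the slide (N Z C V at 31..28, I F T at 7..5,
# M4..M0 at 4..0).
N_BIT, Z_BIT, C_BIT, V_BIT = 31, 30, 29, 28
I_BIT, F_BIT, T_BIT = 7, 6, 5
MODE_MASK = 0x1F
MODE_NAMES = {0x10: "User", 0x11: "FIQ", 0x12: "IRQ", 0x13: "Supervisor",
              0x17: "Abort", 0x1B: "Undefined", 0x1F: "System"}

# Condition field values 0x0..0xF. 0xF is "never" on early cores and is reused
# for unconditional instructions from ARMv5 on, so treat it as "does not pass".
COND_MNEMONICS = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
                  "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV"]


def decode_cpsr(cpsr):
    """Return the CPSR fields as a dict: N, Z, C, V, I, F, T and the mode name."""
    def bit(n):
        return (cpsr >> n) & 1
    return {"N": bit(N_BIT), "Z": bit(Z_BIT), "C": bit(C_BIT), "V": bit(V_BIT),
            "irq_masked": bool(bit(I_BIT)), "fiq_masked": bool(bit(F_BIT)),
            "thumb": bool(bit(T_BIT)),
            "mode": MODE_NAMES.get(cpsr & MODE_MASK, "reserved")}


def subs(a, b):
    """Flags produced by SUBS Rd, Rn, Op2 (CMP is the same without a destination).
    C means "no borrow" (unsigned a >= b); V means signed overflow."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    result = (a - b) & 0xFFFFFFFF
    sign_a, sign_b, sign_r = a >> 31, b >> 31, result >> 31
    flags = {"N": sign_r, "Z": int(result == 0), "C": int(a >= b),
             "V": int(sign_a != sign_b and sign_r != sign_a)}
    return result, flags


def condition_passes(cond, flags):
    """Evaluate a 4-bit condition field against N/Z/C/V."""
    n, z, c, v = flags["N"], flags["Z"], flags["C"], flags["V"]
    table = [z == 1, z == 0, c == 1, c == 0, n == 1, n == 0, v == 1, v == 0,
             c == 1 and z == 0,      # HI: unsigned higher
             c == 0 or z == 1,       # LS: unsigned lower or same
             n == v, n != v,         # GE, LT
             z == 0 and n == v,      # GT
             z == 1 or n != v,       # LE
             True, False]            # AL, NV
    return table[cond & 0xF]


def condition_of(instruction_word):
    """Top nibble of a 32-bit ARM instruction word and its mnemonic."""
    cond = (instruction_word >> 28) & 0xF
    return cond, COND_MNEMONICS[cond]


def would_execute(instruction_word, flags):
    """True when the instruction's condition field passes under these flags."""
    return condition_passes(condition_of(instruction_word)[0], flags)


if __name__ == "__main__":
    _, flags = subs(4, 4)            # CMP R4, #4 with R4 == 4
    word = 0x9A000001                # constructed: cond=LS, B, offset 1
    print(condition_of(word), would_execute(word, flags))
    print(decode_cpsr(0x600000D3))   # constructed: Z and C set, IRQ/FIQ masked, Supervisor
```

When reading a disassembly like the MOVLS/BLS sequence later in the deck, this is the question to ask at each conditional instruction: which earlier CMP/SUBS/TST set the flags, and which flag combination the suffix tests.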


    38/80

    Malware On Mobile

    Lots of devices out there and malware is beginning to target these devices which, in addition to everyday life, are quickly invading the corporate network - Oh noes!

    Malware on mobile has a few places to live

    Mobile Application (User land)

    Mobile Platform/OS (Kernel land)

    Other (SIM chip, Bootloader, Baseband, etc)

    Detection/Prevention is difficult due to limited security tools (Mobile Device Management)

    So many different platforms; this makes malware tracking and analysis a moving target

    39/80

    Attacker Vectors

    Mobile malware can originate in different locations

    AppStore Malware

    Google Appstore

    3rd Party Appstores

    iTunes AppStore

    etc

    Attack Payload Drive-by (Web attack)

    Spearphish/Social Engineering

    mdot seeding (m.mydomain.com)

    Malicious Mobile Apps get all the attention right now:


    42/80

    Dog Wars

    August 2011 Kage games releases Dog Wars

    Beta code circulated on Warez sites

    Modified apk contains class rabbies

    Rabbies generates SMS message to contacts

    "I take pleasure in hurting small animals, just thought you should know that"

    43/80

    SandBoxes

    Access Control System/Profiles == Sandbox

    "...in computing, sandboxes should be applied broadly to all apps, ideally ensuring that they cannot cause much harm if they get compromised." - Apple

    (diagram: MyApplication -> System SandBox SubSystem (User Land, User Mode Calls) -> Sandbox Kernel Component (Kernel Land) -> yes/No)

    44/80

    Code Signing

    Ensure that if an app is signed and this is validated by the appstore, it *should* be safe

    Asymmetric Cryptographic Systems

    Reverse Engineering Challenge

    Primarily impacts IOS due to iTunes distribution mechanism

    IPA - more on static analysis


    45/80

    Sample Collections

    Contagio Mobile Malware Mini-dump

    Searching google: site:.cn filetype:apk == win

    Searching google: site:.cn filetype:jad

    Etc


    46/80

    Mobile Packages

    Blackberry - JAD/COD

    WinMo - CAB (Cabinet Archive)

    Android - APK, contains: AndroidManifest.xml, META-INF, classes.dex, res/, resources.arsc

    iPhone/iPod/iPad - IPA, contains: iTunesMetadata.plist, iTunesArtwork, Payload/.app

    Symbian - SiS/SiSX, contains: private/, resource/, sys/bin/<application name>.exe

    Typically these files are compressed and contain a manifest of some form and binary executable code

    iOS malware packages may be designed for jailbroken phones; this is typically a more realistic attack vector to avoid vendor detection - this will be manifested as a gzipped package

    47/80

    Device Forensics

    Device forensics can assist in identifying malicious applications

    Blackberry - Look for .cod files that shouldn't be there

    IOS - Most malware requires jailbreak; this will generally leave forensic artifacts such as Cydia

    Android - Harvest apk files from OS; unfortunately the location of an APK can vary based on a number of factors

    Symbian/WinMo/etc


    49/80

    About

    Static analysis analyzes something in a non-executing state

    Little danger of compromise

    Different approaches depending on system

    Meta Data Extraction:

    Strings

    Dump Manifest File

    Android: DeCompilation, different approach due to Dalvik EXecutable (DEX); this can reproduce nearly compilable code

    IOS/Symbian/WinMO: IDA Pro/Hex-Rays DeCompiler

    BBerry: Coddec (Good luck)


    50/80

    Tools

    IDA Pro (www.hex-rays.com/)

    HexRays ARM Decompiler (www.hex-rays.com/)

    Dex2jar (code.google.com/p/dex2jar/)

    Sisxplorer (www.symbian-toys.com/sisxplorer.aspx)

    AXMLPrinter2.jar

    Apktool.jar

    Coddec


    51/80

    Cheat Sheet

    Operating System    Static Analysis Tool
    iOS                 Strings, IDA Pro
    Android             AAPT, Dex2Jar, JD-GUI
    Symbian             Strings, IDA Pro
    WinMO               Strings, IDA Pro
    Blackberry          Coddec


    52/80

    Encryption/Signing

    Android Applications are signed by the developer

    Apple applications are signed by the developer; applications obtained via iTunes generally have an encrypted component courtesy of FairPlay DRM

    Detection can be accomplished by unpacking the ipa and using the Apple object tool (otool)

    Symbian packages may be signed; in some cases they are not and the user can sign using something like Symbiansigned.com

    Blackberry .cod files are signed and utilize the RIM cryptographic package

    Windows Mobile has two different signing mechanisms depending on distribution method

    Windows Marketplace Method

    Windows Mobile Code Signing via Verisign


    53/80

    Obfuscation

    Various obfuscation techniques are available for mobile applications

    Proguard ( ) - Java obfuscator for Android and probably Blackberry

    Objective C (iOS): manual techniques, which might be optimized out by the compiler

    Dotfuscator, a commercial solution from PreEmptive Solutions, is typically used for obfuscating Windows Mobile

    Not very common

    Obfuscation varies on the available platforms and is not widely used, though increasingly Android malware seems to be using it

    Developer.Android.Com recommends the use of ProGuard and mentions it is integrated into the build system


    54/80

    Package Contents

    Packages in general contain graphics images resourced by the application

    Various configuration files either in a binary format or text

    The configuration files contain lots of useful information about the application you are reversing

    Binary executables (the application) may be spread across different files depending on the mobile platform

    WinMo may have an installer exe and several executables

    The application functions may be spread across diferent binaries to limit memory footprint


    55/80

    Package Analysis

    Most packages can be decompressed and analyzed with zip or other commercial or open source compression utilities

    Windows Mobile uses Cabinet files, thus requiring cabextract

    Symbian .sis files require special tools to extract (e.g.: sisxplorer)


    56/80

    MetaData Extraction Symbian

    Several files to look at

    Resource Files:

    $ strings *.rsc
    REGI
    File
    Register
    Exit
    Registration
    Enter license key
    Enter license key
    Registration successful!
    B"
    Registration
    Registration
    **\resource\apps\Registration_0x20033401.mif
    Registration_0x20033401
    &&\resource\apps\Registration_0x20033401

    Binary Files:

    $ strings malware.exe
    EPOC
    *}OK
    15XLeaveException
    11CSMSHandler
    19MMsvSessionObserver
    15CCommController
    19MNotifyCommObserver
    19CGpsPositionRequest
    15CContactManager
    18MContactDbObserver
    8CIMEIApp
    8CIMSIApp
    12CCallHandler
    17CRemoteSmsReciver
    c:\data\loc.txt
    15CDeviceLocation
    APGRFX{000a0000}[10003a3c].DLL
    CNTMODEL{000a0000}[10003a71].DLL
    COMMSDAT{000a0000}[10204ddb].DLL
    ESTLIB{000a0000}[10003b0b].DLL
    ...
    http://***REDACTED***/servicerequest.php
    Malware Client
    17MHTTPDataSupplier
    24MHTTPTransactionCallback
    8CIMEIApp
    8CIMSIApp
    21TRegistrationItemdata
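The strings dump above is the whole static-analysis story on this slide: length-prefixed C++ RTTI names (8CIMEIApp, 17CRemoteSmsReciver), a local file path and a callback URL together tell you what the binary collects and where it sends it. The Python below is an added example, not code from the deck: a minimal strings(1) equivalent followed by a triage pass. The sample blob is constructed from the class and path names on the slide, with the redacted URL replaced by a placeholder, and the class-to-capability mapping is this example's own.

```python
"""Added example (not from the slides): a minimal strings(1) equivalent plus a
triage pass over its output. SAMPLE_BLOB is constructed from the slide's Symbian
dump; the URL is a placeholder, not the redacted original."""
import re


def extract_strings(blob, min_len=4):
    """Return runs of printable ASCII at least min_len bytes long, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


# Triage patterns. The class list is drawn from the slide's dump (IMEI/IMSI
# readers, SMS and call handlers, GPS, contacts) and is illustrative only.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\x00\"']+")
# Itanium-mangled RTTI names carry a decimal length prefix, e.g. "8CIMEIApp".
CLASS_RE = re.compile(
    r"\d+(C(?:IMEI|IMSI|RemoteSms|GpsPosition|Contact|Call|DeviceLocation)\w*)")


def triage(strings):
    """Group the interesting strings by indicator type."""
    hits = {"urls": [], "paths": [], "classes": []}
    for s in strings:
        hits["urls"].extend(URL_RE.findall(s))
        hits["paths"].extend(PATH_RE.findall(s))
        hits["classes"].extend(m.group(1) for m in CLASS_RE.finditer(s))
    return hits


# Constructed mapping from class-name prefix to the capability it suggests.
CAPABILITIES = {"CIMEI": "device identifier", "CIMSI": "subscriber identifier",
                "CRemoteSms": "SMS handling", "CGpsPosition": "location",
                "CContact": "contact access", "CCall": "call handling",
                "CDeviceLocation": "location"}


def capability_summary(hits):
    """Set of capabilities implied by the triage hits."""
    found = set()
    for name in hits["classes"]:
        for prefix, cap in CAPABILITIES.items():
            if name.startswith(prefix):
                found.add(cap)
    if hits["urls"]:
        found.add("network callback")
    return found


# Constructed binary: NUL-separated strings as a real EPOC image would carry
# them, plus a short "ok" run that is below the length threshold.
SAMPLE_BLOB = (
    b"EPOC\x00\x00\x00*}OK\x00"
    b"8CIMEIApp\x008CIMSIApp\x0012CCallHandler\x0017CRemoteSmsReciver\x00"
    b"c:\\data\\loc.txt\x0015CDeviceLocation\x00"
    b"http://example.invalid/servicerequest.php\x00Malware Client\x00"
    b"\x7f\x01ok\x00"
)


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    hits = triage(found)
    print(hits)
    print(sorted(capability_summary(hits)))
```

The point of the capability summary is the same one the slide makes implicitly: a game or utility that carries IMEI, IMSI, SMS and location classes plus a hard-coded callback URL is worth a closer look before any dynamic analysis.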

    57/80

    MetaData Extraction WinMo

    Several files to look at

    $ strings _setup.xml

    58/80

    Several files to look at

    Plist Files:

    appleId: <iTunes user who installed>
    artistId: 365399302
    artistName: App Maker USA, Inc.
    bundleShortVersionString: 2.1.1
    bundleVersion: 2.1.1
    copyright: 2011 App Maker USA, Inc.
    drmVersionNumber: 0

    o~*hAOQaqtLwx1)k^^S'6L`j^Lo+86,(p&Aa0W1`7$_9f[F];3Bd@b Ee^FJ0EYC/

    59/80

    Dumping requires a jailbroken device

    Per Stefan Esser's recommendation I use an iPod 4G with a tethered jailbreak (no dealing with baseband etc)

    Use DumpDecrypted tool ( ), also by Stefan

    (figure: MyApp before/after dump, not reproduced)

    60/80

    MetaData Extraction iOS Dumped IPA

    Several files to look at

    Plist Files:

    appleId: <iTunes user who installed>
    artistId: 365399302
    artistName: App Maker USA, Inc.
    bundleShortVersionString: 2.1.1
    bundleVersion: 2.1.1
    copyright: 2011 App Maker USA, Inc.
    drmVersionNumber: 0

    Binary Files:

    setViewControllers:
    arrayWithObject:
    SETTING_RATINGURL
    setAppStoreID:
    sharedInstance
    MFMailComposeViewControllerDelegate
    applicationProtectedDataDidBecomeAvailable:
    applicationProtectedDataWillBecomeUnavailable:
    applicationWillEnterForeground:
    applicationDidEnterBackground:
    application:didReceiveLocalNotification:
    application:didReceiveRemoteNotification:
    application:didFailToRegisterForRemoteNotificationsWithError:
    application:didRegisterForRemoteNotificationsWithDeviceToken:
    application:didChangeStatusBarFrame:
    v28@0:4@8{CGRect={CGPoint=f}{CGSize=f}}12
    application:willChangeStatusBarFrame:
    application:didChangeStatusBarOrientation:
    ...

    61/80

    MetaData Extraction iOS JB/Cydia

    Several files to look at

    Plist Files:

    bplist00
    CFBundleIdentifier
    _CFBundleInfoDictionaryVersion
    _CFBundleResourceSpecification
    _CFBundleVersion
    _CFBundleExecutable
    _LSRequiresIPhoneOS
    _CFBundleDisplayName
    _MinimumOSVersion
    _CFBundleSupportedPlatforms
    _CFBundlePackageType
    _CFBundleSignature
    ]NSMainNibFile
    ^DTPlatformName
    YDTSDKName
    _CFBundleDevelopmentRegion
    \CFBundleName
    _com.yourcompany.malware
    S6.0_

    Binary Files:

    __dyld_make_delayed_module_initializer_calls
    __dyld_mod_term_funcs
    window
    @"UIWindow"
    viewController
    @"MyFilesViewController"
    setWindow:
    v12@0:4@8
    @8@0:4
    setViewController:
    dealloc
    v8@0:4
    applicationDidFinishLaunching:
    T@"MyFilesViewController",&,N,VviewController
    T@"UIWindow",&,N,Vwindow
    MyFilesAppDelegate
    release
    view
    makeKeyAndVisible
    ...

    62/80

    Disassembly

    Remember that our disassembly will be for ARM

    Beyond the difference in the instruction set, the primary thing to be cognizant of is when the application has switched to Thumb-mode

    MOVLS   R0, R4
    MOVLS   R1, SP
    BLS     sub_BF40
    CMP     R4, #4
    BNE     sub_8000
    MOV     R0, SP
    LDR     R4, [SP,#arg_10]
    TST     R4, #0x20
    LDRNE   R1, [SP,#arg_50]

    63/80

    Decompilation - HexRays

    Works as expected :D

    Automatic Thumbswitch (you may need to go manual if something looks wrong)

    int __fastcall sub_8010(int a1, int a2)
    {
      int v2; // r4@1
      int v3; // r5@1
      int v4; // r0@1

      v2 = a2;
      v3 = a1;
      *(_DWORD *)(a2 + 60) = 0;
      v4 = UserHeap::SetupThreadHeap();
      if ( !v4 )
        v4 = sub_BF38(*(_DWORD *)(v2 + 8), *(_DWORD *)(v2 + 12), v3);
      return User::Exit(v4);
    }

    64/80

    ARM Calling Conventions

    myHandle = Loadlibrary(DLL.dll)

    65/80

    IOS

    Objective C is detected by IDA

    This can be a little off-putting at first but the analysis by IDA is very nice to have for parsing the structures

    objc_msgSend(*(void **)&v2->UIViewController_opaque[*(_DWORD *)dword_7860], "setHidden:", 1);
    objc_msgSend(*(void **)&v2->UIViewController_opaque[*(_DWORD *)dword_7880], "setHidden:", 1);
    objc_msgSend(*(void **)&v2->UIViewController_opaque[*(_DWORD *)dword_788C], "setHidden:", 1);

    66/80

    DeCompiling Android

    Different approaches are possible; this is one

    Tools:

    Dex2Jar ( ) multiple tools for converting DEX to Java Class

    Eclipse (http://www.eclipse.org) - Opensource Integrated Development Environment (IDE)

    Android SDK (http://developer.android.com/sdk/) - Android toolchain for developers

    JD-GUI ( ) - Java DeCompiler

    Other decompilers: JAD, Mocha, JadClipse, etc

    Basic premise:

    Unpack APK (Not required to DeCompile but contents may be interesting)

    Convert DEX to Java using Dex2Jar

    Decompile using JD-GUI
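The "Unpack APK" step above, and the APK layout listed on the Mobile Packages slide (AndroidManifest.xml, META-INF, classes.dex, res/, resources.arsc), are worth doing in code rather than by eye, because the META-INF manifest also lets you detect the repackaging that Dog Wars suffered: a modified classes.dex no longer matches the SHA1-Digest recorded for it. The Python below is an added example, not the project's or the speaker's code; it builds a minimal APK-shaped zip in memory (constructed data, with placeholder signature files) and then inspects it the way the first step of the workflow calls for.

```python
"""Added example (not from the slides): inspect an APK's zip entries, check the
DEX header, and verify the v1 (JAR-style) manifest digests of each entry."""
import base64
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"


def build_sample_apk(tamper=False):
    """Construct a minimal APK-shaped zip (constructed test data, not a real app).
    With tamper=True the dex is altered after the manifest was written, which is
    what a repackaged 'beta' looks like to a digest check."""
    entries = {
        "AndroidManifest.xml": b"<binary manifest placeholder>",
        "classes.dex": DEX_MAGIC + b"035\x00" + b"\x00" * 100,
        "res/drawable-hdpi/icon.png": b"\x89PNG placeholder",
        "resources.arsc": b"\x02\x00\x0c\x00 placeholder",
    }
    manifest_lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        manifest_lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    if tamper:
        entries["classes.dex"] += b"\x00injected bytes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest_lines))
        z.writestr("META-INF/CERT.SF", "placeholder signature file")
        z.writestr("META-INF/CERT.RSA", b"placeholder certificate block")
    return buf.getvalue()


def parse_manifest(text):
    """Map entry name -> SHA1-Digest from a MANIFEST.MF. Real manifests wrap
    lines longer than 72 bytes with a leading space; this parser does not
    unwrap them, so very long entry names would be missed."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def inspect_apk(apk_bytes):
    """Summarise structure, DEX version, signature blocks and digest mismatches."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = z.read("classes.dex") if "classes.dex" in names else b""
        report = {
            "entries": names,
            "has_manifest": "AndroidManifest.xml" in names,
            "dex_version": dex[4:7].decode() if dex.startswith(DEX_MAGIC) else None,
            "signature_files": sorted(n for n in names if n.startswith("META-INF/")
                                      and n.endswith((".RSA", ".DSA", ".EC"))),
            "digest_mismatches": [],
        }
        if "META-INF/MANIFEST.MF" in names:
            digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
            for name, expected in digests.items():
                if name not in names:
                    report["digest_mismatches"].append(name)
                    continue
                actual = base64.b64encode(hashlib.sha1(z.read(name)).digest()).decode()
                if actual != expected:
                    report["digest_mismatches"].append(name)
    return report


if __name__ == "__main__":
    print(inspect_apk(build_sample_apk()))
    print(insp := inspect_apk(build_sample_apk(tamper=True)), insp["digest_mismatches"])
```

A digest mismatch only tells you the package was altered after its manifest was written; it says nothing about who signed it. Checking the certificate in CERT.RSA against the developer's known key is the separate step the Code Signing slide refers to.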

    67/80

    Dex2Jar

    $ sh ../dex2jar.sh malware.apk
    dex2jar version: translator-0.0.9.7
    dex2jar malware.apk -> malware_dex2jar.jar
    Done.
    $

    68/80

    JD-GUI

    Where to start?


    69/80

    Depends

    Android Asset Packaging Tool (AAPT) - from the SDK, will decode the contents of the AndroidManifest.xml inside of the APK

    package: name='kagegames.apps.DWBeta' versionCode='18' versionName='0.981'
    sdkVersion:'4'
    targetSdkVersion:'9'
    uses-permission:'android.permission.VIBRATE'
    uses-permission:'android.permission.INTERNET'
    uses-permission:'android.permission.ACCESS_COARSE_LOCATION'
    uses-permission:'android.permission.READ_PHONE_STATE'
    uses-permission:'android.permission.SEND_SMS'
    uses-permission:'android.permission.WRITE_SMS'
    uses-permission:'android.permission.READ_CONTACTS'
    uses-permission:'android.permission.RECEIVE_BOOT_COMPLETED'
    application-label:'Dog Wars - Beta'
    application-icon-160:'res/drawable-hdpi/icon.png'
    application-icon-240:'res/drawable-hdpi/icon.png'
    application: label='Dog Wars - Beta' icon='res/drawable-hdpi/icon.png'
    launchable-activity: name='kagegames.apps.DWBeta.DogWars' label='Dog Wars - Beta' icon=''
    uses-feature:'android.hardware.location'
    uses-feature:'android.hardware.location.network'
    uses-feature:'android.hardware.telephony'
    uses-feature:'android.hardware.touchscreen'
    uses-feature:'android.hardware.screen.landscape'
    uses-feature:'android.hardware.screen.portrait'
    main
    app-widget
    other-activities
    other-receivers
    other-services
    supports-screens: 'normal' 'large' 'xlarge'
    supports-any-density: 'true'
    locales: '--_--'
    densities: '160' '240'
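The badging output above answers "where to start?" before any decompilation: a game that declares SEND_SMS, READ_CONTACTS and RECEIVE_BOOT_COMPLETED has already told you what to look for in the Java. The Python below is an added example, not code from the deck. SAMPLE_BADGING is constructed from the values shown on the slide (package name, version code, permissions, activity); the parser accepts both the old `uses-permission:'NAME'` form shown here and the newer `uses-permission: name='NAME'` form, and the triage rules are this example's own.

```python
"""Added example (not from the slides): parse `aapt dump badging` output and
flag permission combinations that deserve a closer look."""
import re

ATTR_RE = re.compile(r"([\w-]+)='([^']*)'")


def parse_badging(text):
    """Return package attributes, permissions, launchable activity and label."""
    info = {"package": {}, "permissions": [], "activity": {}, "label": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, rest = line.partition(":")
        rest = rest.strip()
        if key == "package":
            info["package"] = dict(ATTR_RE.findall(rest))
        elif key == "uses-permission":
            # old aapt: uses-permission:'NAME'   newer aapt: uses-permission: name='NAME'
            attrs = dict(ATTR_RE.findall(rest))
            info["permissions"].append(attrs.get("name") or rest.strip("'"))
        elif key == "launchable-activity":
            info["activity"] = dict(ATTR_RE.findall(rest))
        elif key == "application-label":
            info["label"] = rest.strip("'")
    return info


# Constructed triage rules: a finding fires when all listed permissions are present.
RULES = {
    "sends SMS and reads contacts (can message the victim's address book)":
        {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
    "starts at boot (persistence)":
        {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "reads device identity with network access (identifier exfiltration)":
        {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"},
    "location with network access (tracking)":
        {"android.permission.ACCESS_COARSE_LOCATION", "android.permission.INTERNET"},
}


def triage_permissions(permissions):
    """List the findings whose permission sets are fully granted."""
    granted = set(permissions)
    return [finding for finding, needed in RULES.items() if needed <= granted]


# Constructed from the values on the slide.
SAMPLE_BADGING = """\
package: name='kagegames.apps.DWBeta' versionCode='18' versionName='0.981'
sdkVersion:'4'
targetSdkVersion:'9'
uses-permission:'android.permission.VIBRATE'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.ACCESS_COARSE_LOCATION'
uses-permission:'android.permission.READ_PHONE_STATE'
uses-permission:'android.permission.SEND_SMS'
uses-permission:'android.permission.WRITE_SMS'
uses-permission:'android.permission.READ_CONTACTS'
uses-permission:'android.permission.RECEIVE_BOOT_COMPLETED'
application-label:'Dog Wars - Beta'
launchable-activity: name='kagegames.apps.DWBeta.DogWars'  label='Dog Wars - Beta' icon=''
"""


if __name__ == "__main__":
    info = parse_badging(SAMPLE_BADGING)
    print(info["package"], info["activity"].get("name"))
    for finding in triage_permissions(info["permissions"]):
        print(" -", finding)
```

In practice the launchable activity name is where to open the decompiled source first, and each finding names the permission-gated API (SmsManager, ContactsContract, the BOOT_COMPLETED receiver) to search for next.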

    71/80

    About

    Dynamic analysis on mobile platforms is difficult

    Options for analysis are emulator or real hardware device

    Emulators are clunky and detectable

    Real Hardware is expensive

    Either way potentially detectable that the device is being debugged

    72/80

    Emulators

    iOS

    Simulator package comes with xTools

    Limited capability to install Application and difficult to jailbreak

    iEmu is a Qemu emulator for iOS (http://www.iemu.org/index.php/Main_Page); supports debugging :D

    Android

    Android SDK contains a very functional emulator

    Supports control from host including installation of arbitrary packages, and fuzzing user input/behavior

    Possible to build automated sandbox very easily (I've done this in python)

    Windows Mobile

    Requires Visual Studio (definitely works with VS10) and platform SDK

    Supports debugging via Visual Studio

    Symbian

    Depends on hardware platform targeted S60/N97

    Part of SDK

    IDA supports

    Blackberry

    Emulator is part of the SDK (painful on non-windows)

    Supports on-device debugging or emulator debugging

    73/80

    Theory

    Dynamic analysis on mobile platforms is dependent on the platform and target

    Analysis

    Fire up an emulator in a controlled environment

    install package (via web/appstore/manual)

    attach debugger

    launch targeted application

    simulate input from user

    dump logs (capture traffic if network enabled)

    refresh the emulator*

    This can be scripted
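The steps above, as a script. This is an added example, not the speaker's sandbox: the commands are the Android SDK's `emulator` and `adb` tools, the AVD name, package and activity are assumptions, and `run`, `spawn` and `wait` are injectable so the step sequence can be exercised without an emulator present (the debugger-attach step is left as a comment, since it is interactive). The `-wipe-data` flag is what implements the "refresh the emulator" step: every run starts from a clean image.

```python
"""Added example (not from the slides): the emulator analysis loop as a script.
The Android SDK tools (emulator, adb) are real; the AVD name, package and
activity are assumptions, and run/spawn/wait are injectable for testing."""
import subprocess
import time


def default_run(cmd):
    """Run a command to completion and return its stdout."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def default_spawn(cmd):
    """Start a long-running process (the emulator) in the background."""
    return subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def filter_logcat(logcat, package, extra_terms=("SmsManager", "sendTextMessage")):
    """Keep log lines that mention the package or SMS-sending APIs."""
    terms = (package,) + tuple(extra_terms)
    return [line for line in logcat.splitlines() if any(t in line for t in terms)]


def analyze(apk_path, package, activity, avd="analysis-avd", pcap="session.pcap",
            monkey_events=500, run=default_run, spawn=default_spawn, wait=time.sleep):
    """Run one sample through a fresh emulator and return the collected artifacts."""
    steps = []

    def do(*cmd):
        steps.append(list(cmd))
        return run(list(cmd))

    # 1. Fire up a clean emulator in a controlled environment. -wipe-data resets
    #    the image every run (the "refresh the emulator" step); -tcpdump records
    #    all guest traffic to a pcap for later review.
    emulator_cmd = ["emulator", "-avd", avd, "-wipe-data", "-no-snapshot",
                    "-tcpdump", pcap]
    steps.append(emulator_cmd)
    emulator = spawn(emulator_cmd)
    do("adb", "wait-for-device")
    do("adb", "logcat", "-c")                    # start from an empty log
    # 2. Install the package (manual route; the slide also lists web/appstore).
    do("adb", "install", "-r", apk_path)
    # 3. Attach a debugger here if wanted (adb forwards JDWP); interactive, so
    #    not scripted in this example.
    # 4. Launch the targeted application.
    do("adb", "shell", "am", "start", "-n", f"{package}/{activity}")
    wait(5)
    # 5. Simulate user input with the monkey tool, confined to the package.
    do("adb", "shell", "monkey", "-p", package, "--throttle", "200", str(monkey_events))
    # 6. Dump logs; traffic is already in the pcap written by the emulator.
    logcat = do("adb", "logcat", "-d")
    do("adb", "emu", "kill")
    if emulator is not None:
        try:
            emulator.wait(timeout=60)
        except subprocess.TimeoutExpired:
            emulator.kill()
    return {"steps": steps, "logcat": logcat, "pcap": pcap,
            "suspicious_log_lines": filter_logcat(logcat, package)}


if __name__ == "__main__":
    # Assumed package and activity names (from the Dog Wars badging output).
    result = analyze("malware.apk", "kagegames.apps.DWBeta", ".DogWars")
    print(len(result["steps"]), "steps;", len(result["suspicious_log_lines"]), "log lines of interest")
```

The monkey run is the weak point of any such loop: it exercises the UI randomly, so behaviour gated on a specific screen or on an incoming SMS will not show up, which is why the slide's "either way potentially detectable" caveat also applies to coverage, not only to emulator detection.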

    74/80

    Demo time

    76/80

    Conclusion

    Reversing on mobile is not too different than on conventional platforms

    ARM instruction set is very different than what we may be used to

    Plenty of (mal)code sources out there with some creative googling

    Static analysis is more or less the same

    iOS FairPlay exception

    Dynamic analysis requires a little more effort than firing up a Windows virtual machine

    Instrumentation of debugger is a little harder

    Reverse engineering mobile applications is fun :D

    77/80

    Secure Mobile Best Practices

    Code Hardening

    Code Signing

    Principle of Least Privilege

    App Sandboxing

    Privilege Separation

    79/80

    Questions?

    [email protected]

    Twitter: @Adam_Cyber
