Android Applications Reversing 101

Every day we see a bunch of new Android applications being published on the Google Play Store, from games, to utilities, to IoT device clients and so forth; almost every single aspect of our life can be somehow controlled with “an app”. We have smart houses, smart fitness devices and smart coffee machines … but is this stuff just smart, or is it secure as well? :)

Reversing an Android application can be a (relatively) easy and fun way to answer this question; that’s why I decided to write this blog post, where I’ll try to explain the basics and give you some of my “tricks” to reverse this stuff faster and more effectively.

I’m not going to go very deep into technical details; you can learn on your own how Android works, how the Dalvik VM works and so forth. This is going to be a very basic practical guide instead of a post full of theoretical stuff but no really useful content.

Let’s start! :)


How I Defeated an Obfuscated and Anti-Tamper APK With Some Python and a Home-Made Smali Emulator.

During this Saturday afternoon I was chatting with a friend of mine ( Matteo ) and he asked for some help fixing a Python script he was working on.

He was trying to deobfuscate an APK in order to understand its obfuscation and anti-tampering (more on this later) protections, so I started working on it as well.

This was definitely way more challenging ( and fun! ) than my usual APK reversing session ( dex2jar -> jd-gui -> done ); moreover, this required me to write a new tool which I find kinda cool and unique ( IMHO of course ), so I’m going to share the story in this post.

I’m going to intentionally skip a few details here and there because I do not want to cause any harm to the people who wrote that application; all the involved protection mechanisms are there to prevent piracy.


Autopwn Every Android < 4.2 Device on Your Network Using BetterCap and the addJavascriptInterface Vulnerability.

Recently I’ve been playing with Android’s WebView-based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting ones is the addJavascriptInterface vulnerability ( CVE-2012-6636 ), which affects every device running a version older than Android 4.2.


Dynamically Inject a Shared Library Into a Running Process on Android/ARM

If you’re familiar with Windows runtime code injection you probably know the great CreateRemoteThread API, which lets us force an arbitrary running process to call LoadLibrary and load a DLL into its address space. This technique, called DLL Injection, is often used to perform user space API hooking; you can find a good post about it on Gianluca Braga’s blog.

Unfortunately there’s no CreateRemoteThread equivalent on Linux systems, therefore we can only rely on ptrace and our brain :D
In this post I’ll explain how to perform DLL Injection on Linux systems, and more specifically on Android/ARM.

Part 2 of this post on “Android Native API Hooking with Library Injection and ELF Introspection.”


dSploit Merges With ZImperium zANTI2

Some of you, the ones who know me personally, already know that starting from last July I’ve become part of the ZImperium family as a software developer and security researcher.
I had already been “unofficially” working/hacking with Elia, one of the two founders, for 4 years; during this summer I met Zuk in Amsterdam and later on all of them in Tel Aviv.


About (Re)distributing Open Source Apps ( dSploit )

For a while now I’ve been seeing compiled dSploit versions pop up on the Google Play Store; most of the time the actual changes are just a matter of icons, other times they are merely compiled versions of one of the nightly releases.

Although I cannot ( and really don’t want to ) prevent this, I’d like to write a few lines about this kind of conduct and the ethics behind open source software.

Like most of my personal projects, dSploit was released from the beginning under the GPL 3 license; this means that you can modify it at your own will, distribute it for free or even as paid software, and share it with your friends.
You are only asked to make your changes available under the same license and to credit the original authors of the software itself. That’s it, it is this simple.

Beyond the fact that I find it deeply unfair not to put even the smallest link to the original repository or some credits in the description of those compiled distributions, there are a few things anyone who wants to do such a thing should be aware of before blindly cloning the repository and compiling the source code.
