Академический Документы
Профессиональный Документы
Культура Документы
petsas@ics.forth.gr - www.syssec-project.eu 1
Roadmap
The APK Structure
The Tools
Hacking Approach
Disassembly & App Analysis
Code Injection
petsas@ics.forth.gr - www.syssec-project.eu 2
The APK Structure
AndroidManifest.xml
classes.dex
res/
lib/ (sometimes)
META-INF
petsas@ics.forth.gr - www.syssec-project.eu 3
The Tools
Youll need
Android SDK
apktool (based on Smali/Baksmali)
jarsigner
keytool
petsas@ics.forth.gr - www.syssec-project.eu
Hacking Approach
petsas@ics.forth.gr - www.syssec-project.eu
Hacking Approach
1. Unzip APK & disassemble classes.dex
Disassemble (1)
(apktool/baksmali)
.smali
petsas@ics.forth.gr - www.syssec-project.eu
Hacking Approach
1. Unzip APK & disassemble classes.dex
2. Perform static analysis on the app
Disassemble (1)
(apktool/baksmali)
.smali
petsas@ics.forth.gr - www.syssec-project.eu
Hacking Approach
1. Unzip APK & disassemble classes.dex
2. Perform static analysis on the app
3. Inject byte-code into the app
Disassemble (1)
(apktool/baksmali)
.smali
Code injection (3)
petsas@ics.forth.gr - www.syssec-project.eu
Hacking Approach
1. Unzip APK & disassemble classes.dex
2. Perform static analysis on the app
3. Inject byte-code into the app
4. Reassemble classes.dex & zip/sign APK
Static analysis (2)
$ ls
$ AndroidManifest.xml apktool.yml
assets res smali
petsas@ics.forth.gr - www.syssec-project.eu
Analyzing the APK
$ ls Myapp/smali/com/example/myapp
StartActivity.smali
R$attr.smali
R$drawable.smali
R$layout.smali
R$string.smali
R.smali
petsas@ics.forth.gr - www.syssec-project.eu
Analyzing the APK
$ ls Myapp/smali/com/example/myapp
StartActivity.smali com.example.myapp
R$attr.smali
R$drawable.smali
R$layout.smali
R$string.smali
R.smali
petsas@ics.forth.gr - www.syssec-project.eu
Analyzing the APK
$ ls Myapp/smali/com/example/myapp
StartActivity.smali com.example.myapp
R$attr.smali
R$drawable.smali StartActivity.java
R$layout.smali R.java
R$string.smali
R.smali
petsas@ics.forth.gr - www.syssec-project.eu
Java to Smali
# virtual methods
public class StartActivity extends Activity { .method protected onCreate(Landroid/os/Bundle;)V
.locals 3
@Override .parameter "savedInstanceState"
protected void onCreate( .prologue
Bundle savedInstanceState) { invoke-super {p0, p1}, Landroid/app/Activity
super.onCreate(savedInstanceState); ;->onCreate(Landroid/os/Bundle;)V
setContentView(R.layout.activity_start);
const/high16 v0, 0x7f03
Log.i("StartActivity:", Message");
const-string v0, "StartActivity:"
} const-string v1, Message"
invoke-static {v0, v1}, Landroid/util/Log;
->d(Ljava/lang/String;Ljava/lang/String;)I
move-result v0
return-void
Java code .end method Smali Byte code
petsas@ics.forth.gr - www.syssec-project.eu 8
Java to Smali
# virtual methods
public class StartActivity extends Activity { .method protected onCreate(Landroid/os/Bundle;)V
.locals 3
@Override .parameter "savedInstanceState"
protected void onCreate( .prologue
Bundle savedInstanceState) { invoke-super {p0, p1}, Landroid/app/Activity
super.onCreate(savedInstanceState); ;->onCreate(Landroid/os/Bundle;)V
setContentView(R.layout.activity_start);
const/high16 v0, 0x7f03
Log.i("StartActivity:", Message");
const-string v0, "StartActivity:"
} const-string v1, Message"
invoke-static {v0, v1}, Landroid/util/Log;
->d(Ljava/lang/String;Ljava/lang/String;)I
move-result v0
return-void
Java code .end method Smali Byte code
petsas@ics.forth.gr - www.syssec-project.eu 8
Java to Smali
# virtual methods
public class StartActivity extends Activity { .method protected onCreate(Landroid/os/Bundle;)V
.locals 3
@Override .parameter "savedInstanceState"
protected void onCreate( .prologue
Bundle savedInstanceState) { invoke-super {p0, p1}, Landroid/app/Activity
super.onCreate(savedInstanceState); ;->onCreate(Landroid/os/Bundle;)V
setContentView(R.layout.activity_start);
const/high16 v0, 0x7f03
Log.i("StartActivity:", Message");
const-string v0, "StartActivity:"
} const-string v1, Message"
invoke-static {v0, v1}, Landroid/util/Log;
->d(Ljava/lang/String;Ljava/lang/String;)I
move-result v0
return-void
Java code .end method Smali Byte code
petsas@ics.forth.gr - www.syssec-project.eu 8
Class Representation in Smali
# static fields
.field public static final TAG:Ljava/lang/String; = String Static fields
# direct methods
.method public constructor <init>()V
.registers 1
.prologue
.line 5 Methods
invoke-direct {p0}, Ljava/lang/Object;-><init>()V Direct
Virtual
return-void
.end method
petsas@ics.forth.gr - www.syssec-project.eu
Class Representation in Smali
# static fields
.field public static final TAG:Ljava/lang/String; = String Static fields
# direct methods
.method public constructor <init>()V
.registers 1
.prologue
.line 5 Methods
invoke-direct {p0}, Ljava/lang/Object;-><init>()V Direct
Virtual
return-void
.end method
petsas@ics.forth.gr - www.syssec-project.eu
Class Representation in Smali
# static fields
.field public static final TAG:Ljava/lang/String; = String Static fields
# direct methods
.method public constructor <init>()V
.registers 1
.prologue
.line 5 Methods
invoke-direct {p0}, Ljava/lang/Object;-><init>()V Direct
Virtual
return-void
.end method
petsas@ics.forth.gr - www.syssec-project.eu
Class Representation in Smali
# static fields
.field public static final TAG:Ljava/lang/String; = String Static fields
# direct methods
.method public constructor <init>()V
.registers 1
.prologue
.line 5 Methods
invoke-direct {p0}, Ljava/lang/Object;-><init>()V Direct
Virtual
return-void
.end method
petsas@ics.forth.gr - www.syssec-project.eu
Class Representation in Smali
# static fields
.field public static final TAG:Ljava/lang/String; = String Static fields
# direct methods
.method public constructor <init>()V
.registers 1
.prologue
.line 5 Methods
invoke-direct {p0}, Ljava/lang/Object;-><init>()V Direct
Virtual
return-void
.end method
petsas@ics.forth.gr - www.syssec-project.eu
Class Representation in Smali
# static fields
.field public static final TAG:Ljava/lang/String; = String Static fields
# direct methods
.method public constructor <init>()V
.registers 1
.prologue
.line 5 Methods
invoke-direct {p0}, Ljava/lang/Object;-><init>()V Direct
Virtual
return-void
.end method
petsas@ics.forth.gr - www.syssec-project.eu
Class Representation in Smali
# static fields
.field public static final TAG:Ljava/lang/String; = String Static fields
# direct methods
.method public constructor <init>()V
.registers 1
.prologue
.line 5 Methods
invoke-direct {p0}, Ljava/lang/Object;-><init>()V Direct
Virtual
return-void
.end method
petsas@ics.forth.gr - www.syssec-project.eu
Smali Syntax Types
.method private doSomething()V
V void
Z boolean
B byte
S short
C char
F float
I int
J long
D double
[ array
petsas@ics.forth.gr - www.syssec-project.eu
Smali Syntax Classes
Lcom/example/myapp/MyClass;
# Static invocation
invoke-static {p2}, Landroid/text/TextUtils;
->isEmpty(Ljava/lang/CharSequence;)Z
# Virtual invocation
invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;
->drainAllRequests(I)V
petsas@ics.forth.gr - www.syssec-project.eu
Smali Syntax Registers
v0 - local 0
p0 - parameter 0 (this)
p1 - parameter 1
petsas@ics.forth.gr - www.syssec-project.eu
Smali Syntax Opcodes
petsas@ics.forth.gr - www.syssec-project.eu
Hacking the App
Lets inject some code in the APK:
A toast message hacked!
Java code:
Toast.makeText(getApplicationContext(),
"Hacked!", Toast.LENGTH_SHORT).show();
petsas@ics.forth.gr - www.syssec-project.eu
Result
Toast.makeText(getApplicationContext(),
"Hacked!", Toast.LENGTH_SHORT).show();
Java code
petsas@ics.forth.gr - www.syssec-project.eu
Result
Toast.makeText(getApplicationContext(),
"Hacked!", Toast.LENGTH_SHORT).show();
Java code
petsas@ics.forth.gr - www.syssec-project.eu
Result
Toast.makeText(getApplicationContext(),
"Hacked!", Toast.LENGTH_SHORT).show();
Java code
petsas@ics.forth.gr - www.syssec-project.eu
Rebuilding the APK
$ apktool b ./MyApp
build out directory (produced previously)
petsas@ics.forth.gr - www.syssec-project.eu
Installing the APK
# then, install it
$ adb install ./MyApp/dist/MyApp.apk
petsas@ics.forth.gr - www.syssec-project.eu
Practical Session
petsas@ics.forth.gr - www.syssec-project.eu 20
Steps to follow
petsas@ics.forth.gr - www.syssec-project.eu 21
Step a. Inject a Toast Message
ToastMessage(Hacked!)
Build
petsas@ics.forth.gr - www.syssec-project.eu 22
Step a. Inject a Toast Message
ToastMessage(Hacked!)
Build
petsas@ics.forth.gr - www.syssec-project.eu 22
Step a. Inject a Toast Message
ToastMessage(Hacked!)
Build
petsas@ics.forth.gr - www.syssec-project.eu 22
Step a. Inject a Toast Message
ToastMessage(Hacked!)
Build
petsas@ics.forth.gr - www.syssec-project.eu 23
Step c. Verify the repackaged app
petsas@ics.forth.gr - www.syssec-project.eu 24
HINTS & TIPS
petsas@ics.forth.gr - www.syssec-project.eu 25