Dismantling droids for breakfast - The current state of app reverse engineering

06/04/2015 - 14:30 to 15:10
Stage 3

Session abstract: 

Android malware is getting more and more sophisticated. To wit, Google Play hosted many malicious “sleeper” apps that camouflaged their malicious behavior with a so-called “timing bomb”, where the malware waits for a certain time or event before becoming active. In addition, modern malware families try to evade analysis through code encryption, packers, code obfuscators, and detectors for emulators, rooted devices, or hooks, as well as through integrity checks. Those features render many automated analyses ineffective, leaving manual analysis as the only viable option - a very difficult and time-consuming undertaking.

To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. With features such as interactive debugging on a human readable representation of the application’s bytecode, CodeInspect aims to greatly reduce the time an analyst requires to understand and judge applications. Using CodeInspect, the engineer can debug an app in combination with the Android Open Source Project (AOSP) live, can rename (obfuscated) identifiers, jump to definitions, remove or add statements and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.

On top of the above, CodeInspect includes new code-analysis techniques that, to the best of our knowledge, do not exist in any other equivalent tool. These techniques include a fully automatic de-obfuscation of reflective method calls, string de-obfuscation, and a very precise data-flow tracking component that shows suspicious flows from sensitive sources to public sinks, all of which can easily be used in combination.

This talk is aimed at software engineers as well as security experts. For software engineers, we will demonstrate how quickly users of CodeInspect can extract data from their apps’ bytecode, showing that trying to hide secrets in the code is not secure. The goal is to sensitize developers to the risks posed by current technologies.

Security experts will learn about the current state of the art in reverse-engineering techniques and how CodeInspect saves them time and money in analyzing potentially malicious applications.

An excerpt of CodeInspect can be found on our website: http://sseblog.ec-spride.de/tools/codeinspect/

University of Darmstadt