Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes

Post on 22-Jan-2018



TRUESEEING: EFFECTIVE DATAFLOW ANALYSIS OVER DALVIK OPCODES

Takahiro / Ken-ya Yoshimura (@alterakey / @ad3liae)

WHO WE ARE

➤ alterakey

➤ Security Researcher

➤ iOS/Android Apps

➤ Android System

➤ Network

➤ ad3liae

➤ Security Researcher

➤ iOS Apps

➤ At Monolith Works Inc.

MOBILE APP SECURITY

➤ Attack Vectors

➤ Malicious App

➤ Malicious User

➤ Risks

➤ Vulnerabilities

➤ Unwanted Behaviors

FINDING VULNERABILITIES

➤ Static Analysis

➤ Reversing the target and deriving its behavior

➤ Reversing data flow is important

➤ Decompilers (such as JD-GUI) are essential tools

➤ Decompiling takes time

➤ Dynamic Analysis

➤ Running the target and seeing its behavior

PROBLEMS

➤ Dynamic Analysis

➤ Often unwanted :(

➤ Obfuscation

➤ Common practice

➤ Hinders decompilers

➤ What can we do?

RELATED WORKS

➤ Mixing multiple decompilers (QARK et al.)

➤ Speed: even more time

➤ Fragility

➤ Mixing alone does not answer the question, IMHO.

GO DIRECT

➤ Trueseeing

➤ Capable of

➤ Reversing data flow

➤ Loosely guessing constants/typesets/…

➤ Manifest analysis (of course)

➤ Uses no decompilers

➤ Speed

➤ Resiliency

DISASSEMBLING

➤ apktool

➤ SQLite3 DB

MARKING UP

➤ Constants

➤ Invocations

➤ Stored as tables/views

DATAFLOW TRACING (1)

➤ Call tracing

➤ Reading backwards

➤ Climbing call stacks up

DATAFLOW TRACING (2)

➤ Static trace

➤ Matching sget/sput

➤ Solving constants in sput

DATAFLOW TRACING (3)

➤ Instance trace

➤ Matching iget/iput

➤ Ignoring instance identity

➤ Solving constants in iput

REPORTING

➤ HTML: clarity

➤ gcc-style: CI
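The pipeline sketched on the preceding slides (disassemble, load into SQLite, mark constants and invocations up as views, trace backwards through registers, sget/sput and iget/iput, then emit gcc-style lines), as one added example. This is not Trueseeing's code: the smali fragment is constructed to look like apktool output for two tiny classes, the `Lcom/example/...` classes and the `CHECKS` sink list are hypothetical, and string constants containing commas are not handled.

```python
import re
import sqlite3

# Constructed smali (not a real app) standing in for apktool output; return instructions omitted.
SMALI = """
.class public Lcom/example/Config;
.method static constructor <clinit>()V
    const-string v0, "http://api.example.com/v1"
    sput-object v0, Lcom/example/Config;->URL:Ljava/lang/String;
.end method
.class public Lcom/example/Net;
.method public init()V
    const-string v2, "AES/ECB/PKCS5Padding"
    iput-object v2, p0, Lcom/example/Net;->mode:Ljava/lang/String;
.end method
.method public cipher()V
    iget-object v0, p0, Lcom/example/Net;->mode:Ljava/lang/String;
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
.end method
.method public open()V
    sget-object v1, Lcom/example/Config;->URL:Ljava/lang/String;
    move-object v3, v1
    invoke-static {v3}, Lcom/example/Net;->fetch(Ljava/lang/String;)V
.end method
"""

INVOKE = re.compile(r"\{([^}]*)\},\s*(\S+)")  # "{v0, v1}, Lpkg/Cls;->m(...)V"
# Hypothetical sinks: (invocation target substring, predicate on the solved constant, message)
CHECKS = [("Ljavax/crypto/Cipher;->getInstance(", lambda v: "/ECB" in v, "ECB mode cipher"),
          ("Lcom/example/Net;->fetch(", lambda v: v.startswith("http://"), "cleartext URL")]


def load(smali):
    """Disassembly -> SQLite: one row per Dalvik instruction, plus marked-up views."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ops(id INTEGER PRIMARY KEY, cls TEXT, method TEXT, op TEXT, args TEXT);
        CREATE VIEW consts AS SELECT id, trim(substr(args, 1, instr(args, ',') - 1)) AS reg,
            trim(substr(args, instr(args, ',') + 1), ' "') AS value FROM ops WHERE op LIKE 'const%';
        CREATE VIEW invocations AS SELECT id, cls, method, args FROM ops WHERE op LIKE 'invoke%';
    """)
    cls = method = None
    for line in smali.splitlines():
        line = line.strip()
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            method = line.split()[-1]
        elif line and not line.startswith("."):  # an instruction: "op args..."
            op, _, args = line.partition(" ")
            db.execute("INSERT INTO ops(cls, method, op, args) VALUES (?, ?, ?, ?)", (cls, method, op, args))
    return db


def solve(db, op_id, reg, depth=0):
    """Read the method backwards from op_id; return the constants that can reach `reg`."""
    if depth > 8:  # bound recursion through chains of field writes
        return set()
    cls, method = db.execute("SELECT cls, method FROM ops WHERE id = ?", (op_id,)).fetchone()
    rows = db.execute("SELECT id, op, args FROM ops WHERE cls = ? AND method = ? AND id < ? "
                      "ORDER BY id DESC", (cls, method, op_id))
    for oid, op, args in rows:
        a = [x.strip() for x in args.split(",")]  # simplification: no commas inside strings
        if a[0] != reg:  # only instructions that write `reg` matter (puts write fields, not registers)
            continue
        if op.startswith("const"):
            return {db.execute("SELECT value FROM consts WHERE id = ?", (oid,)).fetchone()[0]}
        if op.startswith("move-result"):  # value came from a call: not a constant
            return set()
        if op.startswith("move"):
            reg = a[1]  # keep walking, now looking for the source register
        elif op.startswith("sget"):  # static trace: every sput to the same field
            return solve_field(db, "sput", a[1], depth)
        elif op.startswith("iget"):  # instance trace: every iput to the field, instance identity ignored
            return solve_field(db, "iput", a[2], depth)
    return set()


def solve_field(db, put_op, field, depth):
    found = set()
    for oid, args in db.execute("SELECT id, args FROM ops WHERE op LIKE ? AND args LIKE ?",
                                (put_op + "%", "%" + field)):
        found |= solve(db, oid, args.split(",")[0].strip(), depth + 1)
    return found


def trace_calls(db, target):
    out = []  # (class:method, [sorted constants reaching each argument register])
    for oid, cls, method, args in db.execute("SELECT id, cls, method, args FROM invocations"):
        m = INVOKE.match(args)
        if m and target in m.group(2):
            regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
            out.append((f"{cls}:{method}", [sorted(solve(db, oid, r)) for r in regs]))
    return out


def report(db):
    # gcc-style one-liners for CI: <class>:<method>: warning: <message>: <value>
    return [f"{where}: warning: {msg}: {v}" for target, bad, msg in CHECKS
            for where, args in trace_calls(db, target) for v in args[0] if bad(v)]


if __name__ == "__main__":
    print("\n".join(report(load(SMALI))))
```

The two findings come out without any decompilation: the ECB mode string is written by `init()` into an instance field and read back by `cipher()`, and the cleartext URL is a static field set in `<clinit>` and copied through a `move-object` before the call. Both traces work on a per-field basis, so a field written from several places yields a set of candidate constants rather than a single value, which is the "loosely guessing" the slides describe.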

CAPABILITY

➤ Most of OWASP TOP 10 Mobile (2015)

➤ M1: Improper Platform Usage

➤ M2: Insecure Data Storage

➤ M3: Insecure Communication

➤ M4: Insecure Authentication

➤ M5: Insufficient Cryptography

➤ M6: Insecure Authorization

➤ M7: Client Code Quality Issues

➤ M8: Code Tampering

➤ M9: Reverse Engineering

➤ M10: Extraneous Functionality

FIN. 30.7.2017 Monolith Works Inc.

BRING YOUR APK!