Protecting Source Code
-
Upload
godfreynolan -
Category
Technology
-
view
5.189 -
download
0
description
Transcript of Protecting Source Code
![Page 1: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/1.jpg)
Godfrey Nolan
![Page 2: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/2.jpg)
Hear no evil, see no evil Decompiling APK demo Raising the bar
![Page 3: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/3.jpg)
Easy access to APKs APK design Nobody using obfuscation
![Page 4: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/4.jpg)
![Page 5: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/5.jpg)
![Page 6: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/6.jpg)
According to DuoSecurity Over 50% of Android phones are rootable
See Xray.io for more information Vulnerabilities
ASHMEM
Exploid
Gingerbreak
Levitator
Memoproid
etc.
![Page 7: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/7.jpg)
Logins
API keys
Credit card information Fake apps
![Page 8: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/8.jpg)
sdcard Rooting phone Download from forums
![Page 9: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/9.jpg)
![Page 10: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/10.jpg)
Obfuscation Android NDK SQLCipher for SQLite Google Closure for JavaScript in HTML5/CSS Don’t use keys - login each time Break tools
Dex2Jar and Baksmali
Google Encryption in Jelly Bean (RIP) Hide key info elsewhere (see resources)
![Page 11: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/11.jpg)
![Page 12: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/12.jpg)
Obfuscation Theory
Layout
Control
Data
![Page 13: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/13.jpg)
Obfuscation Type Classification Transformation
Layout Scramble identifiers.
Control Computations Insert dead or irrelevant code.
Extend a loop condition.
Reducible to non-reducible.
Add redundant operands.
Remove programming idioms.
Parallelize code.
Aggregations Inline and outline methods.
Interleave methods.
Clone methods.
Loop transformations.
Ordering Reorder statements.
Reorder loops.
Reorder expressions.
Data Storage and encoding Change encoding.
Split variables.
Convert static data to procedural data.
Aggregation Merge scalar variables.
Factor a class.
Insert a bogus class.
Refactor a class.
Split an array.
Merge arrays.
Fold an array.
Flatten an array.
Ordering Reorder methods and instance variables.
Reorder arrays.
![Page 14: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/14.jpg)
Obfuscators
ProGuard and DexGuard
DashO
![Page 15: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/15.jpg)
![Page 16: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/16.jpg)
Application size Performance Remove logging, debugging, testing code Protection
![Page 17: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/17.jpg)
At the bytecode level
Dead code elimination
Constant propagation
Method Inlining
Class Merging
Remove logging code
Peephole optimizations
Devirtualization
![Page 18: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/18.jpg)
Nothing is unbreakable, you can raise the bar:
Reflection
String encryption
Class encryption
Tamper detection
Debug detection
Emulator detection
![Page 19: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/19.jpg)
![Page 20: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/20.jpg)
![Page 21: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/21.jpg)
Bug fixing Unit testing Obfuscation = defactoring
![Page 22: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/22.jpg)
WordPress
ProGuard & DexGuard
DashO
HoseDex2Jar
NDK
![Page 23: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/23.jpg)
DexToXML DexToSource Giveaway
What does Dex stand for?
![Page 24: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/24.jpg)
http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf https://www.pcisecuritystandards.org/security_standards/documents.php?document=mobile_payment_security_guidelines1 http://xray.io http://www.netmite.com/android/mydroid/dalvik/docs/dalvik-bytecode.html http://source.android.com/tech/dalvik/dex-format.html http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html http://www.saikoa.com/dexguard http://www.preemptive.com/products/dasho/overview http://android.wordpress.org/development/ http://selinuxproject.org/page/SEAndroid
![Page 25: Protecting Source Code](https://reader033.fdocuments.us/reader033/viewer/2022052303/554be5feb4c9056b348b4a4a/html5/thumbnails/25.jpg)
http://www.decompilingandroid.com @decompiling [email protected] http://www.riis.com