GOTO is a vendor independent international software development conference with more that 90 top speaker and 1300 attendees. The conference cover topics such as .Net, Java, Open Source, Agile, Architecture and Design, Web, Cloud, New Languages and Processes

Presentation: "All Your Code Belongs To Us - Dismantling Android Secrets With CodeInspect"

Track: Android / Time: Tuesday 14:30 - 15:20 / Location: Christiansborg

Android malware is getting more and more sophisticated. So-called "sleeper" applications only trigger their malicious behavior after a certain time has passed or event has happened, effectively evading many dynamic analysis techniques. Other techniques include integrity checks as well as detectors for emulators, rooted devices, and hooks. If any such sign is detected, the malware refrains from its actual malicious behavior. For countering static analyses, these apps apply code encryption, packers, and code obfuscators. Together, these features render most automated analyses ineffective, leaving a manual analysis as the only viable option - a very difficult and time-consuming undertaking.
To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. With features such as interactive debugging on a human readable representation of the application’s bytecode, CodeInspect aims to greatly reduce the time an analyst requires to understand and judge applications. Using CodeInspect, the engineer can debug an app in combination with the Android Open Source Project (AOSP) live, can rename (obfuscated) identifiers, jump to definitions, remove or add statements and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.
CodeInspect also includes new code-analysis techniques that, to the best of our knowledge, are not available in any other reverse-engineering tool. These techniques include a fully-automatic de-obfuscation of reflective method calls, string de-obfuscation and a very precise data-flow tracking component that shows suspicious flows from sensitive sources to public sinks, all of which can be easily used in combination. Aside from malware, these features of CodeInspect also allow an analyst to assess the security of closed-source libraries, detect unwanted behaviors in advertisement SDKs, and check apps for security vulnerabilities such as hard-coded secrets.

This talk is aimed at Software Engineers as well as Security Experts. For Software Engineers we will demonstrate how fast users of CodeInspect can extract data from their apps’ bytecode, demonstrating that trying to hide secrets in the code is not secure. If you include keys or passwords in your app code, they are lost - even if you obfuscate them. We will also show how to easily upgrade a trial-version of an application to a full (paid) version with CodeInspect, circumventing prevalent mechanisms for in-app purchases. The goal is to sensitize developers for the risks posed by current technologies.

Download slides

Steven Arzt, Maintainer of Soot and FlowDroid open source projects, Researcher at TU Darmstadt

Steven Arzt

Biography: Steven Arzt

Steven is a researcher at TU Darmstadt and his core research topics are static and dynamic analysis of Java programs as well as applications on the Android mobile platform.

You can also see Steven's papers on his Google Scholar profile.

Steven is one of the current maintainers of the Soot open-source program analysis framework. Soot is an ideal basis for developing static analyses for Android and Java application as well as for instrumenting these apps for runtime monitoring. Furthermore, he is the maintainer of the FlowDroid static data flow tracker which is used in various research projects around the world.

Twitter: @CodeInspect