It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles. – Sun Tzu
With the pressure for every company to have an app (or two, or three) in both iTunes and Google Play, the pressure is on both security teams and development teams to make sure those apps are secure. If you’ve ever read viaForensic’s 42+ Secure Mobile Development Best Practices paper, you know that Android app developers are at a disadvantage. Simply put, it’s harder for a developer to secure an Android app than an iOS app.
If you have an app available for download from Google Play, an attacker (or security researcher) can download that app and take it apart with relative ease. Maybe the attacker is looking for a tidbit they can use to gain a foothold in your organization, analyzing the app as a form of passive reconnaissance (i.e., never touching the systems you’re monitoring with your SIEM). Or maybe the attacker wants to develop a competitive app, and s/he has no problem with stealing your source code to get a “head start.”
Whatever the reason, the simple truth is this: if you have an app in Google Play, you need to make sure you’ve taken the appropriate steps to protect that app.
How easy is it to decompile an Android app? If you have an Android tablet and a Windows laptop with the right tools installed, it takes all of 10 minutes (if that). Here’s how:
- Install Apk Extractor on your Android device
- Download your target app from Google Play
- Run APK Extractor to send the .apk file to your laptop
- Download the Android SDK (Eclipse/ADT) and unzip
- Download dex2jar and unzip
- Download JD_GUI and unzip
- In Eclipse/ADT, click File > New > Java Project
- Name your project, then click Next > Finish
- Right click on your project, then click Build Path > Configure Build Path
- On the Libraries tab, Select Add External Jars, browse to your unzipped dex2jarlib directory, select all the .jar files, and click Open > OK
- Drag your .apk file into the Eclipse/ADT project (choose Copy Files > OK)
- Right click on your project, then click Run As > Run Configurations
- Right click on Java Application, then click New
- Set Project to the same name you assigned to your project
- Set Main class to com.googlecode.dex2jar.v3.Main
- Go to the Arguments tab, and type the name of the .apk file in the Program arguments field
- Click Run (will create a new .jar file in your project workspace directory)
- Minimize Eclipse/ADT and go to your project workspace directory (if not sure, right click Project > Properties > Resource > Location)
- Run jd-gui.exe
- In jd-gui, click File > Open, and point to the .jar file created in your Eclipse/ADT workspace directory
- Boom. Source code.
If the process is so simple that a script kiddie can do it, then that should be an indicator that you need to take the necessary steps to secure your code. One technique you can (and should) apply is code complexity and obfuscation. This includes:
- Anti-debug techniques
- Restricting debuggers
- Trace checking
- Stripping binaries
You should also consider using tools like ProGuard and DexGuard. Otherwise, some security researcher is likely to download your app, tear it apart, and publish an article about how weak your app is when it comes to app security.
If you want a little more info on how to integrate appsec into your mobile appdev process, check this out.