Tuesday 6th October, 2015
2:30pm to 3:20pm
Android malware is getting more and more sophisticated. So-called "sleeper" applications only trigger their malicious behavior after a certain time has passed or event has happened, effectively evading many dynamic analysis techniques. Other techniques include integrity checks as well as detectors for emulators, rooted devices, and hooks. If any such sign is detected, the malware refrains from its actual malicious behavior. For countering static analyses, these apps apply code encryption, packers, and code obfuscators. Together, these features render most automated analyses ineffective, leaving a manual analysis as the only viable option - a very difficult and time-consuming undertaking.
To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. With features such as interactive debugging on a human readable representation of the application’s bytecode, CodeInspect aims to greatly reduce the time an analyst requires to understand and judge applications. Using CodeInspect, the engineer can debug an app in combination with the Android Open Source Project (AOSP) live, can rename (obfuscated) identifiers, jump to definitions, remove or add statements and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.
CodeInspect also includes new code-analysis techniques that, to the best of our knowledge, are not available in any other reverse-engineering tool. These techniques include a fully-automatic de-obfuscation of reflective method calls, string de-obfuscation and a very precise data-flow tracking component that shows suspicious flows from sensitive sources to public sinks, all of which can be easily used in combination. Aside from malware, these features of CodeInspect also allow an analyst to assess the security of closed-source libraries, detect unwanted behaviors in advertisement SDKs, and check apps for security vulnerabilities such as hard-coded secrets.
This talk is aimed at Software Engineers as well as Security Experts. For Software Engineers we will demonstrate how fast users of CodeInspect can extract data from their apps’ bytecode, demonstrating that trying to hide secrets in the code is not secure. If you include keys or passwords in your app code, they are lost - even if you obfuscate them. We will also show how to easily upgrade a trial-version of an application to a full (paid) version with CodeInspect, circumventing prevalent mechanisms for in-app purchases. The goal is to sensitize developers for the risks posed by current technologies.
Maintainer of Soot and FlowDroid open source projects, Researcher at TU Darmstadt
Sign in to add slides, notes or videos to this session