How to hack an Android app?
Disclaimer
Why?
How to hack secure an Android app
Types of attacks
- Network
- System
- Bytecode modification
- Binary code modification
Work environment
Tools
- AAPT
- ADB
- jarsigner/zipalign/Uber Apk Signer
- APKTool
- JADX/d2j-dex2jar/jd-cli
- APK Studio
- java2smali
- Charles Proxy
- IDA Pro
- Il2CppDumper
- https://hexed.it/
- https://armconverter.com/
- ...
CHARLES
APK Studio
IDA Pro
Network
How to protect your app
HTTPS?
Yes but not only
- HTTPS
- App Signature
- Rooted
- SSL Pinning
System attacks
Change time
Rooted devices
- access to the app private files
- fake stores (Lucky Patcher, Freedom, ...)
How to protect your app
- Don't trust device time for sensitive calculations
- Don't store sensitive data in the app private folders
- Asymmetric cryptography
- Check rooted devices
- Check purchases server-side
Bytecode modification
Unpack the app
Modify resources
Modify code
unlock
pro
premium
buy
if (BuildConfig.DEBUG)
purchase
What are we looking for?
Modify code
java2smali to the rescue
How to protect your app
ProGuard/R8 obfuscation
Be careful with strings
Code as badly as you can
No single point of failure
Use inline in Kotlin
Verifying App Signature
Binary code modification
Unity APK
Il2CppDumper
IDA Pro
armconverter.com
IDA Pro
How to protect your app
Be careful with strings
No single point of failure
Conclusion
How to secure an Android app?
How to discourage hackers?
How to hack an app
By Florian Paillard