How to hack an Android app?

Disclaimer

Why?

How to hack secure an Android app

Type of attacks

  • Network
  • System
  • Bytecode modification
  • Binary code modification

Work environment

Tools

  • AAPT
  • ​ADB
  • jarsigner/zipalign/Uber Apk Signer
  • APKTool
  • JADX/d2j-dex2jar/jd-cli
  • APK Studio
  • java2smali
  • charlesproxy
  • IDA Pro
  • Il2CppDumper
  • https://hexed.it/
  • https://armconverter.com/
  • ...

CHARLES

APK Studio

IDA Pro

Network

How to protect your app

HTTPS ?

Yes but not only

  • Https
  • App Signature
  • Rooted
  • SSL Pinning

System attacks

Change time

Rooted devices

  • access to the app private files
  • fake stores (Lucky Patcher, Freedom, ...)

How to protect your app

  • Don't trust device time for sensitive calculation
  • Don't store sensitive data in the app private folders
  • Asymmetric cryptography
  • Check rooted devices
  • Check purchase server side

Bytecode modification

Unpack the app

Modify ressources

Modify code

unlock

pro

premium

buy

if (BuildConfig.DEBUG)

purchase

What are we looking for ?

Modify code

Modify code

Modify code

java2smali to the rescue

How to protect your app

Proguard/R8 obfuscation

Be careful with string

Code as badly as you can

No single point of faillure

Use inline in kotlin

Verifying App Signature

Binary code modification

Unity APK

Il2CppDumper

IDA Pro

armconverter.com

IDA Pro

How to protect your app

Be careful with string
No single point of faillure

Conclusion

How to secure an Android app?

How to discourage hackers?

How to hack an app

By Florian Paillard

Made with Slides.com

How to hack an app

  • 92

More from Florian Paillard