We have covered reverse engineering Android apps on our blog before, but our latest discussion goes beyond the 101 level, featuring the expertise of Corellium researcher Steven Smiley. In a recent webinar, Steven walked us through the nuances of reverse engineering on Android devices and presented a case study that sheds light on how reverse engineering unfolds in practice. Watch the webinar on demand here, and read on for the top highlights.
Reverse engineering is the process of breaking something down to understand how it works. Reverse engineering Android apps typically involves deconstructing, analyzing, or observing the compiled application components to understand their underlying functionalities. In mobile app use cases specifically, we are looking at the code and figuring out exactly what it is doing, searching for vulnerable sections and blocks, and identifying exploits and hard-coded secrets.
Static reverse engineering is the process of modifying local files and searching for hard-coded values such as email addresses, usernames, passwords, API keys, and other data. These values could be potential entry points for unauthorized access or data breaches. The modification process works by decompiling the application, modifying the code, patching out the relevant check, and repackaging the application in order to bypass root detection without using any other scripts or frameworks.
Dynamic reverse engineering works by decompiling the application, looking at the code, finding vulnerable sections, and then building custom scripts designed to decrypt data or bypass certain components or parts of an application.
Note: Decompilation is the process of reversing a compiled application back into its original source code form. In mobile security research, decompilation can help researchers analyze code logic, pinpoint vulnerable sections and weak authentication mechanisms, and identify instances where sensitive information is stored or transmitted insecurely.
When we take an application through reverse engineering, we get a better understanding of the application: how it works, how the system runs, and how data is processed. The key here is to look for those hard-coded values and find a path toward exploiting the application. This insight also helps in building additional custom scripts for applications that have already been tested multiple times, where mobile vulnerabilities are harder to find.
For Android reverse engineering specifically, unzipping the APK (Android Package Kit) file can uncover application misconfigurations and hard-coded values, or at a minimum provide a better understanding of the application and a path forward to exploitation. The Android “manifest” also holds valuable information, including the package name, activities, URL schemes, resources, and permissions. This data is a great starting point for identifying application components that can potentially be modified, along with areas of the application that are vulnerable to more advanced attacks.
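As an added example (not code from the webinar or from Corellium), the manifest triage described above, run over a constructed manifest in the decoded text form JADX or apktool produces. It pulls out the package name, requested permissions, the debuggable flag, components reachable from other apps, and any custom URL schemes, which is the starting inventory a reviewer wants before touching the code. The package name, activities and scheme are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest, as it looks after decoding with JADX or apktool;
# the package name and components are hypothetical, not a real app's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cafe">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:debuggable="true">
        <activity android:name=".MainActivity" android:exported="true"/>
        <activity android:name=".BlogActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="cafe" android:host="blog"/>
            </intent-filter>
        </activity>
        <activity android:name=".SettingsActivity" android:exported="false"/>
    </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Summarize the entry points and risky settings the manifest declares."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    summary = {
        "package": root.get("package"),
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        "debuggable": attr(app, "debuggable") == "true",
        "exported": [],     # components other apps can start directly
        "url_schemes": {},  # custom scheme -> component that handles it
    }
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = attr(comp, "exported")
        # Before Android 12, a component with an intent-filter is exported by default.
        if exported == "true" or (exported is None and comp.find("intent-filter") is not None):
            summary["exported"].append(attr(comp, "name"))
        for data in comp.iter("data"):
            if attr(data, "scheme"):
                summary["url_schemes"][attr(data, "scheme")] = attr(comp, "name")
    return summary
```

Calling `triage_manifest(SAMPLE_MANIFEST)` flags the debuggable build, both exported activities, and the `cafe://` scheme routed to `.BlogActivity`; a real APK's manifest must be decoded from binary XML first, since the raw file inside the APK is not plain text.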
Let’s take a closer look at some Android testing tools that might be useful in discovering new exploits.
JADX is a DEX-to-Java decompiler that converts Android application code into more human-readable Java source code. It is a valuable tool for decoding and rebuilding APK files, decompiling applications, examining local code, patching binaries, and subsequently reconstructing them.
Radare2 is a reverse engineering tool that allows you to search within the binary and potentially patch it out. It is a great tool for navigating application pathways through obfuscated code.
Frida allows you to take what you’ve discovered through reverse engineering and then build scripts or use scripts that are available online to exploit the application you are working on.
Reverse engineering can be employed for mobile threat research. By using the tools discussed to decompile and analyze the code of mobile applications, researchers can get a better grasp of their inner workings and identify malicious behavior, as well as the security controls that are in place and would need to be bypassed, such as:
Corellium Café is a fictitious coffee shop application where users can purchase beverages. The application itself was developed in an insecure manner to showcase how reverse engineering, static analysis, and misconfigurations could be used on a vulnerable app.
In the webinar, we explored how the blog component functionality of the app could be exploited through a Frida script and root detection.
The Corellium Café application was decompiled using JADX to get a better look at its code. In order to manipulate the web view, two things were noted:
In the second scenario, the customized script, which includes the variable we added, loads the URL from that string and manipulates the code to do what we want it to do.
Be sure to check out the full webinar on demand for more examples of static and dynamic reverse engineering using a slew of other tools at your disposal on Corellium’s virtual hardware platform.
Equip your security teams with unprecedented tools for both manual and automated testing, freeing up valuable engineering time and saving money. Discover the power of Corellium’s high-fidelity virtual devices and spin up near-limitless combinations of device and OS with one-click jailbreak/root access. Book a meeting today to see how we can streamline your processes and reduce costs.