I’ve got way too many emails from this blog, but one has caught my attention: a reader has asked me for advice on Android native code obfuscation, in the same line as previous posts. It’s pretty clear that ProGuard is an excellent solution for the main language of the Android platform, Java, but there is no clear alternative for native development in C/C++ with ARM binaries.

The best way to frame this question is to start by defining the tools that Mallory, our evil cracker, would prefer for decompiling/disassembling the binary code. Many tools have existed over the years to decompile C code (REC, DCC), Hex-Rays being the latest and most powerful one ever, so it would be the first in her tool chest. Having fixed the chosen scalpel, the most effective countermeasure against it, and against any decompiler, is self-modifying/metamorphic code, since it breaks their over-reliance on static binary analysis. The downside is that it’s very difficult to create good, reliable self-modifying/metamorphic code, especially in these times in which almost everyone abhors assembly programming, so encrypting most parts of the binary and decrypting them at program load time is a realistic substitute, much like UPX does (but no, UPX itself is no protection at all).

Most people would recommend following the conventional route of code obfuscation (Mangle-It, Stunnix C/C++ Obfuscator, COBF, Thicket), but there are also some very creative approaches, e.g.: use the LLVM compiler infrastructure with the C back-end to produce an intermediate C representation, to be recompiled with gcc; or my favourite one, use a virtual machine like Oreans or Python for the most critical parts of the program.

For the sake of completeness, there have also been some very interesting papers on cryptographically-aided obfuscation, my favourite being the following one:


And remember, enabling full compiler optimizations will always help!


I get more than a hundred visits a day to my iPhone Decompilation & Obfuscation post, which is why writing an Android equivalent and comparing the results between them will be so interesting for assessing platform demand from developers.

To decompile an Android .apk file, follow these steps:

  1. Download the app from the Android Market to your smartphone and back up the app with a tool like Titanium to get the .apk file
  2. Next, use apktool to recover the project file structure and resources
  3. Then, use dex2jar to obtain the .class files from the .dex files
  4. After that, use jd-gui or JAD to decompile the .class files
  5. Most bytecode won’t decompile perfectly and some routines will be hard to reconstruct from the bytecode: get ready to read the disassembled bytecode produced by smali

To obfuscate/protect your application, consider following these steps:

  • ProGuard is the most complete and useful tool to obfuscate applications, but you must use it with the following configuration file to avoid any problems. Note that ProGuard is bundled with the SDK from Android 2.3 onwards
  • Use LVL for your paid applications, but remember that it has already been broken.
  • Lastly, consider using the Android NDK for the most critical code. Writing JNI code is a really cumbersome and error-prone process, which is why using specialized tools is essential to avoid errors and speed up development: to interface C libraries with Java, try SWIG and GlueGen; in reverse, to interface Java with C, try HawtJNI. It’s a pity that the Integrated Debugger for Java/JNI Environments is only available for the Apache Harmony JVM, as it really helps in the difficult Java/JNI debugging process.
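The author’s own ProGuard configuration file is not reproduced on this page. As an added example (written for this post, not taken from it), the following is a minimal configuration of the kind the Android 2.3-era SDK shipped with, covering the two points raised above: keeping the framework-instantiated components and, for apps using the NDK, keeping the names of classes and methods that JNI resolves by name. It assumes an app that declares `native` methods and uses the standard Android components.

```proguard
# Added example configuration, not the author's file. Assumes an Android app
# built with the SDK-bundled ProGuard (2.3+) that also uses JNI native methods.
-optimizationpasses 5
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontpreverify
-verbose
-optimizations !code/simplification/arithmetic,!field/*,!class/merging/*

# The framework instantiates these components by the names in the manifest,
# so renaming them would break the app at runtime.
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider
-keep public class * extends android.app.backup.BackupAgentHelper
-keep public class * extends android.preference.Preference

# JNI links Java_<package>_<class>_<method> symbols in the .so by name:
# obfuscating either the class or the method name breaks the native lookup.
-keepclasseswithmembernames class * {
    native <methods>;
}

# Custom views are inflated from layout XML via these constructor signatures.
-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet);
}
-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet, int);
}

# android:onClick="..." handlers in layouts are resolved reflectively.
-keepclassmembers class * extends android.app.Activity {
    public void *(android.view.View);
}

# Enum values()/valueOf() and Parcelable.CREATOR are accessed by reflection.
-keepclassmembers enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);
}
-keep class * implements android.os.Parcelable {
    public static final android.os.Parcelable$Creator *;
}
```

Everything not matched by a -keep rule is renamed and shrunk, so the JNI rule is the one to double-check after a build: a mismatch shows up as an UnsatisfiedLinkError when the native method is first called.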

As a final note, the results from the superb paper “On the (Im)Possibility of Obfuscating Programs” will always tame our aspirations in the obfuscation enterprise:



BOM (Bill of Materials) for Mobile Phones

The mobile industry is not like the PC industry, populated by manufacturers that are just assemblers of the various components (memory, CPU, HD, …). In the mobile industry, the most vertically integrated mobile manufacturer is Samsung, a market leader in displays, memory and CPUs for mobile phones that also sells its quality components to other OEMs and ODMs (Apple To Buy Components Worth $7.8 Bln From Samsung Electronics This Year).

As shown in the graph above of a typical bill of materials of a mobile phone, those parts are the costliest and most important parts of a mobile phone: from this point of view, Samsung looks like a vertical mainframe manufacturer from the 60s-70s, but with much of its software developed by an external provider (Android). So not only do they have an obvious cost advantage on the low end of the smartphone market, they are also the leaders in managing component droughts and bullwhip effects, which are very profit-destroying in the mobile industry. Finally, note that the first reason Nokia has decided to go Microsoft’s route is to differentiate enough from the Android offerings of Samsung, the second biggest mobile manufacturer after Nokia.

  • DynJava. Java dynamic scripting interpreter engine. Gives you runtime access to all protected and private methods and fields of all running applications, and executes arbitrary Java code with all permissions.
  • AndroidShell. You can invoke any Android APIs from PC and see the execution result immediately.
  • aLogCat. View color-coded, scrolling (tailed) Android device (logcat) logs directly from your phone. No USB, adb, or emailing necessary.
  • adbWireless. adbWireless enables wireless ADB connections, so you can connect to the phone as if it were connected by USB.
  • Titanium Backup. Backup, restore, freeze your apps + data + Market links, even protected apps.
  • Android Scripting Environment. Scripting Layer for Android (SL4A) brings scripting languages to Android by allowing you to edit and execute scripts and interactive interpreters directly on the Android device. These scripts have access to many of the APIs available to full-fledged Android applications, but with a greatly simplified interface that makes it easy to get things done.
  • touchqode. View and edit source code on an Android phone. Touchqode is a true mobile code editor that comes with syntax highlighting, autocomplete and other features found in a desktop IDE. It supports Java, HTML, JavaScript, Python, C++, C#, Ruby and PHP.
  • aGrep. aGrep is an open-source text search program, like “grep”.