Android apk security note

tgdf15-share.md

Decompile -> Analytic -> Pack -> Sign

Tools

• apktool
• dex2jar
• jd-gui
• ilspy
• ildasm
• SignAPK
• Charles

apktool

>>setup for mac

apktool d xxx.apk
apktool b xxx

ilspy && MonoDevelop

assets/bin/data/Managed/Assemvly-CSharp.dll
assets/bin/data/Managed/Assemvly-UnityScript.dll

ildasm

>>decompile il

ilasm /dll xxx.il /resource=xxx.res

dex2jar & jd-gui

classes.dex -> Smali (dalvik)

1. from classes.dex to classes_dex2jar.jar

   dex2jar classes.dex

2. jd-gui viewer

• dex2jar official site
• jd-gui official site

signapk

>>signapk official

1. remove /META-INF

2. sign

   java -jar signapk.jar certificate.pem key.pk8 xxx.apk xxx_Signed.apk

Ref: how-to-sign-apk-zip-files

Mobile APP Reverse

• Assets Hack (China)
  • Unzip > Modify > remove /META-INF > SignAPK
• Unity Hack
  • ilSpy & ildasm
• Packets Hack
  • dex2jar > apktool d > smali > apktool b > signapk
• Charles Proxy + WireShark

Defense

• ProGuard for java
• obfuscar for C#
• eazfuscator for C#
• md5 checksum
• update sensitive data every time
• no HTTP request

Ref:

• Protecting your Android content - Unite Korean 2013
• Unity Security - GStar 2013