We have covered reverse engineering Android apps on our blog before, but our latest discussion goes beyond the 101 level, featuring the expertise of Corellium researcher Steven Smiley. In a recent webinar, Steven gave us a better understanding of the nuances of reverse engineering on Android devices, as well as a case study that sheds light on how reverse engineering unfolds in practice. Watch the webinar on-demand here, and read on for the top highlights.
What Is Reverse Engineering?
Reverse engineering is the process of breaking something down to understand how it works. Reverse engineering Android apps typically involves deconstructing, analyzing, or observing the compiled application components to understand their underlying functionalities. In mobile app use cases specifically, we are looking at the code and figuring out exactly what it is doing, searching for vulnerable sections and blocks, and identifying exploits and hard-coded secrets.
Static reverse engineering
Static reverse engineering is the process of examining and modifying the application's local files and searching for hard-coded values such as email addresses, usernames, passwords, API keys, and other data. These values could be potential entry points for unauthorized access or data breaches. The modification process works by decompiling the application, modifying the code, patching the relevant check out, and repackaging the application, for example to bypass root detection without using any other scripts or frameworks.
Dynamic reverse engineering
Dynamic reverse engineering works by decompiling the application, looking at the code, finding vulnerable sections, and then building custom scripts designed to decrypt data or bypass certain components or parts of an application.
Note: Decompilation is the process of reversing a compiled application back into its original source code form. In mobile security research, decompilation can help researchers analyze code logic, pinpoint vulnerable sections and weak authentication mechanisms, and identify instances where sensitive information is stored or transmitted insecurely.
How Is Reverse Engineering Used in the Mobile Security Research and Development Process?
When we take an application through reverse engineering, we get a better understanding of the application, how it’s working, how the system is running, and how data is being processed. The key here is to look for those hard coded values and find a path toward exploiting the application. This will allow us to gain further insight to build additional custom scripts for applications that have been tested multiple times and where it might be harder to find vulnerabilities.
For Android reverse engineering specifically, unzipping the APK (Android Package Kit) file can uncover application misconfigurations and hardcoded values, or at a minimum give a better understanding of the application and a path forward to exploitation. The Android manifest also holds great information, including the package name, activities, URL schemes, resources, and permissions. This data is a great starting point for identifying application components that can potentially be modified, along with areas of the application that are vulnerable to more advanced attacks.
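The manifest triage described above, as an added example (this is not Corellium's code or a tool from the webinar). It parses a decoded AndroidManifest.xml in the text form that apktool or JADX produce and pulls out the items the paragraph names: package name, permissions, URL schemes, exported components and a few risky application flags. The manifest, package name and component names below are constructed for the example; the exported-by-default rule for components that carry an intent-filter is the pre-API-31 Android behaviour.

```python
"""Triage a decoded AndroidManifest.xml for the items worth looking at first.

Added example; the sample manifest and its package/component names are
constructed for illustration and do not come from any real application.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample in the decoded (text XML) form apktool/JADX output.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cafe">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".BlogActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="cafe" android:host="blog"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Explicit android:exported wins; otherwise a component that declares an
    intent-filter is exported by default (pre-API-31 rule)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def triage_manifest(xml_text):
    """Return the manifest facts a reverse engineer starts from."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    result = {
        "package": root.get("package"),
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        "url_schemes": [],          # (component, scheme) pairs
        "exported_components": [],  # (tag, component) reachable from other apps
        "flags": [],                # application-level settings worth a second look
    }
    for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if attr(app, flag) == "true":
            result["flags"].append(flag)
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = attr(comp, "name")
            for data in comp.iter("data"):
                scheme = attr(data, "scheme")
                if scheme:
                    result["url_schemes"].append((name, scheme))
            if is_exported(comp):
                result["exported_components"].append((tag, name))
    return result


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Exported components with URL schemes are the entry points to check first, and the three application flags are the misconfigurations that most often turn up in a first pass over a manifest.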
Tools for reverse engineering
While we are on the subject of tools, let’s take a closer look at some Android testing tools that might be useful in discovering new exploits.
JADX is a DEX to Java decompiler that assists in converting Android application code into more human-readable Java source code. It is a valuable tool for decoding and rebuilding APK files, decompiling applications, examining local code, patching binaries, and subsequently reconstructing them.
Radare2 is a reverse engineering tool that allows you to search within the binary and potentially patch it out. It is a great tool for navigating application pathways through obfuscated code.
Frida allows you to take what you’ve discovered through reverse engineering and then build scripts or use scripts that are available online to exploit the application you are working on.
Reverse engineering can also be employed for mobile threat research. By using the tools discussed to decompile and analyze the code of mobile applications, researchers can get a better grasp of their inner workings, identify malicious behavior, and find the security controls that have been implemented and may need to be bypassed, such as:
Rootkits and backdoors: Reverse engineering can uncover rootkit components that hide the presence of malicious actors; finding them prevents those actors from remotely executing files and changing system configurations.
Tamper proofing: Tamper proofing can involve obfuscation techniques that transform the source code and make it hard to reverse engineer.
Certificate Pinning: Reverse engineers need to understand how certificate pinning is implemented and either patch the binary or create a script to bypass the control.
Corellium Café Case Study
Corellium Café is a fictitious coffee shop application where users can purchase beverages. The application itself was developed in an insecure manner to showcase how reverse engineering, static analysis, and misconfigurations could be used on a vulnerable app.
In the webinar, we explored how the app's blog component could be exploited through a Frida script, along with its root detection.
The application was decompiled with JADX to get a closer look at the code. Two things were noted about how the WebView could be manipulated:
Load URL with a string: after reverse engineering, a script can be created to replace the hardcoded URL string with one of your choosing.
In the second scenario, the script loads the URL via the string using a customized script that includes a variable we have added, and manipulates the code to do what we want it to do.
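The static side of both the hard-coded-values search described under static reverse engineering and the WebView loadUrl observation in this case study, as an added example (not Corellium's code and not the Corellium Café source). It scans decompiled Java text of the kind JADX emits for hard-coded credentials, email addresses and cleartext URLs, then looks at each loadUrl call to report whether it loads a fixed string constant or a value built at runtime, the two situations the case study distinguishes. The Java snippet, its class name, key and addresses are constructed for the example.

```python
"""Triage decompiled Java source for hard-coded values and WebView URL loading.

Added example; SAMPLE_SOURCE is a constructed snippet in the style of JADX
output, not code from any real application.
"""
import re

SAMPLE_SOURCE = """
package com.example.cafe;

public class BlogActivity extends Activity {
    private static final String BLOG_URL = "http://blog.example.test/posts";
    private static final String API_KEY = "sk_live_EXAMPLEKEY1234567890abcdef";
    private static final String SUPPORT = "support@example.test";

    public void onCreate(Bundle b) {
        WebView wv = (WebView) findViewById(R.id.web);
        wv.getSettings().setJavaScriptEnabled(true);
        wv.loadUrl(BLOG_URL);
        wv.loadUrl("https://blog.example.test/" + getIntent().getStringExtra("page"));
    }
}
"""

# String constants of the form: String NAME = "value";
STRING_CONST = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Everything between loadUrl( and the closing ); of that statement.
LOADURL = re.compile(r"\.loadUrl\(([^;]*)\);")
SECRET_NAME = re.compile(r"(key|secret|token|passw|pwd|cred)", re.I)


def scan_source(src):
    """Return (category, detail) findings in source order of discovery."""
    consts = dict(STRING_CONST.findall(src))
    findings = []
    for name, value in consts.items():
        # A credential-looking constant name holding a non-trivial literal.
        if SECRET_NAME.search(name) and len(value) >= 8:
            findings.append(("hardcoded-secret", f"{name} = {value!r}"))
        if value.startswith("http://"):
            findings.append(("cleartext-url", f"{name} = {value!r}"))
    for email in sorted(set(EMAIL.findall(src))):
        findings.append(("hardcoded-email", email))
    if "setJavaScriptEnabled(true)" in src:
        findings.append(("webview-js-enabled", "setJavaScriptEnabled(true)"))
    for arg in LOADURL.findall(src):
        arg = arg.strip()
        if arg in consts:
            # Fixed target: the string constant a patch or hook would replace.
            findings.append(("webview-fixed-url", f"loadUrl({arg}) -> {consts[arg]!r}"))
        elif arg.startswith('"') and arg.endswith('"'):
            findings.append(("webview-fixed-url", f"loadUrl({arg})"))
        else:
            # Built at runtime: the place an allowlist check on the URL belongs.
            findings.append(("webview-dynamic-url", f"loadUrl({arg})"))
    return findings


if __name__ == "__main__":
    for category, detail in scan_source(SAMPLE_SOURCE):
        print(f"[{category}] {detail}")
```

The fixed-URL finding is the constant the case study talks about replacing; the dynamic-URL finding is where the app should be validating the value before the WebView loads it, and the secret and cleartext findings are the hard-coded values static reverse engineering sets out to locate.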