Application and Defence in Android
According to the structure of an Android application, an attacker can tamper with the application by changing its apk/dex file or the memory that file is mapped into. The two methods differ in when the change is made: the static method changes the application while it is not running, for example by modifying the installation package, while the dynamic method changes it while it is running, by altering the executable Dalvik bytecode in memory.

A. Static Method
This method changes the application's executable files, that is the dex and/or apk files, either before or after installation. Before installation the package file (the apk) is changed; after installation the corresponding dex file in the dalvik-cache directory on the target device must be changed. The first kind of change can be carried out on a PC. The principle of this method is that, after the code has been changed, the checksum is recomputed and the file is re-signed so that Android does not detect the modification. The main steps are:
1. Analyse the apk and dex file and locate the attack point.
2. Change the code.
3. Recompute the checksum and write it back to the file.
4. If the file is an apk, re-sign it.
Many tools are available for analysing apk/dex files, such as dedexer or IDA Pro; even a binary file editor such as UltraEdit can be used to change the target file. Another important problem is how to locate the attack point. A feasible solution is to observe a characteristic of the running application, such as a particular string, locate that string in the file, read the corresponding code near it, and so find the attack point. Finally, when re-signing the apk, a public signing key can be used.

B. Dynamic Method
The dynamic method changes the memory-mapped dex file while the application is running. In the Android system, the Dalvik instruction set itself cannot modify the application's executable code.
A native library is used instead, because the native library runs with the same permissions as the Dalvik virtual machine. The principle of this method is to use the native library to access the memory holding the application's Dalvik executable code and change the bytecode there. First the attack point must be located. According to the mapping procedure of the dex file, once the file has been mapped into memory the head of the mapped region carries the dex magic bytes; by searching for these magic bytes from the start of the application's memory, the native library locates the dex header. The memory is then parsed according to the dex file format to obtain the base address and offset of every component, and finally the locations of the classes and strings. From there the attack point is located in the same way as in the static method. After the attack point has been located, the memory must be made writable, because its original attribute is read-only; this is done with the mprotect function. After that the target code can be changed, and when the Dalvik virtual machine next calls the function, the changed code is executed.

Protection Method
The static method changes the dex or apk file, so computing the current file's hash value and comparing it with the hash value of the original file detects whether the file has been tampered with. This is the general detection method. It is very effective; its defect is that it requires the original hash value, which in some situations is hard to obtain. The dynamic method changes the executable bytecode through a native library at run time, so the same method can be used to detect it: compute the original hash value when the dex file is first mapped into memory, then compute the hash of that memory region while the application runs. If the two differ, the memory has been changed.
The defect of this detection method is that it is hard to decide when to run the check, because the detection procedure consumes system resources while a mobile device's computing resources are limited. Another method is to hook critical system functions such as mprotect: when the application calls this function, the system analyses the context, and if the call is suspicious it alerts the user or stops the application directly. A common way to protect against this kind of attack is to obfuscate the apk file so that the attack point is hard to locate; if the attack point cannot be found, no effective attack can take place. One way is to add a shell (packer) around the file, which obscures the bytecode so that the file's structure is no longer in the well-known format, or to encrypt the file and decrypt it while loading. But some of these protections have the weakness that they cannot protect the mapped memory, so they cannot resist the dynamic attack. Another way is to write the critical code in C/C++ and build it as a native library. A native library is harder to tamper with, and applying obfuscation to it makes it harder still.
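The hash-based detection described above, for both the static case (file on disk) and the dynamic case (mapped region), as an added example that is not code from the paper. It parses a constructed dex header, verifies the adler32 checksum and SHA-1 signature that a static patcher recomputes in step 3, and shows that only a comparison against an original hash taken at first load detects the re-sealed file. The function names, the sample body and the one-byte patch are constructed for the demonstration; a real check would run over the dex file or the memory region it is mapped into.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"                  # 8-byte magic at the start of a dex file
CHECKSUM_OFF, SIGNATURE_OFF, FILE_SIZE_OFF = 8, 12, 32
HEADER_SIZE = 0x70                         # fixed dex header size


def seal_dex(body: bytes) -> bytes:
    """Build a constructed (not loadable) dex image: header + body, with the
    SHA-1 signature and adler32 checksum filled in as the dex format defines."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC
    struct.pack_into("<I", hdr, FILE_SIZE_OFF, HEADER_SIZE + len(body))
    struct.pack_into("<I", hdr, 36, HEADER_SIZE)      # header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)       # endian_tag
    image = bytes(hdr) + body
    sig = hashlib.sha1(image[SIGNATURE_OFF + 20:]).digest()      # covers all bytes after signature
    image = image[:SIGNATURE_OFF] + sig + image[SIGNATURE_OFF + 20:]
    adler = zlib.adler32(image[CHECKSUM_OFF + 4:]) & 0xFFFFFFFF  # covers all bytes after checksum
    return image[:CHECKSUM_OFF] + struct.pack("<I", adler) + image[CHECKSUM_OFF + 4:]


def self_check(image: bytes) -> bool:
    """Checks the dex format carries itself (magic, checksum, signature). A patch
    that recomputes both fields passes it, which is why this alone is not enough."""
    if image[:8] != DEX_MAGIC:
        return False
    (checksum,) = struct.unpack_from("<I", image, CHECKSUM_OFF)
    if checksum != (zlib.adler32(image[CHECKSUM_OFF + 4:]) & 0xFFFFFFFF):
        return False
    return image[SIGNATURE_OFF:SIGNATURE_OFF + 20] == hashlib.sha1(image[SIGNATURE_OFF + 20:]).digest()


def baseline(image: bytes) -> str:
    """Hash recorded when the dex is first mapped (or shipped with the app)."""
    return hashlib.sha256(image).hexdigest()


def tampered(image: bytes, base: str) -> bool:
    """The paper's detection: the current hash differs from the original one."""
    return baseline(image) != base


# Constructed sample: original image and its baseline, a naively patched copy
# (one code byte flipped, checksum not recomputed) and a re-sealed patched copy.
ORIGINAL = seal_dex(b"constructed bytecode " * 8)
BASE = baseline(ORIGINAL)
PATCHED_NAIVE = ORIGINAL[:HEADER_SIZE + 3] + bytes([ORIGINAL[HEADER_SIZE + 3] ^ 0xFF]) + ORIGINAL[HEADER_SIZE + 4:]
PATCHED_RESEALED = seal_dex(PATCHED_NAIVE[HEADER_SIZE:])
```

The naive patch fails the format's own checksum, the re-sealed patch passes it, and only the baseline comparison catches the latter; the same `baseline`/`tampered` pair applied to the mapped region at first load and later covers the dynamic case.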
In this paper we first introduced the Android system and analysed its file structure and application loading process, then proposed two methods, static and dynamic, for attacking an Android application, and discussed how to detect and protect against this kind of attack. Finally we gave a sample that simulates attacking an Android application by the static method. In the future, we believe that with deeper research on the Android system better methods will be proposed and the Android system will become safer.