DEX EDUCATION: PRACTICING SAFE DEX

Black Hat USA 2012

Presented by: Tim Strazzere
Date: Thursday July 26, 2012
Time: 14:15 - 15:15
Location: Augustus V+VI
Track: Malware

In an ecosystem full of potentially malicious apps, you need to be careful about the tools you use to analyze them. Without a full understanding of how the Android Dalvik VM or dex file interpreters actually work, it's easy for things to slip through the cracks. Based on learnings from the evolution of PC-based malware, it's clear that someone, somewhere will someday attempt to break the most commonly used tools for static and dynamic analysis of mobile malware. So we set out to see who was already breaking them and how, then, how we could break them more.

We've taken a deep dive into Android's dex file format that has yielded interesting results related to detection of post-compilation file modification. After deconstructing some of the intricacies of the dex file format, we turned our attention to dex file analysis tools themselves, analyzing how they parse and manage the dex format. Along the way we observed a number of easily exploitable functionality, documenting specifically why they fail and how to fix them. From this output we've developed a proof of concept tool - APKfuscator - that shows how to exploit these flaws. It's our hope that it can be a tool that helps everyone practice safe dex.

Tim Strazzere

Tim Strazzere is a Security Engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include having reversing the Android Market protocol, Dalvik decompilers and memory manipulation on mobile devices.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats