Abstract
Learn how a mobile security expert goes about cracking an application open. While testing or reviewing Android or iOS applications, you will appreciate these handy tricks, which will teach you to extract the program code of any mobile application. Whether it is Apple's well-known application encryption, Google's ubiquitous Android, or RIM's BlackBerry applications: once you have the application, you will learn how to view its code. Using demonstrations on platforms and devices such as Apple, Android, BlackBerry and Windows Mobile, we will highlight the benefits of using these techniques in a pen-tester's day-to-day life cycle.
Objectives:
• To give live demonstrations of cracking the code open from various Android, Apple, BlackBerry and Windows Mobile applications.
• To share tested and proven methods of discovering insecurities via reverse engineering.
• To learn how to efficiently conduct reverse engineering of mobile applications.
• To develop a process document for mobile reverse engineering.
AI Generated Summary
The talk presented a systematic methodology for decompiling native mobile applications across platforms including Android, iOS, Windows Phone, and Blackberry, emphasizing a replicable process over tool-specific knowledge. The core approach involves gaining access to the application executable, identifying the underlying technology (e.g., Java for Android, .NET for Windows Phone), extracting the embedded object code (such as DEX files or DLLs), and employing platform-specific translators to recover source code.
Key techniques demonstrated included using 7-Zip or similar archive tools to unpack executables, then applying tools like dex2jar and JD-GUI for Android APKs to convert bytecode to Java source, and ILSpy for Windows Phone XAP files to decompile .NET assemblies into C# projects. For iOS, the speaker noted increased difficulty with obfuscation in newer versions. The process consistently concluded with “treasure hunting”—searching the recovered source for hardcoded sensitive data such as passwords, encryption keys, API endpoints, and hardware identifiers (e.g., UDID). Successful decompilation of native apps was stated to have a near-100% success ratio for finding such vulnerabilities, unlike hybrid or browser-based apps.
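The workflow summarised above has two steps a reviewer can script for their own application: classifying the package by the object code it carries, and the "treasure hunt" over the recovered source. The script below is an added example, not code from the talk or the speaker. It assumes the package is a zip archive (APKs and XAPs are), that decompilation to source was already done with an external tool such as dex2jar plus JD-GUI or ILSpy, and that the package members and Java sources it scans are constructed samples, not a real application.

```python
"""Added example for the summary's decompilation workflow; not code from the
talk or the speaker. It covers two steps in a reviewer's own hands: identifying
the object-code type inside a mobile package (APK/XAP are zip archives) and
"treasure hunting" across already-recovered source for hardcoded credentials,
keys, endpoints and hardware identifiers. Assumptions: decompilation itself was
done beforehand with dex2jar + JD-GUI or ILSpy; the sample package members and
Java sources below are constructed, not real."""
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Tuple

def identify_technology(archive_bytes: bytes) -> str:
    """Classify a package by the embedded object code, as in the talk's method."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [n.lower() for n in zf.namelist()]
    if any(n.endswith("classes.dex") for n in names):
        return "android-dex"        # Dalvik bytecode -> dex2jar, then JD-GUI
    if any(n.endswith(".dll") for n in names):
        return "dotnet-assembly"    # Windows Phone XAP -> ILSpy
    if any(n.endswith(".cod") for n in names):
        return "blackberry-cod"     # BlackBerry Java ME module
    return "unknown-or-hybrid"      # look in assets/ for HTML/JS wrappers

# Treasure-hunt patterns: each is a category of hardcoded data the talk names.
SECRET_PATTERNS = {
    "password": re.compile(r'(?i)(pass(word)?|pwd)\s*=\s*"([^"]{4,})"'),
    "key":      re.compile(r'(?i)(secret|api[_-]?key|encryption[_-]?key|aes[_-]?key)\s*=\s*"([^"]{8,})"'),
    "endpoint": re.compile(r'"(https?://[^"\s]+)"'),
    "db-url":   re.compile(r'"(jdbc:[^"\s]+)"'),
    "hw-id":    re.compile(r'(?i)\b(udid|uniqueIdentifier|getDeviceId)\b'),
}

Hit = Tuple[str, int, str, str]  # (file, line number, category, matched text)

def treasure_hunt(sources: Dict[str, str]) -> List[Hit]:
    """Scan {filename: source text} line by line; one hit per category per line."""
    hits: List[Hit] = []
    for fname, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for category, pattern in SECRET_PATTERNS.items():
                m = pattern.search(line)
                if m:
                    hits.append((fname, lineno, category, m.group(0).strip()))
    return hits

def load_sources(root: Path, suffixes=(".java", ".cs")) -> Dict[str, str]:
    """Read a decompiled source tree (JD-GUI or ILSpy output) into memory."""
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}

# --- constructed sample data -------------------------------------------------
def build_sample_package(kind: str) -> bytes:
    """Build a minimal zip that mimics an APK or XAP layout (constructed, not real)."""
    members = {
        "apk": ["AndroidManifest.xml", "classes.dex", "res/values/strings.xml"],
        "xap": ["AppManifest.xaml", "MyApp.dll"],
    }[kind]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"")   # contents are irrelevant for classification
    return buf.getvalue()

SAMPLE_SOURCES = {
    "com/example/bank/Config.java": (
        'package com.example.bank;  // constructed sample\n'
        'public class Config {\n'
        '    static final String DB_URL = "jdbc:mysql://db.example.internal:3306/bank";\n'
        '    static final String DB_USER = "app";\n'
        '    static final String DB_PASSWORD = "hunter2!";\n'
        '    static final String API_KEY = "sk_test_CONSTRUCTED_0000";\n'
        '    static final String BASE = "https://api.example.com/v1/";\n'
        '}\n'
    ),
    "com/example/bank/Device.java": (
        'public class Device {\n'
        '    String id(android.telephony.TelephonyManager tm) { return tm.getDeviceId(); }\n'
        '}\n'
    ),
}

def run_demo() -> List[Hit]:
    """Classify both sample packages and hunt through the sample source."""
    print("apk ->", identify_technology(build_sample_package("apk")))
    print("xap ->", identify_technology(build_sample_package("xap")))
    hits = treasure_hunt(SAMPLE_SOURCES)
    for fname, lineno, category, match in hits:
        print(f"{fname}:{lineno} [{category}] {match}")
    return hits

if __name__ == "__main__":
    run_demo()
```

Run it against a real decompiled tree with `treasure_hunt(load_sources(Path("out/")))`; every hit is a candidate for moving the value server-side or out of the shipped binary, which is the same finding the talk reports with a near-100% hit rate on native apps. The patterns are deliberately simple string-literal matchers: obfuscation, the mitigation the talk recommends, defeats exactly this kind of search, which is a useful way to check that an obfuscation build actually hid what it was supposed to.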
Practical implications for security testers include the ability to bypass client-side authentication checks by modifying and recompiling the app, and to identify critical flaws like hardcoded database credentials. The talk underscored that the methodology is platform-agnostic; the fundamental steps remain consistent even as specific tools evolve. Mitigation strategies were highlighted, primarily advocating for code obfuscation using freely available open-source tools to protect against reverse engineering. The overarching takeaway was that effective