Creating a kewl and simple Cheating Platform on Android presented at DeepSec 2014

by Milan Gabor, Danijel Grah,

Summary : Number of mobile applications is rising and Android still holds large market share. As these numbers of applications grow, we need better tools to understand how applications work and to analyze them. There is always a question if we can trust
mobile applications to do only that they are allowed to do and if they are really secure when transmitting our personal
information to different servers. Sometimes when communication between mobile application and server is encrypted we
have hard time to decrypt it to understand how things actually work. So we need to find new method or even tools to make
our lives as security testers much easier and to achieve better results. In the presentation some runtime techniques will be
discussed and a tool will be presented that offers two approaches to analyze Android applications. Basic principle of first approach
is injecting small piece of code into APK and then connect to it and use Java Reflection to runtime modify value, call methods,
instantiate classes and create own scripts to automate work. This method is possible with little knowledge and it even works on
non-rooted Android devices. The second approach offers much the same functionality, but can be used without modifying an
application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying of APK's isn't necessary. In this case
Android JNI is used to hook some methods and then to inject our code at runtime without modification of APK packages. And this
method is new method based on some research in this area lately. Tool is Java based and simple to use, but offers quite few new
possibilities for security engineers and pentesters and eases a process of analyzing mobile applications. It offers new possibilities to
see, evaluate or even change internal variables an in this way opens news horizon of evaluating security of mobile applications.
With help of this tool we can also create really simple cheating platform as a side effect and this will be demonstrated at the end.