User Account

All Pages

Repackaging android apps to disclose sensitive information

Assignment Help JAVA Programming
Reference no: EM132295620 , Length: word count:1000

Assignment - Repackaging Android apps to disclose sensitive information

Each student needs to choose an Android app and repackage it.

Tasks -

1) Choose an Android app

Ideally, choosing popular apps on Google Play.

After repackaging, if the app can no longer be installed, you need to change another app for repackaging.

Reporting this and explain why it cannot be installed can be a plus to this assignment.

2) Select the location where the code will be changed.

This can be a single place or multiple places. The complexity of considered places will be taken into account when marking.

3) Do the actual change (attack).

Here various tools can be leveraged.

For simplicity, ApkTool can be used to modify the code at the Smali code level.

For flexibility, Soot can be leveraged to instrument the code in Android APK files.

No matter which tool is selected, the final attack should be done automatically.

4) Demonstrate the change via video and write the process in a report.

Android Repackaging Attack Lab -

Lab Tasks -

Task 1: Obtain An Android App (APK file)

To launch the repackaging attack, we need a host app. In real attacks, attackers usually choose popular apps, because they can get more people to download their repackaged apps. For this task, you can write your own app or download an existing app.

It should be noted that we are using an Android VM in this lab, not a physical Android device, so some apps may not run on the VM (they will crash). One of the possible reasons for crashing is that the application may have native code. Native code compiled for a real Android device has binary code for ARM processors, while our Android VM runs on x86 processors. To get these apps running in our Android VM, the native code needs to be recompiled for x86 processors. That requires source code, which is hard to get. Therefore, if you have encountered this problem, just find another app. This limitation is only caused by the lab environment, and it is not an issue for the attacks in the real world.

Task 2: Disassemble Android App

To launch the repackaging attack on an app, we need to modify the app. Although we can directly modify the APK file, it is not easy, because the code in the APK file contains Dalvik bytecode (dex format), which is not meant for human to read. We need to convert the bytecode into something that is human readable. The most common human readable format for Dalvik bytecode is known as Smali. The names "Smali" and "Baksmali" are the Icelandic equivalents of "assembler" and "disassembler", respectively.

In this task, we will use a tool called APKTool to disassemble dex code (classes.dex) to smali code. APKTool is a very powerful reverse engineering tool for Android apps. It is useful to decode and rebuild Android apps.

Task 3: Inject Malicious Code

In this task, we will inject malicious code into the target app's smali code. There are many ways to do that. One approach is to directly modify some existing smali file, so we can add malicious logic into it. Another approach, which is much easier, is to add a completely new component to the app; this new component is independent from the existing app, so it does not affect the app's behavior. Since each independent component can be placed in a separate smali ?le, using this approach, we just need to create a new smali file.

Task 4: Repack Android App with Malicious Code

After we have inserted your own malicious smali code, we are ready to reassemble everything together, and build a single APK file. The process takes two steps.

Step 1: Rebuild APK - We use APKTool again to generate a new APK file. The command is shown in the following. By default, the new APK ?le will be saved in the dist directory.

Step 2: Sign the APK file - Android requires all apps to be digitally signed before they can be installed. This requires each APK to have a digital signature and a public key certificate. The certificate and the signature helps Android to identify the author of an app. From the security perspective, the certificate needs to be signed by a certificate authority, who, before signing, needs to verify that the identify stored inside the certificate is indeed authentic. Getting a certificate from an accepted certificate authority is usually not free, so Android allows developers to sign their certificates using their own private key, i.e., the certificate is self signed. The purpose of such self-signed certificates is meant for apps to be able to run on Android devices, not for security. Developers can put any name they want in the certificate, regardless of whether the name is legally owned by others or not, because no certificate authority is involved to check that. Obviously, this entirely defeats the purpose of certificate and signature. Google Play Store does some name verification before accepting an app, but other third-party app markets do not always conduct such a verification.

In this lab, we will just use a self-signed certificate. The entire process consists of three steps.

1. Step 1: Generate a public and private key pair using the keytool command.

2. Step 2: We can now use jarsigner to sign the APK file using the key generated in the previous step.

Task 5: Install and Reboot

In this final step, we will install the modified app on our Android VM, and test whether the attack is successful or not. We need to connect to the Android VM using the "adb connect" command from our Ubuntu VM, and then install the app using the "adb install" command. We need to know the IP address of the Android VM; we can ?nd it on Android by going through the following process: SettingsApp - About - Status. We can also ?nd the IP address by running the netcfg command in Android terminal app.

To demonstrate whether the attack works, we just need to add a few contacts in the Contacts app, turn off the Android VM, and start again. If your attack is successful, you should see that all the contact records that you just entered are deleted.

A common problems. We need to launch the installed repackaged application once to register the receiver. Otherwise, the injected code will not be executed if we just reboot the VM after the installation.

Questions -

After finishing all the lab tasks, you need to answer the following questions in your lab report.

Question 1: Why is the repackaging attack not much a risk in iOS devices?

Question 2: If you were Google, what decisions you would make to reduce the attacking chances of repackaging attacks?

Question 3: Third-party markets are considered as the major source of repackaged applications. Do you think that using the official Google Play Store only can totally keep you away from the attacks? Why or why not?

Question 4: In real life, if you had to download applications from untrusted source, what would you do to ensure the security of your device?

Attachment:- Assignment Files.rar

Reference no: EM132295620

Questions Cloud

How the delivery of a program can be improved : The steps for process evaluation outlined by Bliss and Emshoff (2002) may seem very similar to those for conducting other types of evaluation.
Discuss the importance of a fair : Using an example from your workplace, discuss the importance of a fair, well-designed incentive system.
How can culture influence the way we act : Does an individual's membership in a diverse population define his or her personality, or does the personality determine the diverse populations.
What would your response be and why : If a person said to you it is easy to reduce turnover just pay people more money.-what would your response be and why? Please be detailed.
Repackaging android apps to disclose sensitive information : Repackaging Android apps to disclose sensitive information. Why is the repackaging attack not much a risk in iOS devices
What is meant by the phrase earnings management : Briefly describe the "ratchet effect" associated with the use of peer groups in setting compensation levels. Why is it a problem?
Why is an effective interviewing process important : How should the human resources department and the supervisor function together? During organizational changes?
Discuss the impact of taking notes in class on quiz grades : Topic-The impact of taking Notes in class on quiz grades. Any action possesses a reaction. In this case, taking notes in class influences positive grades.
Analyze two implications of on customers : Critically evaluate three reasons why you think the management adopted this policy. Analyze two implications of this on customers.

Reviews

len2295620

4/29/2019 12:47:35 AM

No Of Pages/Words: 1000. Please follow the assignment requirements to repackaging android apk. you can use msfvenom to produce payload apk, then use apktool to convert payload apk to package, then copy the metasploit folder to chosen apk package and place it under package/smali/com, then add needed user permission in manifest and modify mainactivity.smali to add trigger or follow the provided lab tutorial which is add receiver code. anyway, you can choose you own methods as long as meet the assignment requirements, and you do not need choose some popular apk because most of them are difficult to repackaging. i think the attack like delete the photos, get the contacts, or get the text of location can be accepted. also, you can use payload to meet the requirements. the repackaging instruction is provided and you can find on the internet. the report could have some screenshots of some processes. NOTE: this assignment should be delivered by tomorrow. please contact me if there are any other questions. Kali linux could be used to complete the tasks. i can provide the android or ubuntu virtual machine if you need.

len2295620

4/29/2019 12:47:18 AM

Criteria for marking the assessment - 80% of the assignment mark will be based on the technique report written by the students. The remaining 20% will be the quality of the replication package, which should contain enough message that your tutors (as well as your classmates) can easily re-do your experiments. nderstanding the repackaging process and the selected Android app (30%) an overview is expected. Quality and depth of explanation of the selected app and the repackaging process (40%) need to explain why the certain behaviour is selected to attack (or to change). Clarity/correctness of the demonstration code (interview) (30%) Ideally, not only the code but also video demonstration is expected.

len2295620

4/29/2019 12:47:12 AM

Submission and Demonstration - You need to submit a detailed lab report to describe what you have done and what you have observed, including screenshots and code snippets (if needed). You also need to provide explanation to the observations that are interesting or surprising. You are encouraged to pursue further investigation, beyond what is required by the lab description.

Write a Review

JAVA Programming Questions & Answers

  Recursive factorial program

Write a class Array that encapsulates an array and provides bounds-checked access. Create a recursive factorial program that prompts the user for an integer N and writes out a series of equations representing the calculation of N!.

  Hunt the wumpus game

Reprot on Hunt the Wumpus Game has Source Code listing, screen captures and UML design here and also, may include Javadoc source here.

  Create a gui interface

Create GUI Interface in java programing with these function: Sort by last name and print all employees info, Sort by job title and print all employees info, Sort by weekly salary and print all employees info, search by job title and print that emp..

  Plot pois on a graph

Write a JAVA program that would get the locations of all the POIs from the file and plot them on a map.

  Write a university grading system in java

University grading system maintains number of tables to store, retrieve and manipulate student marks. Write a JAVA program that would simulate a number of cars.

  Wolves and sheep: design a game

This project is designed a game in java. you choose whether you'd like to write a wolf or a sheep agent. Then, you are assigned to either a "sheep" or a "wolf" team.

  Build a graphical user interface for displaying the image

Build a graphical user interface for displaying the image groups (= cluster) in JMJRST. Design and implement using a Swing interface.

  Determine the day of the week for new year''s day

This assignment contains a java project. Project evaluates the day of the week for New Year's Day.

  Write a java windowed application

Write a Java windowed application to do online quiz on general knowledge and the application also displays the quiz result.

  Input pairs of natural numbers

Java program to input pairs of natural numbers.

  Create classes implement java interface

Interface that contains a generic type. Create two classes that implement this interface.

  Java class, array, link list , generic class

These 14 questions covers java class, Array, link list , generic class.

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

Submit Assignment

Academics

Major Subjects

Majors

Get In Touch

whatsapp: +91-977-207-8620

Phone: +91-977-207-8620

Email: [email protected]

TERMS & POLICIES

HELP & SUPPORT

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd