Jun 06

Code to Create a JD-GUI Error

When evaluating Android applications, I often use dex2jar to take an Android APK file and convert it to a Java JAR file.  With the APK-turned-JAR file I can examine the decompiled Java source for the application using JD-GUI or Mike Strobel’s Procyon.

Procyon is the far superior Java decompilation tool, which gracefully handles many conditions that JD-GUI cannot.  Still, Procyon requires a few additional steps to use as a command-line tool, while JD-GUI has a nice GUI for quick and easy analysis (to be fair, Procyon does have a third-party GUI as well, though it lacks some of the features in JD-GUI).

As part of an exercise I am writing for my SANS Institute SEC575: Mobile Device Security and Ethical Hacking course, I needed to force the student’s hand and require them to use Procyon.  I needed to reproduce a situation where my sample code was not decompiled by JD-GUI properly.  I lowered my standards enough to look at page 2 of Google search results, but I still could not find an example of Java code that could not be decompiled by JD-GUI.

Looking through some APK files I had handy, I spotted a method that JD-GUI could not handle.  Reversing the same code with Procyon gave me the method source, which I was able to narrow down to just a few lines of Java.  If you are in the position where you want to stop someone from using JD-GUI to reverse-engineer a method, insert this code:

// Add these lines to your import section
import java.io.IOException;
import java.io.OutputStreamWriter;

// Add this code to a method that you want JD-GUI to generate an error on
OutputStreamWriter request = new OutputStreamWriter(System.out);
try {
	request.close();
} catch (IOException e) {
}
finally {
	request = null;
}

The block of code wraps the System.out object (the stdout reference) in an OutputStreamWriter, and then closes it. The rest is just being graceful. When decompiled with JD-GUI, the user will see this error:

[Image: JD-GUI Error. Error produced by JD-GUI when decompiling the shown code.]

So, the next time you need to stop people from reversing your code, add these lines to a method, and hope that they don’t know about Procyon.

-Josh
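
For the analyst's side of the post above, a triage helper that lists which methods in JD-GUI's saved source output failed to decompile, so only those need a second pass with Procyon. This is an added example, not code from the original post; the `/* Error */` marker and commented bytecode layout are assumed from JD-GUI 0.3.x output, and `failed_methods` and the sample class are constructed for illustration.

```python
import re
from itertools import takewhile

# Assumption: JD-GUI 0.3.x marks a method it could not decompile with
# "/* Error */" and dumps the bytecode as "//" comments in the method body.
ERROR_MARK = re.compile(r"^\s*/\*\s*Error\s*\*/\s*$")
METHOD_NAME = re.compile(r"([\w$<>]+)\s*\(")
BYTECODE_LINE = re.compile(r"^\s*//\s+\d+:\s+\S+")

def failed_methods(source):
    """Return one dict per method JD-GUI gave up on in a saved .java file."""
    lines = source.splitlines()
    results = []
    for idx, line in enumerate(lines):
        if not ERROR_MARK.match(line):
            continue
        # The signature is the first non-blank line after the marker.
        sig = next((j for j in range(idx + 1, len(lines)) if lines[j].strip()), None)
        if sig is None:
            continue
        name = METHOD_NAME.search(lines[sig])
        # Everything up to the method's closing brace is commented-out bytecode.
        body = list(takewhile(lambda b: b.strip() != "}", lines[sig + 1:]))
        results.append({
            "line": sig + 1,
            "method": name.group(1) if name else "<unknown>",
            "instructions": sum(1 for b in body if BYTECODE_LINE.match(b)),
            "has_exception_table": any("Exception table" in b for b in body),
        })
    return results

# Constructed sample of JD-GUI saved-source output (not from a real app).
SAMPLE = """public class Uploader
{
  /* Error */
  public void finish()
  {
    // Byte code:
    //   0: aload_1
    //   1: invokevirtual 5 java/io/OutputStreamWriter:close ()V
    //   4: return
    // Exception table:
    //   0 4 7 java/io/IOException
  }
}
"""

if __name__ == "__main__":
    print(failed_methods(SAMPLE))
```

A hit with `has_exception_table` set points at try/catch/finally handling as the construct JD-GUI could not rebuild, which is the pattern the snippet in the post relies on.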

Jun 21

The Mobile Malware Connection

Today was Part II of the Taste of SANS Mobile Device Security and Ethical Hacking webcast trilogy, “The Mobile Malware Connection”.  In this session we looked at the growing prevalence of mobile malware, primarily affecting Android devices but also appearing on iOS and BlackBerry devices.  Malware authors have been quick to realize the benefits of exploiting mobile devices, with opportunities to intercept security-related content over SMS messaging, and the ability to make a quick buck at a victim’s expense.

Check out the presentation for more fun details about Android, iOS, BlackBerry and Windows Mobile devices.  The next and final session in this trilogy will be at 1PM ET on July 19, titled “2012: A Mobile Penetration Test”, where we’ll be looking at techniques for exploiting mobile devices and their associated infrastructure to evaluate the risks to your organization.

-Josh

Jun 01

Invasion of the Mobile Phone Snatchers

Today I delivered the first of a trilogy of webcasts promoting my new course with the SANS Institute, “Mobile Device Security and Ethical Hacking” (Security 575). In the presentation we look at the threat of lost or stolen mobile devices, examining how an attacker can use backup tools to extract data from mobile devices, bypass PIN authentication on Apple iOS and BlackBerry devices, and how to mitigate the impact of lost devices. Check it out!

-Josh