Deconstructing Kony Android Applications: Kony Past, Present, and Future

Agenda
• Introduction
• Examining and Exploring Kony Apps
• Static vs. Dynamic Analysis
• Conclusions and Takeaways

About Me…
• Security Consultant for NCC Group North America
• I do pentesting, pentest all the things!!
• Free time, what’s that? I surf, take photos, play guitar, design and build random stuff, other stuff you don’t care about
• I have a serious gadget problem… serious (feel free to send me free stuff!!)

About You…
• You are an App Dev and/or Security person
• You are interested in how enterprise application deployments work
• You had nothing better to do before lunch
• You work at Kony Studios :-P

About this talk…
• Originally, a memory dumping technique was used in conjunction with a Jolla phone.
• This worked pretty well to recover source code.
• Was it efficient? No, not even close. Did it work? Barely, but yes.
• Is that what I’m going to show you today? Definitely not, we have new hotness to work on and worry about.

More about this talk…
• The previous method mentioned was discussed at Ekoparty, October 2014. I hadn’t looked at a Kony Application since.
• Upon acceptance to Black Hat, I began updating my research as the example applications I was using were a year or two old.

More about this talk…
• And the only reason I had even bothered to look at Kony was because of Jason Ross’s blog post from way back. I.E. – the part 2 that never came.
• Turns out, everything had changed. The Apps were no longer the Kony I knew (panic sets in).

Even more on this talk…
• After getting over the initial wave (and a couple subsequent waves of panic) I contemplated declining the speaker slot.
• The outline I proposed was no longer valid, and I wasn’t even sure if I could find the time between full time consulting to redo the research given the new framework.

Even more on this talk…
• Clearly, I ended up accepting the speaker slot. However, the contents of the talk have radically changed.
• The following talk contains the trials and tribulations of my efforts…

WTF is Kony?
• Not This Guy

WTF is Kony? (cont. 2)
• Write once, deploy many Application IDE

WTF is Kony? (cont. 3)
• Write your application in HTML5 and/or JavaScript
• Because native code development is so 2012
• Also because “JavaScript is the language of the future” – OH someone, someplace, sometime

But where do I find Kony?
• Large companies (Kony ain’t cheap)
  • Capital One Bank
  • SunTrust
  • Southwest Airlines
  • Scottrade
  • HSBC
• Take to Google Play Store, or 3rd Party App Stores
• Build Your Own Apps
  • They recently started offering a trial preview of their Studio IDE

Why you should care?
• Developers (at least good/decent ones) are expensive
  • Hiring a Dev, or a Dev Team for each platform can be prohibitively expensive
  • Additional overhead from managing multiple teams
• More and more companies are starting to use multi-deployment framework models (Worklight/Cordova, Kony, Unity, Adobe AIR) – see Black Hat Asia talk by Grassi and Guerrero

Why you should care?
• While the individual steps for analyzing each framework will differ, the overall thought process will be similar.

Examining Kony Apps
• Analysis of Kony Apps using the "Standard Approach"
  • Extract APK file from device
  • Use Apktool to unzip
  • Dex2jar or baksmali the classes.dex file
  • Get absolutely nowhere… literally nowhere. WTF!?!?


Examining Kony Apps
• Analysis of Kony Apps using the "Standard Approach"
  • All paths in the App more or less call KonyMain
  • However this class is perpetually blank… What is going on here?
• Well, most of the application is a wrapper, this wrapper does the following:
• Older Kony (version < 6.0)
  • APK loads
  • Establish Dalvik Hooks
  • Search for Lua Bytecode VM
  • Run Bytecode VM
• The VM *is* the App (There are a few serialized data “.kds” files lying around that are parsed, but the core code is the Bytecode)
• How do I know if I have “old Kony”? Look for “konyappluabytecode.o.mp3”

Examining Kony Apps
• New Kony (version > 6.0)
  • APK loads
  • Establish Dalvik Hooks
  • Search for libkonyJSVM.so library file
  • Runs the library file
  • Library file searches for startup.js and common-jslibs.kfm
  • Library unpacks the files in application memory space
  • These files contain the application source code and necessary JS libraries
• How do I know if I have “new Kony”? Look for “libkonyJSVM.so, startup.js, and common-jslibs.kfm” in your APK file

“Standard Approach” Failures
• Seems legit… Y U no Work!?
• As previously stated, the source code is contained in either bytecode format, or being run in the Android shared object library.
  • Can’t simply “jd-gui” your way to victory
  • This makes static and dynamic analysis a pain

“Standard Approach” Failures
• Using static decompilers or other OSS tools that just didn’t quite work (errors, crashes, stack traces 4 dayzzzz)
• Previous attempts to bypass this involved hooking calls into the “Main” class, monitoring the inputs and monitoring the outputs

“Standard Approach” Failures
• Massive device memory dumping, fixing up, and reassembling images to get source code in memory.
• Previously OSS decompilers, namely unluac.jar, didn’t quite work right; it has been updated and now works splendidly.
• Still do love playing with my Jolla Phone though
• Other tomfoolery and shenanigans that just didn’t work well

Expanding the “Standard Approach”
• The “Standard Approach” works-ish… However we still need to add to it
  • Extract APK file from device
  • Use Apktool to unzip
  • Dex2jar or baksmali the classes.dex file
  • Choose your own adventure:

Expanding the “Standard Approach”
• Memory Dump your way to source code → Why would you do this now? I mean other than to play with a shiny Jolla device?
• If Kony version < 6.0, then: unluac.jar and go home, you’re done now. Quick and easy
• If Kony version >= 6.0 then: see the rest of this talk

Kony Past, Present, Future
• What exactly has changed?
• Previous versions of the Kony Studio IDE used the compiled Lua bytecode.
  • My guess is that this was expensive to maintain and/or crashed often with newer Android versions.

Kony Past, Present, Future
• Lua bytecode support was *deprecated* starting with version 6.0, released December 14, 2014
  • I use that word loosely; looking through the IDE, there still seems to be plenty of legacy support.
• Lua Bytecode = old and busted; libkonyjsvm.so = new hotness

Kony Past, Present, Future
• Within the libkonyjsvm.so category there are two camps:
  • Present: Applications you’ll probably find in the Play store now.
  • Future: Applications that will probably be in the Play store soon

Kony Past, Present, Future
• So what’s the difference?
• Sometime after version 6.0 they updated the framework and the Android shared object file to encrypt the source code.
• I’m not sure when they did this, changelogs on the site seem to be sparse or I can’t find them

Kony Past, Present, Future
• The currently working version I’m with is Kony Studio version 6.3
• So how does this change our analysis?

Kony Past, Present, Future
• Again, it’s a choose your own adventure.
  • Extract APK file from device
  • Use Apktool to unzip
  • Dex2jar or baksmali the classes.dex file
  • Choose your own adventure:
    • If startup.js = zip then: unzip all the things, you are done, go home
    • If startup.js = data then: see the rest of this talk

Kony Present
• Yes, that’s right, with the early version of the JSVM, they actually made things easier for us.

Kony Present
• That was easy, why can’t they all be that easy?
• Plug the source into whatever text reader you choose and find bugs galore
• Debugging the App is slightly more complicated → debugging solely using ADB will not really cut it.

Kony Present
• IDA and/or GDB up!!
  • Start app in “Wait for debugger mode”
  • Attach gdb or IDA to the process → so you can analyze the shared object library
  • Attach ADB to the application → so you can debug the actual application.
  • Profit? IDK WTF

Kony Future
• However, if they use the newer library with encryption… well then we have ourselves a process…

Kony Future
• WTF is data means?
  • Strings, hexdumping, etc… pretty useless if figuring out what this file was
  • Analysis of the files determined that they were not compressed data or serialized data (/dev/ttyS0 blog post on the subject was great, link at bottom)

Kony Future
• Tried debugging/dynamic analysis, that didn’t really seem to help (in gaining source code access)
• What is one to do?
  • Time to put my “Dev” hat on and download the IDE
  • Started with the Application Build process and worked my way backward (BTW, I have never “HelloWorld’d” so hard in my life, must have built this app 200+ times)


Kony Future
• However, if they use the newer library with encryption… well then we have ourselves a process…
  • Start with the build process…
  • We need to break it down and analyze what’s being done on the simplest Apps, so we can move on to more complex Apps

Kony Future
• Build Process Breakdown
  • Copy build process script and configuration details to project folders
  • Escape JavaScript source code
  • If enabled, “encode” JavaScript source
  • Generate zip files of JavaScript source

Kony Future
• Build Process Breakdown (cont.)
  • Encrypt zip files
  • Apply Proguard if enabled (I didn’t enable this, but that should not affect the JavaScript source code at all)
  • Package contents up and generate an APK file

Kony Future
• Analysis of Kony Apps using the "Standard Approach"
  • Start by hacking apart the build process.
  • Definitely turn on debugging output at the build console
  • Saw that they were using the file “build-jssource.xml” for the source code operations (escape, encode, zip, etc.)

Kony Future
• This file is basically an ANT configuration script
• So I added to the file (screenshot)

Kony Future
• The mysterious case of kony_loadfile.exe
  • I went through almost every file in the build process, some things stuck out… such as “yuicompressor.jar” or, pictured below, “EncodeScriptTask.jar”

Kony Future
• The mysterious case of kony_loadfile.exe
  • However, DES encryption with a silly, simple key aside, kony_loadfile.exe stuck out the most, as it was being called during the encrypt build process.

Kony Future
• What is one to do? To the IDA of course. Why, to locate silly things like this:

Kony Future
• Okay, so we know that this thing is encrypting the files, we know the key that’s hardcoded into the binary.
  • But do we really? … really…?
  • So we search for a decryption process in the Android APK
  • After exhaustively searching the decompiled APK code, the only thing left to search was the shared object library. BINGO!!

Kony Future
• Oh there you are!!

Kony Future
• So we should look at the new library file vs the old library file for good measure.
  • Pull an older Kony App from the Play store and reverse.
  • Use my good friend BinDiff or whatever binary differential tool of your choosing to get the same task done.

BinDiff of newer libkonyjsvm.so file vs. older libkonyjsvm.so file

Kony Future
• Okay, so no secondary unmatched functions. Everything in the old library stayed the same, they just added to it.
• Looking through what they added, primary unmatched functions look to be only the new crypto functionality. This is good, streamlines what we need to look at.

Kony Future
• So we DEFINITELY know we have the key!
  • Start your python… many lines of failure later
  • Wait WTF? Why isn’t this working?
• Seems as though someone at Kony knows hardcoding keys is a bad idea

Kony Future
• So the hardcoded key seems to go through some “magic”
• After some really long nights, copious amounts of coffee, and some help from friends (Thanks to Dominic Wang and Jay Smith!!) we isolated the “magic”

Kony Future
• Kony Key Magic (screenshot)

Kony Future
• And because that’s probably impossible to see… breakdown below:
  • Take the command line arguments from the kony_loadfile.exe call and do some charxor voodoo
  • Take the output of the charxor voodoo and the hardcoded key and feed them into SHA256
  • Take the output of SHA256 and the IV and feed into AES256-CBC

Kony Future
• So I asked myself “Self, how am I to divine such command line parameters without the IDE and building the App myself?”
  • This is AES, they must be passing these values to the Android application somehow.
  • Not immediately clear to me, so I turn to the build process

Kony Future
• Add more debugging output to your build process. And echo the parameters back to yourself in the build console. The Parameters are:
  • App ID = HelloWorld → easy to get
  • Package Name = com.kony.HelloWorld → also easy
  • Timestamp of the App build = 20150530095920 → where is this located?

Kony Future
• Everything you need is right before you
  • Turns out, the timestamp is written into the APK in a file called application.properties located at $yourapkname/assets
• So in the APK, we have all the VARs we need.
• To the python!!
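An added Python triage script (my own example, not code from the talk) that applies the two decision points from the slides: old Kony vs. new Kony by marker file, then startup.js = zip vs. startup.js = data by its first bytes, and pulls the build parameters out of assets/application.properties. The APK is a constructed in-memory zip; the property key names and the lib/assets paths are assumptions, since the slides only name the files.

```python
import io
import zipfile

LUA_MARKER = "konyappluabytecode.o.mp3"   # present in "old Kony" (< 6.0) APKs
JSVM_LIB = "libkonyjsvm.so"              # "new Kony" (>= 6.0); matched case-insensitively
JS_FILE = "startup.js"                   # zip archive in "Present", opaque data in "Future"
ZIP_MAGIC = b"PK\x03\x04"                # local file header that `file` reports as a zip
PROPS_PATH = "assets/application.properties"   # where the build timestamp ends up


def _by_basename(apk: zipfile.ZipFile) -> dict:
    """Map lower-cased basename -> full entry name, so lib/.../libkonyJSVM.so matches."""
    return {n.rsplit("/", 1)[-1].lower(): n for n in apk.namelist()}


def classify(apk_bytes: bytes) -> str:
    """Return 'lua-bytecode', 'jsvm-zip', 'jsvm-encrypted' or 'not-kony'."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = _by_basename(apk)
        if LUA_MARKER in names:
            return "lua-bytecode"          # unluac.jar and go home
        if JSVM_LIB not in names or JS_FILE not in names:
            return "not-kony"
        head = apk.read(names[JS_FILE])[:4]
    # startup.js = zip -> unzip all the things; startup.js = data -> encrypted source
    return "jsvm-zip" if head == ZIP_MAGIC else "jsvm-encrypted"


def build_parameters(apk_bytes: bytes) -> dict:
    """Parse assets/application.properties (Java .properties syntax) into a dict."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        if PROPS_PATH not in apk.namelist():
            return props
        text = apk.read(PROPS_PATH).decode("utf-8", "replace")
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        sep = next((i for i, c in enumerate(line) if c in "=:"), -1)
        if sep != -1:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def make_apk(entries: dict) -> bytes:
    """Build a minimal zip standing in for an APK (constructed test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a post-6.0 app whose startup.js is "data", not a zip.
# The property key names are assumed; the talk only says the timestamp lives in this file.
SAMPLE_APK = make_apk({
    "lib/armeabi/libkonyJSVM.so": b"\x7fELF stub",
    "assets/startup.js": b"\x8a\x13\x42\x99 opaque bytes",
    "assets/common-jslibs.kfm": b"\x00\x01",
    PROPS_PATH: b"# constructed\napp-id=HelloWorld\npackage=com.kony.HelloWorld\ntimestamp=20150530095920\n",
})

if __name__ == "__main__":
    print(classify(SAMPLE_APK))        # jsvm-encrypted
    print(build_parameters(SAMPLE_APK))
```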

Kony Future
• Eh… no time. They already gave us a binary, we already spent the time to reverse most of it.
  • Binary Patching FTW
  • Note: when calling EVP_AES256, one of the parameters you pass in is “1” for encrypt, or “0” for decrypt.
• So by patching one byte in this binary, we turn their encrypter into a decrypter!!

Kony Future
• Using the patched binary (screenshot)

Kony Future
• Boom goes the dynamite, source code!!
• But… What if you really, really want to debug this new hotness?
• Why would you want to do that? Honestly if you’re asking yourself “How do I debug these apps?” You already know why ;-)

Kony Future Beyond
• Various ways to debug, previously described method of ADB + GDB and/or IDA still works… but wait, there’s more!
• Back to the IDE we go…

Kony Future
• Included in the IDE are two versions of libkonyjsvm.so
  • libkonyjsvm_release.so
  • libkonyjsvm_debug.so

Kony Future Beyond
• They GAVE us a debug version!! But really what are the differences between these two?
• File size is, negligibly, different…
• We can’t really just plug and play can we?
• Let’s look at the files using BinDiff… next slide

Kony Future
• Seems pretty legit. Differences seem to only apply to the debug functionality that’s added. For printing out log info etc.
• Possible to rename and replace the debug shared object library with the release one. Repackage, resign, re-run, and debug.

Kony Future Beyond
• Winning setup combination. Allows debugging of native functions: ADB + JNI/JDWP + GDB and/or IDA + highly verbose ADB logcat
• Combine this with a user-debug build of Android for your particular device

Kony Future Beyond
• If you stuck with me, or even if you didn’t and you grabbed the slides and ran. At this point you should know:
  • Differences between 3 major revisions of the Kony Application Framework

Takeaways, Conclusions
• How to analyze, decompile, and debug:
  • Kony Lua Bytecode VMs
  • Kony applications using Android Shared library file without encryption
  • Kony applications using Android Shared library file with encryption

Takeaways, Conclusions
• Misc. things you now know:
  • Kony is pretty regularly updating their framework
  • These methods and techniques can change overnight with a new framework update
  • You’ll have to keep track of their library files by pulling them from Apps yourself if you don’t grab the IDE

Takeaways, Conclusions
• Other Notes and Misc.:
  • If not already done, will be working on a python script to decrypt files statically in place.
  • Will try to keep this research updated as framework updates occur.
  • Look for a step by step blog post coming in the near future.

Takeaways, Conclusions
• Notes on process: There are options for additionally protecting with Proguard, JavaScript source “encoding”, and FIPS encryption. The methods and techniques were not investigated. Maybe next time… or a future blog post coming, who knows.

Sources
• Sources and links:
  • https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2013/june/kony-2013-adifferent-kind-of-android-reversing/
  • http://www.kony.com/products/development#trial
  • http://developer.kony.com/twiki/pub/Portal/Releases/
  • https://www.blackhat.com/asia-15/briefings.html#the-nightmare-behind-the-cross-platform-mobile-apps-dream
  • http://www.devttys0.com/2013/06/encryption-vs-compression-part-2/#more-1596
  • http://sourceforge.net/projects/unluac/?source=directory

Thanks
• Thanks to my company, managers for paying me to hack stuff
• To Black Hat for having me speak
• Jason Ross for starting me down this dark path with his killer blog post
• Friends and coworkers for giving me a hand or a kick when I needed it
• To you all for listening!! Hope this stuff is helpful.

Thanks
• Reach out, We’re hiring!
• Also, if you have questions, comments, hate mail feel free to send those too.
  • EMAIL: [email protected]
  • Twitter: crweedon
