OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[UNDER REVIEW] 0x5c - Reversing - Static Analysis of Java bytecode and binary code on Android #425

Closed muellerberndt closed 7 years ago

muellerberndt commented 7 years ago

The following sections are ready for review:

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md#user-content-statically-analyzing-java-code

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md#user-content-statically-analyzing-native-code

anantshri commented 7 years ago

5c: Java code looks all good to me.

5c: native code

Spell check: "Dalvik and ART both support the Java Native Interface (JNI), which defines defines a way for Java code to interact" and "The app is not excatly spectacular:"

Besides these:

  1. Why not show wget and adb install instructions also for "Download HelloWorld-JNI.apk from the OWASP MSTG repository and, optionally, install and run it on your emulator or Android device."

  2. Any thoughts about x86 .so files and how to deal with them?

Additionally, under debugging and tracing, "Note: If you experience JRE compatibility issues with apksigner, you can use jarsigner instead:"

we need to point out that if jarsigner is used we need to run zipalign after jarsigner.

I will pick up the remaining section when it's marked as done.
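
The ordering caveat raised above, as an added example that is not part of this thread or of the MSTG text: the v1 (jarsigner) path signs first and zipaligns afterwards, while the v2+ (apksigner) path must zipalign first because its signature covers the whole file. It assumes the JDK `jarsigner` and the build-tools `zipalign`/`apksigner` are on PATH; keystore path and key alias are placeholders.

```sh
#!/bin/sh
# Added example (not from the MSTG or this review thread).
# jarsigner produces a JAR (v1) signature that does not cover archive layout,
# so zipalign may run after it. apksigner (v2+) signs the whole file, so
# zipaligning afterwards would invalidate the signature: align first.
# Assumptions: jarsigner, zipalign and apksigner are on PATH; keystore and
# alias arguments are placeholders supplied by the caller.
set -e

# Returns the required step order for a given signing tool.
signing_order() {
  case "$1" in
    jarsigner) echo "sign,zipalign" ;;
    apksigner) echo "zipalign,sign" ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# v1 path: sign in place with jarsigner, then zipalign into the output file.
sign_with_jarsigner() {
  in_apk="$1"; out_apk="$2"; ks="$3"; key_alias="$4"
  jarsigner -sigalg SHA256withRSA -digestalg SHA-256 \
    -keystore "$ks" "$in_apk" "$key_alias"
  zipalign -f 4 "$in_apk" "$out_apk"
}

# v2+ path: zipalign to a temporary file, then let apksigner write the output.
sign_with_apksigner() {
  in_apk="$1"; out_apk="$2"; ks="$3"; key_alias="$4"
  zipalign -f 4 "$in_apk" "${out_apk}.aligned"
  apksigner sign --ks "$ks" --ks-key-alias "$key_alias" \
    --out "$out_apk" "${out_apk}.aligned"
  rm -f "${out_apk}.aligned"
}

# Post-check for either path: alignment and signature must both verify.
verify_apk() {
  zipalign -c 4 "$1" && apksigner verify "$1"
}
```

Running `verify_apk` after either path catches the wrong order: an apksigner-signed APK that is zipaligned afterwards fails `apksigner verify`, and a jarsigner-signed APK that was never aligned fails `zipalign -c`.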

mhelwig commented 7 years ago

Added a small PR for

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md#user-content-statically-analyzing-java-code

Otherwise it looks fine to me.

As an enhancement, we might want to add a note on Bytecode Viewer, which is a nice GUI that combines various decompilers and lets you show decompilation and smali disassembly side by side. Thought it was already part of this section but it seems it isn't. https://bytecodeviewer.com/

mhelwig commented 7 years ago

Regarding

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md#user-content-statically-analyzing-native-code

which I also reviewed: it's basically okay (see my PR for spelling corrections) but a little short.

  1. I think we really should at least mention another decompiler than IDA, since OWASP tries to be vendor neutral. Ideally this would be another subsection in the tools section at the beginning of the document; I'll see if I can add something here. I think we should add at least a basic description of radare2, Hopper and Binary Ninja as alternatives to IDA (we can stick with IDA in the example, though). I don't know if there are more that should be mentioned. If you have suggestions, let me know.

  2. I'm lacking a deep knowledge of ARM opcodes, and the average reader probably is as well. So the explanation of the disassembly is a little short. Do we have an intro to ARM disassembly somewhere? If we don't have it or add it (it might be too much or out of scope), we might at least link to some documentation for the opcodes (I think http://infocenter.arm.com would be a good place) and add one or two paragraphs on ARM assembly specifics.

anantshri commented 7 years ago

Add a +1 for radare2 instructions, as this is open source and within reach of everyone.

As @mhelwig mentioned, references to more details would be a plus.

muellerberndt commented 7 years ago

@mhelwig @anantshri are you available to add some of those items? I need to move on from the Android reversing guide; there's so much other stuff that needs attention.

muellerberndt commented 7 years ago

No takers, so I'm closing this.