Checking security of closed source Crypto-Apps by reverse engineering

Checking security of closed source Crypto-Apps by reverse engineering

 

One important rule in modern cryptography is Kerckhoffs’s principle: It tells that a cryptosystem has to stay secure, even if every detail of this system except the secret key is publicly announced.

For apps using cryptography it is important that everyone can check if the promises of the developers are true and the codes of the apps are really secure. So normally it is needed that these apps are open source. Then everyone is able to have a look into the source code and cryptographers can check this code for security issues.

There are some promising apps using cryptography, which seem to do a quite good job on the one hand. On the other hand the security of this apps cannot be proved, as they are closed source. One example is the app Threema. It’s an alternative to the well known WhatsApp. Threema uses end-to-end encryption for securing your Smartphone-Chats on Android and iOS. The developer of this app showed a way how it is possible to validate the used encryption by a program written in C:
https://threema.ch/validation/

It is also possible to analyze network traffic by tools like Wireshark or Shark for Root on Android systems. However, the analyization of network traffic and the validation tool alone is not a sufficient criterion. An analyzation of the source code is needed for a meaningful security check. However, although the source code of Threema is not published by the developer, principially it is possible to analyze the code of the android app. The magic word is called Reverse Engineering.

Be warned: The Threema license agreement explicitly prohibits reverse engineering of the app:  https://threema.ch/shop/eula
So I’m not recommending to do this! It is important to point out that I’m just showing an easy way how reverse engineering could be done in general with any Android-APK using Windows. Do the following steps only if you have an explicit permission for reverse engineering by the regarding app developer.

First you need the following things:
1. The .apk file of the app you want to analyze.

2. A tool called dex2jar. You can download it here: http://dex2jar.googlecode.com/files/dex2jar-0.0.7.11-SNAPSHOT.zip

3. Another tool called JD-GUI. Available here: http://www.softpedia.com/get/Programming/Debuggers-Decompilers-Dissasemblers/JD-GUI.shtml

4. Unzip dex2jar.

5. Set an entry in your path environment variable to the unzipped dex2jar-folder.

6. Open the .apk-File with a Zip program and Unzip it’s contents. The zipped .apk-File contains a file ending to .dex. This file contains the byte code for Androids Dalvik VM.

7. Open the console and go to the folder of the .dex-File.

8. Enter “dex2jar filename.dex” and replace “filename.dex” with the real name of the file.

9. This will extract the java bytecode from the .dex file and create a .jar-file. Now you have all the .class files with Java Bytecode within this generated .jar-file.

10. This Bytecode can be converted to Java-Code with JD-GUI. So go to JD-GUI and open the created .jar file with it.

11. Voila. Now You can see the extracted Java code.

Unfortunately this method has still some drawbacks:
1. For most apps this is illegal. So again: Do the steps above only for apps where reverse engineering is not forbidden!

2. The recovered original java code is not very nice to read as most of the class-, package and variable-names cannot fully be restored. Also the Java compiler has optimized parts of the code for speed so for example loops could be unfolded and some other things are done. Finally the code looks not as nice as the original. However the logical structure of the code is correct and with time and commitment it is probably possible to do a full source code analysis.

3. The reverse engineered code is only valid for the APK-version of an app but not for a version which might be distributed through Google-Play-Store. It is possible that the version distributed through the Play-Store is not the same like the APK-version. So it might be that the Play-Store-Version could have additional backdoors.

Finally it can be said that already today it seems to be possible to check the security of apps like Threema by analyzing the source code of the client app. Hopefully some crypto experts can analyze the source code, maybe with help of reverse engineering (of course only with permission by Kasper Systems) and can check if they find any security drawbacks in Threema’s code.