{"id":56,"date":"2013-03-21T21:55:52","date_gmt":"2013-03-22T05:55:52","guid":{"rendered":"http:\/\/www.android-decompiler.com\/blog\/?p=56"},"modified":"2013-03-25T09:44:27","modified_gmt":"2013-03-25T17:44:27","slug":"bad-apk-decompilation-means-partial-erroneous-conclusion-in-research-paper","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/bad-apk-decompilation-means-partial-erroneous-conclusion-in-research-paper\/","title":{"rendered":"Bad Java decompilation means erroneous statement in research paper"},"content":{"rendered":"

Back in July 9, 2012, Martin Georgiev et al. published a paper entitled “The Most Dangerous Code in the World: Validating SSL Certi\ufb01cates in Non-Browser Software”<\/em> (download<\/a>) that points out broken SSL certificates validation in various applications and third-party libraries.<\/p>\n

One of the case studied is the Chase mobile banking app for Android. It turns out the version studied by the authors was 2.5 or earlier, released on April 23, 2012. (The APK can be found on Android-Drawer<\/a>.) In paragraph 10.1, the authors wrote:<\/p>\n

“Decompilation and analysis of this app\u2019s code show that it overrides the default X509TrustManager. The replacement code simply\u00a0returns without checking the server\u2019s certi\ufb01cate. The code below\u00a0is the result of reverse-engineering, thus variable names and other\u00a0details may differ from the actual code.”<\/p><\/blockquote>\n

While the first statement is true (X509Certificate.checkServerTrusted() is overriden), the second is false. The claim was made because of improper decompilation to Java:<\/p>\n

public final void checkServerTrusted(X509Certificate[]paramArrayOfX509Certificate,    String paramString)\r\n{\r\n  if ((paramArrayOfX509Certificate != null)\r\n    && (paramArrayOfX509Certificate.length == 1))\r\n    paramArrayOfX509Certificate[0].checkValidity();\r\n  while (true)\r\n  {\r\n    return;  \/\/ makes checkServerTrusted unreachable<\/span>\r\n    this.a.checkServerTrusted(paramArrayOfX509Certificate, paramString);\r\n  }\r\n}<\/pre>\n
The decompiled code is incorrect: the “while(true) { return; …”<\/strong>\u00a0is a misconstruct that lets the reverse engineer believe that this.a.checkServerTrusted() is never called.<\/p>\n
Unfortunately, the authors relied in part<\/strong> on this faulty piece of Java code to claim that:<\/p>\n
“Note the unreachable invocation of checkServerTrusted. We\u00a0conjecture that this was a temporary plug during development that\u00a0somehow found its way into the production version of the app.
\n…
\nChase [is]\u00a0completely insecure against a man-in-the-middle attack.”<\/p><\/blockquote>\n
Note that the conclusion that Chase is insecure to MiTM attacks is not disputed here. Martin Georgiev confirmed that the app was tested and was vulnerable to such attacks.<\/strong><\/p>\n
The authors may have run out of time and probably skipped the Dalvik bytecode verification step.<\/p>\n
In fact, the routine in question is pretty simple, and JEB decompiles it to a clean:\"1\"<\/a><\/p>\n
Now, it looks clear that the original\u00a0checkServerTrusted() gets called, if and only if<\/em> the certificates’\u00a0array is null or the array does not contain just one certificate.<\/p>\n
Decompilation is not a guaranteed process, but one should use professional tools to minimize exposure to bugs. A manual check of the low-level bytecode or assembly is also a requirement before making claims that a particular code path is or is not executed.<\/p>\n
Thanks to Juliano Rizzo<\/a> for pointing out this potential issue.<\/p>\n","protected":false},"excerpt":{"rendered":"
Back in July 9, 2012, Martin Georgiev et al. published a paper entitled “The Most Dangerous Code in the World: Validating SSL Certi\ufb01cates in Non-Browser Software” (download) that points out broken SSL certificates validation in various applications and third-party libraries. One of the case studied is the Chase mobile banking app for Android. It turns … Continue reading Bad Java decompilation means erroneous statement in research paper<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-56","post","type-post","status-publish","format-standard","hentry","category-decompilation"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=56"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/56\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}