Android claims to be the better phone OS, basing on Linux reputation for openness, stability and security. But there is a certain detail where the doubt starts: In contrast to most linux applications, those for Android are typically downloaded from a market platform in binary form only. For many power users this is a crack in the mirror of Android success story.

In the talk we illustrate the architecture of the runtime environment for Android user space application, the Dalvik VM. We show how this is similar and, mostly important, how it differs from Java. From this basis we move forward to the various tools of trade to analyze Dalvik bytecode. But as most Dalvik apps are compiled from an object oriented, staring at isolated mnenomics does not really help to achieve an overall understanding of the code, especially when used in a code audit scenario, when speed delivery of results is precious.

Moreover code flow analysis is required to follow the way of information from (untrusted) input to critical system functionality. We therefore enhance bytecode analysis with a reverse transformation to java bytecode, that is a well understood medium for security analysis and program understanding and further decompilation. As a practical result of the talk we release Undx2, the next major version of the undx transformation library and analysis tools exclusively at HITB 2010 Dubai and conclude the talk with live demos.

About Marc Schoenefeld

Marc Schönefeld has been involved with the deeper details of Java security for about seven years and showed the success of the presented method by finding a large range of CVE relevant vulnerabilities. After having worked in the banking IT for 10 years he moved to a large operating system vendor to identify and prevent vulnerable parts in open source java distributions. He has spoken on major conferences such as Blackhat, RSA, XCon, HackInTheBox and PacSec.