ShmooCon 2013: Armor For Your Android Apps

hey folks welcome to dr. crispy spook on schwag time band so somebody likes you first some t-shirts for smaller people the t-shirt sizes are the t-shirt sizes I can’t wear this stuff that’s a moose oven mitt this I’m not checking this is going to hurt somebody sit this that this is the control of hack game it’s a white hat security hacking in the form of a card game what member of the shmoo group helped develop this you know android apps hey guys all right um my name is Ramon and today I’m going to talk about war stories what kind of war stories um well so there’s you know we’re going to talk about some of the interesting things that have been happening in the world of Android application security over the past couple years some of the some of the interesting a vulnerability is profound and we’re going to talk about what those vulnerabilities were how to avoid them you know how to how to how to fix how to fix those issues right most of those things are going to be pretty simple but you know they’re notorious they’re they’re simple to fix but unfortunately they’re still there so so we’re going to talk about this and also at the end of the talk I’m going to demo an app that I’ve written which is kind of like a hackneyed style application it’s an Android application that you know hopefully hopefully you guys will have fun taking apart so um you know I feel justice talk maybe may be useful you know two people who are you know developing some apps for Android one if you’re at pentester who’s looking to get into the field of enjoy android security testing and you want to learn some more about Android security this may be this may be an interesting talk for you too so all right just a quick a quick caveat here in terms of what this talk is not about cuz I kind of have to kind of say this um no dramatic we’re now going to discuss any like dramatic zero days today we’re not going to talk about Colonel exploitation or platform securities probably not going to be the talk but like I said hopefully you guys will have fun that listening to this so so with this we are starting so war stories so these are these are some of the categories of different issues that we’ve been seeing and you know not only us when we do our penetration tests but also you know things that mobile I washed up 10 has been talking about for quite a while so these are some of the very common issues and so and so with a lot well what why don’t we like fun of you write an app right when we present have to try to cover some of those very common issues and so the app that I’m going to demo at the end of the talk is going to be pretty accurately mapped to all of those all of those categories and there’s going to be there’s going to be a topic for four hmm each one of those each one of those categories this is a quick review of what the app is going to look like and where don’t want to start with logging so I wanted to kind of start with this because this is one of the very easy things to I don’t want to say exploit necessarily but I would say take advantage off rather because to get to a log that an Android application is throwing to the logcat is actually relatively easy right i mean you know to do that the only thing you have to do if you are a if you are a hacker and you have the phone is you just just hook it up with the USB cable or you know some some apps and we’re going to get to this in a

minute could also read blogs a little while ago and so the point of this is that there is a pretty high probability of some sensitive information that’s being put out to the log so if you think that you know stuff like usernames you know passwords IDs authorization authentication tokens stuff like that doesn’t get logged well it does and so here’s a couple examples you know passwords that are being revealed in the Android log or Facebook authentication tokens auth tokens or last four digits of a credit card number being main outputs you know even more passwords so so so the thing is like I said this is one of the very very old issues and what are the earlier samples of malware they had the they had basically requested reblogged permission and and requested every lock permission was given the capability to read other apps other apps logs so all right should start for this no I’ll probably keep this until the end all right so all right I can start making cocktails here um anyway so before android 4.1 accessing accessing your application logs was actually pretty easy because all that and malicious have had to do was to request read logs permission if you as a user granted that permission now that app could go out and grab those logs now from android 4.1 and of it made it a little bit difficult a little bit more difficult because now even though you can request the redox permission you’re really not going to get so so the system is not going to to granted permission so that gives you some degree of protection but at the same time you know android 4.1 plus is is a delimited the limited distribution in the in the in the marketplace right now so it’s still important to you know look for look for the places in your code if you’re a developer or in the code that you’re reviewing as a pen tester for log entries because there is a lot of juicy stuff in there so like is a developer it’s probably going to be hard to like fine find those things because they sent them to hide especially know if you have if you have a pretty big application um but at this at the same time you know a lot and a lot of a lot of interesting stuff it isn’t there so so yeah this is that so this is basically it uh makes you make sure nothing nothing sensitive it gets dumped to a too long oh and one more point I guess you know if a malicious application is running is rude than you know all those protections don’t really don’t really work anymore so it’s going to be able to read your logs no matter what alright so moving on to file permissions so what MOOCs so when I talk about file permissions what I’m what would I mean most of the time is I want to talk about world writable and world readable files so even though this may not happen as often as some other vulnerabilities that we’re seeing when it does happen the consequences tend to be pretty disruptive and and and pretty bad and so I wanted to bring to bring in an example of lookout security which is which is a NOAA security product android security product and vulnerability in which was discovered by by a teaching job so that jaan bhai the exact one year as well as Tavis raimondi can independently independently discovered the vulnerability as well and so what the vulnerability was that the application decided that it can place its system database and a configuration file inside its app directory except me except make it world readable and writable so any app could go out and update update those two files what ended up happening and this is an exploit that Travis or monday ended up writing he ended up updating those files to have them picked up by the lookout security application and that resulted in the like administrative actions being carried out on behalf of a malicious app by the local security products um so you know enjoy tries pretty hard will not enjoy like the whole development

environment tries pretty hard I to prevent you from setting like relaxed permissions on application file right like eclipse for example throws a ton of warning saying hey are you really sure are you absolutely sure that you want to set a world writable permission on the file so you know most of the time I would recommend it again if your apprentice or to your clients don’t don’t use world writable stuff there’s really no reason no reason to do that and also a special case is SD card permission so as the card being you know being most of the time formatted as a thief at a file system there’s really the lack of concept of file ownership and because there’s no file ownership anyone can access everything so don’t put secrets onto a punch and SD card that that may not be such a good idea because the whole world is going to be able to UM read it oh and just as a as a little uh I guess having us here is like all the vulnerabilities that i’m talking about have already been passed so like I said no zero days today um alright moving on to content provider so why would I need a content provider you needed to share right but when you share most of the time you want to share only with select people select apps select entities right and and basically what a content provider is an Android it’s like a structured storage mechanism that for all intents and purposes acts as a database right and so so you can use that just to share data with the outside world with the app so one example is let’s say you have an email program that reads um you know you can read emails and in the program and you can also open up attachments like let’s say there’s an image and if you want to view an image with a is on the view the image with a gallery of you earth and you know gallery or they may choose to access the email clients contact provider to get the data so one of the problems that that are there with content providers or could be there is when it starts to leak which means that other apps can all of a sudden start I’m accessing those providers and here another war story is on the drop box and in 2011 Tyrone Erasmus found a vulnerability where you could access the content provider as it was advertised that was shared ad by the by the dropbox application and you could read the entire database and as we and as a result of that it’s like being a malicious application you could just upload users data for public access to to to anyone and so if you look at the little snippet of code you’ll see that the provider tag and first of all it doesn’t list it doesn’t list any permissions whatsoever and also the grantee or I permission tagged has a path prefix attribute set to slash so that effectively makes the whole database available for for others to what to look at so so that’s a bit of a problem so make sure that that when you when you share when they share a content provider you only share it with granular permissions so so you specify who exactly you’re sharing it with it may be a good idea to use signature level permissions so with signature level permissions what happens is only the applications that have been signed by the same key as your application can now access can now access your resource or content provider in this case so one other one of the report that they have here the slide that I wanted to talk about separately is the parameterize methods for queries since you know content provider implements several several database database methods it it’s normally a good idea to just use the methods that are provided by the google platform and not try to write your own code in order to not open yourself up for for for sequel injection because sequel injection can happen anywhere it doesn’t have to be a web app it can also happen locally inside you’re inside your application if your input is not is not properly melody so this little of this little diagram is actually taking from the Android developers website from the Google reference that shows how how the query arguments and the query arguments is used to basically pull stuff from the content provider how at the maps 2 2 the sequel statements or work or just sequel sequel operators and keywords and so most of this most of the time what you

need to do with sick well you can only you could also do with with cognate provider methods such as the query method so use that all right so your rise um the URI is effectively a scheme that lets you invoke an application to handle a certain type of resource right so if you have a nation picon / / that’s a uri scheme that may trigger a browser if you have in my app calling / / blah blah blah that we trigger them my tab application so you would normally declare the the uri scheme in the in the manifest under the data tag and the example that i wanted to talk about here a pretty destructive one or destructive it in a funny way I guess is an example that that Colin mulliner presented i believe it was ninja con in 2011 and so this was a this was a case where it was an NFC an NFC token an NFC tag that that that that was presented to a phone and then the Android system would force out the URI out of the data encoded in the tag and then the the you’re right that was extracted was passed over to the foursquare app because it was registered as the handler for that URI and well guess what happened so the URI I’m sorry the Foursquare application just goes ahead and makes an authenticated call to the server completely trusting the data that came from the tag so why is this a problem well so so so what happened was let’s say that if you wanted to UM to check in at at time square so and by the way like all the all the screenshots here all the screenshots here came from calling Collins presentations on credit than Kim for this so let’s say that you want to check in at Times Square what happens in the Foursquare application in the back end is it gets associated with a certain with a certain name of the the venue name right but what does not happen is that the name is not associated with the venue ID so for example if an attacker were to create a little Aloha um you know fake fake and FC transponder that would that one when you or fake NFC tag I’m sorry that will have a venue name that was times square which is where you think you are but the venue ID that was different you end up checking in someplace else in Chippendales so well I guess I guess everyone sees like potential issues with that especially if you do this during work hours that thing so some other potential scenarios potential scenarios that could happen here is effectively what’swhat’s cross-site request forgery right what if the application just blindly passes they think that that’s been received from the tag it gets it over to the server well if you have some more sensitive functionality such as you know add a follower at the friend things like that you end up making all of those requests in the context of an authenticated session and as a result you may end up like adding adding adding a follower that you didn’t really want to follow so all sorts of stalking issues come up here so the moral of the story is you know I this is like this is a really a really all thing and I’m sure you guys have heard this multiple times already but this is another example why you shouldn’t trust anything that comes coming from from from from outside your application even if it’s like an NFC interface that you know you may think it may be more secure for whatever reason choose the matter is it may not be oh so another interesting another interesting vulnerability here is what happens when we take a you’re right handler and we somehow combine this with a webview so this may not make sense right now but hopefully it will in a few minutes so what’s a webview essentially it’s like a simple a simple class simple mechanism to view web-based content and application even though it’s pretty simple it actually supports some pretty interesting functionality it’s a force a

bit more than just static pages for example JavaScript other plug like other client side stuff as well but javascript is an example that I want to talk about today so a JavaScript interface you can you can you can add the capability for your web view to interact with your application so even though by default javascript is disabled you can deliberately enable it and well there could be potentially issues with that as well and you really have to ask yourself a question do you need that do you need JavaScript what happens if the JavaScript that I’m putting in my web view has an interface in my application that it can access and that interface supports some sensitive functionality well what could happen is let’s say I register a you are right handler called voix so everything everything that starts with blah is going to be handled by my app so then i take whatever data came from the uri i stick that into a javascript-enabled web view so now there’s stuff JavaScript client side stuff running in the webview but then there’s an interface just ripped interface that’s exposed that my application can now talk back that the JavaScript can talk back to the application through so if i post a link on any page right that contains this you are a handler and I specify a malicious payload it will effectively end up involving some potentially destructive functionality on the application because you can talk to it through the JavaScript interface so here’s here’s here’s a real life example here this is a manifest where you have a data scheme blah right and then this is where stuff that was that got into the get into the application from the from the URI gets stuck it to the webview so this is a link that I can put on my website so that it would be all right it is it is better all right who have I been talking to all this time all right anyway so so yeah when you take when you take stuff that that came from the from the from the from the URI and it’s got into the webview now if i advertised and a JavaScript interface inside my application and it eventually makes it into the webview well I can invoke codes with a JavaScript interface through the JavaScript interface functionality and then you told within the application this is the code that’s being run would it be and so stuff goes from the web into the application application takes the exposures de all right puts it to the webview web deal runs and then called stuff back on the application on the JavaScript interface so possible problems here you know you can you can end up just giving up control of your application to malicious entity to a bad guy who ends up posting a link on the web page or you know I’ll alter your data so there is there’s a whole bunch of different bad things that can come out of this so if you can a couple things that I would recommend here first make sure that you limit the domains that you can load through the webview there’s really no reason for your web view to load stuff other than from places that you that you would expect to load stuff wrong so if you have some server back-end that serves you know HTTP content you can specify that as one of the restrictions and also be very careful with the JavaScript interfaces because you don’t want to convert this functionality but that may be invoked by my code that comes in through the web view in in the malicious in a malicious fashion all right now let’s talk about intense so I’m hoping most you know that in with intense your you’re essentially compassing kind of event based messages between different applications and even though stuff happens locally you know the same input validation paradigm build or not at last year as well so here you should also make sure that you you know

don’t trust stuff in the intent blindly and required permissions every time you’re handling handling intense the example here is Google what and this is something that that our interpreters guys and found in april of 2012 where a malicious application could enable remote logging ah i take it back not remote logging it could enable logging of of last four digits of a credit card through throwing a a and intent and the application the Google Wallet did not verify the sender of it intent and so this little snippet of code here shows well this is basically in a piece of the exploit code so what happens here is an intent get declared by let’s say our application written by interpreters we set the action too blah blah blah blah blah changelog priority level and that’s and that’s the action that Google Wallet will have an intent filter for then we add a little extra field to turn on verbose logging and then we just kind of bless bless it out and what happens is well of course the application starts dumping the dumping the parts of the credit card number so this is what the so so this is what the receiver like looked back then right so anyone can just send stuff to it because it will be intercepted by the intense field it will be called by the intense filter the receiver of the broadcast receiver would act on that this could have probably fixed it because once you don’t export your intent now you not now you can be sure that only the components of your application can can access can contend consent stuff to the send stuff to the to the receiver another way to you know to expose this intent but only limited to certain entities that should be calling stuff in it would be to require two required permissions so when you requested permission and especially that’s it that’s again a signature signature based permission right you’re ensuring that whoever whoever sent a what whoever sends an intent to your receiver or you’re with your to your application has the has the same signature as your app I mean you don’t have to use signature permissions but I’m just saying that because signature permissions are normally transparent to the users but to the users they don’t have to actually go and click say hey it’s fine I accept your apt except with your app needs dis permission so because of this because of the fact that it’s transparent it may be it may make for a better user experience when when you when you do it this way so a couple of things to watch out for so if there is an intent filter the activity instantly becomes exported so you have to make sure that if you don’t mean to export you and your activity or only have it accessible by your internal components you said they explore the attribute to false and like I said poor sensitive actions definitely make sure that whoever calls into your app has the proper proper permission level and also you know when you can both activities big granular and when I say big granular basically require out require that the activity is invoked by the class name if possible now I understand this may not be possible in all times because sometimes you just don’t know what the class name is going to be if you’re calling it to a different application that said think about a scenario where you’re intense that you’re throwing matches several intensive intent filters and so if it matches several intent filters this could potentially bring about a security issue because what happens if someone who’s trying to intercept my intent end up being malicious and I as a user say alright I’m going to open this link with either Google Maps or g 00 google maps and i end up clicking on the wrong thing and the intent end up going to the wrong place and this kind of goes back to their to the prior recommendation that i mentioned about not putting sensitive stuff and indents in the first place all right encryption issues over the network we’re going to talk about a couple things here first of all I think it’s

pretty safe to assume right now that you know since you’re mostly are probably been in the pen testers I’m guessing you know intercepting stuff locally is pretty easy right so many of the middling stuff is amended meddling stuff if you’re if you’re local is relatively easy not so much when you’re when you set on a different machine but if you’re if you’re local that’s easy and you know when developers do something like they use self-signed certificates in their production code well guess what happens all right so you’re essentially getting getting rid of the whole see a validation modal and authorities because any any certificate is now a good certificate I can put whatever I want as a man in the middle and and see the traffic when would that happen when it well if you override the the trust or the default I’m sorry the default trust manager in Java that’s what this was going to happen by the way it’s difficult overriding that manager is difficult but we’ve seen it done the thing is like I said like like with some other other items Eclipse makes it difficult Java complains a lot about this so don’t override default trust manager so how does how does a ssl validation work on enjoy so most of the time the SSL validation will be done by the end road system so it would look in the unit trusted certificate authorities a certificate authority store right and it would say hey this certificate that then that I am seeing from a server is that good can I trust it cannot trust it and then makes the decision based on that so if as an attacker you end up pushing to seek your certificate into the trust or you can now see the traffic well before android 4.0 you could use like you could use the ark a source PKS trust or but you had to be routed to push stuff to push your certificate you’re signing certificate into that store with android 4.0 things have become a lot easier you can now use user certs which means that all you have to do is just put your son insert on SD card and just import it and and that’s it now you’re now as your system trusts any certificate at a seat so what do you do about this as a developer it may be a good idea to use certificate thing with certificate painting what what you would essentially do you would you would give within the public key of your server to the main name to your domain name so every time every time that every time that your application tries to reach out to a server it would know it would know are the exact the exact exists certificate that it should be seeing another another way to do certificate pinning is instead of pushing the the exact certificate hash of the hash of the public key into the code you can also have the signing certificate of the certificate authority that only you can sign your search with and that way you can check if the server sir that you’re connecting to you if if at cert has been signed by known CA now now you know it in your code you’re pinning it to certain CA and now that you know that it can be trusted so in a way you’re kind of removing the normal see a validation out of the you’re removing it from the picture completely um so is pinning a good idea definitely is that a silver bullet probably not there are ways to there are ways to bypass those like isaac partners enjoyed ssl bypass tool has been written specifically to bypass spinning on on android applications but the thing is it’s not an app it’s not an app that’s like you know very very easy to kind of break break out and use it definitely makes the hackers job of breaking the application a lot harder so i would i would say that it’s still it’s still a good idea to to to add another degree of complexity to to the to the hackers to the hackers job and by the way if you guys are interested in that you know really more about certificate pinning i would suggest reading the Moxie Marlinspike blog he’s got a great entry on unpinning so i would definitely recommend doing that all right now now we’ve talked about encryption that was

done locally let’s talk about encryption I’m sorry encryption over the network let’s talk about encryption or encryption that’s that that’s done that’s done locally so I’ve seen this take one of three common forms number one hard-coded keys all right you know wick encryption algorithm you know people peoples still using a week ciphers and all that stuff or maybe some stronger encryption algorithm but those where their strengths are completed the heated by the fact that they are used in properly and and and security decisions are are made locally and can be and can be completely bypassed so one example that they have is an app that has a has an authentication token that it presents to the server and the token is a sha-1 hash that’s based on a phone number let’s think about this sha-1 hash based on the phone number showing hash or it’s reasonably secure that’s fine but it’s something that we control locally so once we know that the phone number is what’s used to generate the shower and hash the question as well can we maybe she’ll one hash other phone numbers and all of a sudden become different users of the application so so so this is actually exact exactly what happened I mean who’s a pretty pretty massive fail so I do that on request sure this guy may not know a lot about encryption they are all right so it’s going to recap the whole encryption thing here a few suggestions so don’t abuse ssl if there’s a trust manager use it as intended don’t try to you know don’t try to get around it even even it even in the in the development code augment egg mentor start by appending certificates you can use other stuff you can use you know mutual authentication is also a good idea to use so that you are now presenting clients earth to the server so that the server would know who is connecting to it also check the local signature of an application to make sure that your application hasn’t been messed with maybe a little extra bit of work but still worth it and you know in terms of protecting you’re protecting your application from maybe remote men in the middling it would be you know you can’t really force traffic out of out of a specific interface on enjoyed as far as I know but you can certainly prefer one interface over and over another and so um what i would do is in my code i would i would assume that everything goes over Wi-Fi that can be controlled by an attacker and prefer and prefer to send traffic out of the cell network all right so here is some some tech some technical suggestions you know remove the bugging code secure apps resources meaning make sure that you’re you know file permissions file permissions are set properly you can use certificates painting definitely use office cares make sure if you use proguard it’s free Android let’s let’s say use it for for everything if you’re right it also strips unused code which which is a good idea anyway but but most of the time you know try to try to try to really look at the big picture and and recommend to others to look at the big picture so trying to try to you know think think like a hacker and what it means is look at your application from a bear a level perspective try to enumerate the wrist maybe there are certain things that you did not intend to happen and they would happen anyway right so um so there could be no risks to your data could risk to the to the infrastructure and so these are some of the things that you need to keep in mind as you’re as as you are pulling together your app next step identify the attack surface and so and so I think what that what the cat was doing there was trying to apply the attack surface with what a turtle so think about you know what sensitive info is transmitted by your app what’s stored are you may be using some some insecure libraries is in so all these things together they really help they really help create and more secure application from the get-go you know as a post as opposed to as opposed to know trying to

patch it later and you know finally challenge your assumptions about about about security I gave you an NFC example right where an assumption was made or possibly made it’s something that came from from an NFC interface is somehow more secure may not necessarily be the case because you know you may think that attacker may not have access to the hardware required to write to your tag or you know do some or deal with some other technology but the truth the matter is it it’s actually much more possible that you may think it is so just keep that in mind and challenge your own assumptions heart and and you know finally it’s it’s important to understand you know how Android reversing work so you know there is a lot of conversations about how secure or insecure Android platform is the truth the truth is that the oversight on what advocate push into the market may not be known as as rigorous as some other platforms and going to let you guess which platforms I’m talking about so you can pull apps from the phone you can recompile them here you can patch them you can recompile them pretty easily there’s ton of tools available you can change the code because the apps are written in Java so there’s a lot of there’s a lot of things that you can do with with a little nap so the most important thing is you know you really should know how the appt could be broken and with this I’m going to move to the IG learner app demo that so this is going to be a demo of the IG learner app and it’s like a city up style at City F there’s the for those who don’t know capture the flag tap application it’s it’s a bit easier than a regular City app but it’s like a lesson base like it’s like a level based type of thing where you have a whole bunch of challenges and you’re supposed to and you’re suppose to solve those challenges the QR code here links to the market I’m telling you it’s totally legit to go head and download that take my word for it I I really like watching people’s reactions to take my word for it ok and now and we also have the code up on github for this there’s a walkthrough it’s currently being finalized out so please check back on interpreters inside blog and also you know I definitely wanted to mention two more things you know shout out to Jack Menino who kind of inspired whose go droid project kind of inspired me to write this definitely check out that project it’s it’s it’s awesome highly recommended and the entire mobile or was top 10 there are quite a few differences between you know this and go joyed and you’ll see them but i would say to definitely check out check out jack meninas are almost at em project and they go droid application all right and by the way you don’t really need anything besides the APK cheat around us so all right demo alright so I’m going to move this over so what happens here is what happens here is this is the listing of lessons so we have lesson for for for every every topic that you can see the instructions if you want to read these instructions then you can all right clothes instructions you’re outside I probably should have made the video i will go a little bit faster apologies um so you can try to tap in some some garbage in there and so by the way like right now I’m burning and burning one of the lessons this is like the most trivial lesson of the application it’s it’s really really simple really easy but I just wanted to make sure it you see the you get the flavor of what this is so this dumped a whole bunch of debugging output to the lochhead console and there are the secret code is lurking in there somewhere and I’m going to I’m going to show you how this how this works alright so that’s the code right there alright so the next step is going to be I’m going to punch this code into my appt again it’s blur I’m going to I’m going

to punch in the correct code here alright and so you know like I said an important and important thing that I want to mention here is that this is a really trivial lesson and the other lessons are quite a bit harder but I think they kind of go increasingly harder as you progress through the exercise and so this is just a quick overview of some the tools that you want to use as you’re taking apart the application if you want to so that’s to jar will give you will translate the APK the installation file to our a readable Java code the problem with Java code you even though you can read it and understand the logic of the application a lot easier than otherwise you can’t really won’t compile it back into an application if again this is something that you would normally use to just try to understand the logic of the app and then just put it into a java decompiler and running this inside a JD you too so here this is let’s see like this is my logging logging garbage method you can see that the code is not office cated it was actually not an office carried on purpose and this is a virtual studio tool that I used to look at the smaller code and smaller code is is it is it it is effectively the instructions of running the dalvik VM and the smaller representation of an apk something that you would use to actually pass the code make changes to it and recompile it back so I’m going to actually go you’re here here because just to save some time but I’m going to tell you that I will this tool which is by the way great tool vs 10 studio is its name what you can do is you can just written violet and push it back at the click of a button which is pretty pretty simple and you can just take my word fight again that it’s actually going to push back and execute just fine so I know that I’m running a little bit short of time so I’m just going to close this up right here and say that here we’re done if you still want to get the app download the app the QR code is right there so thanks very much for coming out thanks very much for listening to me and if you have any questions that think that you have time for questions I would rather take something No so so so the question was whether there were any any any methods for reversing provide alpha station and if and if apps were using proguard so you know public participation is that sometimes you may not know what the problem was up for skated with provide i would say i mean i would i would say like knowing the transition between the source code and the techno me by the source code a lot of a lot of people do use brevard but but but yeah that’s that’s that sometimes a little bit difficult to figure out though what it was where it was a escaped with and then in terms of anti confiscation you can have some indirect methods of trying to figure out how things were obfuscating but these are really like said that the QR is indirect method right you can deduce by let’s say following the class truck class hierarchy to say hey but this seems to inherit from this class in this seems your hammer from this class this is what’s probably this is what’s probably happening but there is no no tool that I’m aware of that would just take anything of taking an office game.apk and turn that into an obfuscated code you that answer the question oh and yes thanks guys all right