Talk With Angel Garcia!


a blog about software and beers

Don’t put sensitive data on the client side: reverse engineering published Xamarin Forms apps.

Let’s begin with the following statement: “Secrets are not safe to store in your code even if you put them as part of your CI/CD pipeline”.

Disclaimer: this article was not made with bad intentions or to put any app at risk, it is purely for academic purposes and to show that it is not good practice to leave sensitive things as part of our code.

No matter how hard you try to hide something in your app’s code, at the end of the day what you publish is a compressed archive (IPA or APK) containing every DLL needed to run your Xamarin app. If you know a tool like ILSpy, which browses and decompiles .NET assemblies, it is trivial to take those DLLs and read your typical Constants.cs class.

Before starting the process for either platform, install ILSpy as a VS Code extension; that way it works on Windows, Linux and macOS.

Decompiling your favorite Xamarin app from App Store.

Getting the IPA file is an easy (and legal) process if you have the app installed on your iPhone and you have a Mac.

First install Apple Configurator 2, then follow this guide to extract the IPA file.

Now you just need to unzip the file using:

unzip TheNameOfTheFile.ipa

Locate the DLLs whose code you want to decompile or browse, open the Visual Studio Code Command Palette (View > Command Palette), type ilspy to list its commands, choose Decompile IL Assembly (pick file) and open the assembly you want.

Voilà, just click on any of your picked DLLs to see the code:

[Screenshot (2020-11-15): the decompiled source of the picked DLL shown in VS Code]

With all the code exposed it is just a matter of time for you to find any “secret” string out there.

Decompiling your favorite Xamarin app from Google Play Store.

For Android, the process of getting the APK is as simple as:

  1. Go to the Play Store website.
  2. Locate your app.
  3. Copy the URL or the package name (it appears in the URL).
  4. Go to the web app called APK Downloader and paste the URL or package name.
  5. Click “Generate Download Link”, wait, and you will get a link to the APK file.

Repeat the same step we did for the IPA (now pointing to the APK) to unzip the file using:

unzip TheNameOfTheFile.apk

For Xamarin Android apps, the DLLs will be located in a folder named assemblies.

Open the files you want to see the code with ILSpy (same way as we did before).

If the APK you downloaded was built with a version of the Xamarin.Android SDK released after May (see PR), you won’t be able to read the DLL contents: ILSpy does not support the new compression format that Xamarin now uses for Android assemblies, LZ4.

Don’t worry, I was looking for a solution and I found this Python script for decompressing LZ4-compressed DLLs (credit to the people of X41 D-Sec GmbH); just run:

python Xamarin_XALZ_decompress.py YourApp/assemblies/YourApp.dll YourApp.Uncompressed.dll

Then you can open the uncompressed DLL with ILSpy.
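As an added example, and my own code rather than the X41 script the post links to, here is a minimal XALZ unwrapper in pure Python with no third-party LZ4 dependency. It assumes the 12-byte header layout that script handles: the magic XALZ, a 32-bit descriptor index and the 32-bit uncompressed length, all little-endian, followed by one raw LZ4 block. The uncompressed length in the header doubles as a sanity check, so a truncated or corrupted blob raises instead of producing a silently wrong DLL. The sample blob is constructed by hand so the code runs offline.

```python
from __future__ import annotations

import struct
import sys

XALZ_MAGIC = b"XALZ"
XALZ_HEADER_LEN = 12  # magic (4) + descriptor index (4) + uncompressed length (4), little-endian


def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Decode one raw LZ4 block (no frame header) into exactly expected_size bytes."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        # Literal run length is the high nibble; 15 means "add following bytes until one is not 255".
        lit_len = token >> 4
        if lit_len == 15:
            while True:
                extra = src[i]
                i += 1
                lit_len += extra
                if extra != 255:
                    break
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:
            break  # the final sequence carries literals only
        # Match: 16-bit little-endian offset back into the output, length is the low nibble plus 4.
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError(f"invalid match offset {offset} at input byte {i - 2}")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while True:
                extra = src[i]
                i += 1
                match_len += extra
                if extra != 255:
                    break
        start = len(out) - offset
        for k in range(match_len):  # byte-wise copy so overlapping matches (offset < length) work
            out.append(out[start + k])
    if len(out) != expected_size:
        raise ValueError(f"decompressed {len(out)} bytes but the header promised {expected_size}")
    return bytes(out)


def xalz_unwrap(blob: bytes) -> tuple[int, bytes]:
    """Return (descriptor_index, assembly_bytes); a DLL without the XALZ magic is passed through as-is."""
    if not blob.startswith(XALZ_MAGIC):
        return -1, blob
    if len(blob) < XALZ_HEADER_LEN:
        raise ValueError("truncated XALZ header")
    index, size = struct.unpack_from("<II", blob, 4)
    return index, lz4_block_decompress(blob[XALZ_HEADER_LEN:], size)


# Constructed sample, not a real assembly: descriptor index 7, 17 uncompressed bytes, one LZ4 block
# made of the literals "MZabc", a 9-byte match at offset 3, then the literals "XYZ".
SAMPLE_WRAPPED = XALZ_MAGIC + struct.pack("<II", 7, 17) + bytes.fromhex("55 4d5a616263 0300 30 58595a")

if __name__ == "__main__":
    # Same calling convention as the script in the post: python xalz_unwrap.py input.dll output.dll
    index, assembly = xalz_unwrap(open(sys.argv[1], "rb").read())
    with open(sys.argv[2], "wb") as fh:
        fh.write(assembly)
    print(f"descriptor index {index}, wrote {len(assembly)} bytes, PE magic ok: {assembly[:2] == b'MZ'}")
```

A quick check after unwrapping is that the output starts with the PE magic MZ; if it does not, the blob was not an assembly or the block was corrupted before the length check could catch it.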

Conclusions.

  • If you have the option to keep your secrets on the server side, PLEASE DO IT.
  • Use HTTPS: with a simple network sniffer anyone can look at your app’s requests and read secrets without even reverse engineering anything if you are not on SSL/TLS connections.
  • Treat public APIs as what they are, public; sooner or later someone will discover that “secret URL” and try to use it.
  • Obfuscation only slows the process down; there are several deobfuscation tools, and I am sure you are not ready to accept the cost of maintaining obfuscated code.
  • Start considering security a feature of every app from the initial planning, before the development team writes a single line of code.
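As an added example that is not code from the post, here is a small release-gate scanner in Python that applies the conclusions above in reverse: it runs over your own unzipped IPA or APK before publishing and flags string literals in the assemblies that look like secrets. It extracts both ASCII and UTF-16LE runs, since .NET stores user string literals as UTF-16, then applies keyword and private-key patterns plus an entropy heuristic. The pattern list, minimum lengths and entropy threshold are my assumptions to tune; the sample assembly bytes are constructed inline.

```python
from __future__ import annotations

import math
import re
import sys
from pathlib import Path
from typing import Iterator

MIN_LEN = 8  # shortest string worth looking at

# Printable ASCII runs, and UTF-16LE runs (how .NET keeps user string literals in the #US heap).
_ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Patterns a release gate flags; an assumed starting set, extend with the key formats your providers use.
SECRET_PATTERNS = [
    ("keyword-assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[=:]\s*[\"']?([^\s\"';]{8,})")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def extract_strings(data: bytes) -> Iterator[str]:
    """Yield every ASCII and UTF-16LE string literal candidate found in raw assembly bytes."""
    for m in _ASCII_RE.finditer(data):
        yield m.group().decode("ascii")
    for m in _UTF16_RE.finditer(data):
        yield m.group().decode("utf-16-le")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score noticeably higher than words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_assembly(data: bytes, entropy_threshold: float = 4.0) -> list[tuple[str, str]]:
    """Return (rule, string) pairs for literals that should not ship in a client-side build."""
    findings = []
    for s in extract_strings(data):
        for rule, pattern in SECRET_PATTERNS:
            if pattern.search(s):
                findings.append((rule, s))
                break
        else:
            # A long, space-free, high-entropy literal looks like a key rather than UI text.
            if len(s) >= 24 and " " not in s and shannon_entropy(s) >= entropy_threshold:
                findings.append(("high-entropy", s))
    return findings


def scan_tree(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan every .dll under root (the unzipped IPA, or the APK's assemblies folder)."""
    return {str(p): f for p in root.rglob("*.dll") if (f := scan_assembly(p.read_bytes()))}


# Constructed sample, not a real assembly: a harmless type name, a UTF-16 literal that
# looks like a hard-coded key (placeholder value), and ordinary UI text that must not be flagged.
SAMPLE_ASSEMBLY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Constants\x00\x00"
    + "ApiKey=EXAMPLE_placeholder_key_1234".encode("utf-16-le") + b"\x00\x00"
    + b"Welcome back to the app!\x00"
)

if __name__ == "__main__":
    # Usage: python scan_release.py path/to/unzipped/app   (non-zero exit blocks the pipeline)
    hits = scan_tree(Path(sys.argv[1]))
    for path, found in hits.items():
        for rule, literal in found:
            print(f"{path}: [{rule}] {literal}")
    sys.exit(1 if hits else 0)
```

Run it as the last step of the build, after the archive is produced, so it sees exactly the DLLs a user would unzip; for Android builds that use the LZ4 assembly compression, unwrap the DLLs first or the scanner will see only compressed bytes.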

Happy hacking, sorry, happy coding!

3 Comments

  1. Mark

    Extremely interested in this article;
    however, from what you are saying the only option is to have the secret keys server side.
    However, then how do you secure the URL to the server side if you need keys before authenticating?

    Many thanks

  2. Mark

    Thanks for your reply.
    But then if the endpoint is public, potentially anyone could get the keys.
    This is a big problem really. The only way is to get the keys only when authenticated, I guess, which does not help my use case.

