从Android APK或.so文件中提取机密

上下文

作为一项练习，我正在研究在android移动应用程序二进制文件中隐藏秘密的所有方法...是的，我知道，通过或多或少的努力，它们总是可以通过静态分析，运行时来提取。内省或遭受MITM攻击。

在隐藏秘密的研究中，我发现Android的最佳方法是使用JNI / NDK，直到现在我还找不到反向工程的方法。


注意：我了解逆向工程师的高级概念，但是我没有任何经验。


我的尝试

$ strings -aw lib/x86/libnative-lib.so | grep -C 1 -irn 'the-secret-api-key-goes-here' -
932-[^_]
933:the-secret-api-key-goes-here
934-cannot allocate __cxa_eh_globals

所以我在二进制文件中找到了API密钥，因为我知道它，但是我希望能够找到它通过搜索变量可以将其与以下内容关联：

$ strings -aw lib/x86/libnative-lib.so | grep -C 1 -irn 'JNI_API_KEY' -
$

或

$ strings -aw lib/x86/libnative-lib.so | grep -C 1 -irn 'SECRETS_API_KEY' -
$

都没有返回任何结果...我也尝试使用hexdump和objdump，但没有成功！！！

我也尝试了q431207 9q和radare2，但是我的知识不足可能无法帮助我找到要访问的API密钥。

作为最后一次尝试，我用MobSF反编译了二进制文件，并搜索了smali代码来查找retdec， JNI_API_KEY和SECRETS_API_KEY没有成功。

此时，我不想求助于Frida或xPosed来获得运行时逆向工程技术或MITM攻击方法...

因此，现在我只想知道是否可以使用其他二进制或反编译技术来查找API密钥？


注意：寻找开源工具，而不是商业用途


代码

我用来在Android应用程序中使用JNI和NDK隐藏API密钥的代码如下...

文件：native-lib.cpp

#include <jni.h>
#include <string>
#include "api_key.h"

extern "C" JNIEXPORT jstring JNICALL
Java_com_example_secrets_MainActivity_stringFromJNI(
        JNIEnv *env,
        jobject /* this */) {

    // To add the API_KEY to the mobile app when is compiled you need to:
    //   * copy `api_key.h.example` to `api_key.h`
    //   * edit the file and replace this text `place-the-api-key-here` with your desired API_KEY
    std::string JNI_API_KEY = SECRETS_API_KEY;

    return env->NewStringUTF(JNI_API_KEY.c_str());
}

文件：api_key.h

#ifndef SECRETS_API_KEY
#define SECRETS_API_KEY "the-secret-api-key-goes-here"

#endif / SECRETS_API_KEY

文件：CMakeLists.txt

# For more information about using CMake with Android Studio, read the
# documentation: https://d.android.com/studio/projects/add-native-code.html

# Sets the minimum version of CMake required to build the native library.

cmake_minimum_required(VERSION 3.4.1)

# Creates and names a library, sets it as either STATIC
# orJNI_API_KEY SHARED, and provides the relative paths to its source code.
# You can define multiple libraries, and CMake builds them for you.
# Gradle automatically packages shared libraries with your APK.

add_library( # Sets the name of the library.
        native-lib

        # Sets the library as a shared library.
        SHARED

        # Provides a relative path to your source file(s).
        native-lib.cpp)

# Searches for a specified prebuilt library and stores the path as a
# variable. Because CMake includes system libraries in the search path by
# default, you only need to specify the name of the public NDK library
# you want to add. CMake verifies that the library exists before
# completing its build.

find_library( # Sets the name of the path variable.
        log-lib

        # Specifies the name of the NDK library that
        # you want CMake to locate.
        log)

# Specifies libraries CMake should link to your target library. You
# can link multiple libraries, such as libraries you define in this
# build script, prebuilt third-party libraries, or system libraries.

target_link_libraries( # Specifies the target library.
        native-lib

        # Links the target library to the log library
        # included in the NDK.
        ${log-lib})