BSides Joburg 2025

Peering behind the Shadows: Reverse Engineering Android JNI Binaries
2025-07-26, Track 1

Android Java Native Interface (JNI) provides a means to bridge the Java and C/C++ worlds. While Java bytecode is relatively straightforward to decompile and analyse, compiled JNI libraries (.lib, .so files) have pretty much been left in the shadows, especially with regard to reverse engineering broader aspects of the JNI API. This lack of vision on JNI binary-fu is a significant hurdle for security researchers and reverse engineers. Binaries can house sensitive logic, custom encryption algorithms, or even malware, making their analysis crucial for a comprehensive security assessment.

The talk presented here aims to shed some light on practical methodologies to reverse engineer, and even automate vulnerability assessment for, Android's JNI libraries. Security researchers and anyone looking to expand their Android mobile security assessment skill set should give this talk a listen.


Android applications aren't always purely Java or Kotlin. Many rely on the Java Native Interface (JNI) to tap into the power and performance of native code, often written in C or C++. These compiled libraries (.so files) become black boxes, obscuring critical functionality and potentially hiding security vulnerabilities from traditional Android analysis techniques. Understanding what's happening in these native layers is paramount for comprehensive security assessments and effective reverse engineering.

This talk will equip you with the essential knowledge and practical skills to begin dissecting Android JNI binaries. We'll start with a foundational overview of why native code is used in Android and the challenges it presents for analysis. We'll then dive into the necessary tools and techniques, including:

  • Understanding the basics: We'll cover fundamental concepts like CPU architectures (ARM, x86), assembly language basics, and how JNI bridges the gap between Java and native code.

  • Setting up your environment: We'll discuss how to use binary analysis frameworks and debuggers (GDB) for dynamic analysis.

  • Static analysis and symbolic execution: Learn how to navigate disassembled code, identify key functions, analyse control flow graphs, and spot potential areas of interest without running the application.

  • Dynamic analysis in action: We'll explore techniques for attaching debuggers to running processes (both emulated and on-device), setting breakpoints, inspecting memory, and tracing execution flow to understand runtime behaviour.

  • Identifying vulnerable JNI patterns: Learn to recognise common JNI function signatures and how Java code interacts with the native layer, making it easier to pinpoint vulnerable areas.

Through demonstrations (some precooked and some live) and practical examples, you'll gain a solid understanding of how to approach the reverse engineering of Android JNI binaries. This talk is designed for security researchers, penetration testers, malware analysts, and curious Android developers who want to gain deeper insights into the native components of Android applications and enhance their ability to uncover hidden functionality and potential security flaws. By the end of this session, you'll be better equipped to peel back the native layer and gain a more complete understanding of the Android applications you analyse.

Keith Makan is an experienced cybersecurity consultant and researcher with a strong history of helping clients around the world manage information security risks. He is the co-founder of SonarSentry B.V., a cybersecurity startup based in the Netherlands. Keith is also a published author, having written "The Android Application Security Cookbook" and "Penetration Testing with the Bash Shell". His security research contributions include identifying vulnerabilities in widely used software like Google Chrome. Recently, he completed his MSc in Computer Science, focusing on automated vulnerability analysis in binary formats.