Android binary libraries

Mediacode.apk

The application contains DEX code and binary blobs.

One version for each architecture.

• armeabi: ARM 32bits no Floating Point

• mips: MIPS

• x86: intel X86 32bits

Libraries export symbols to be used through JNI.

• nm -gD lib/x86/librrnad.so | grep JNI

Before the binary libraries can be used, Java must load them.

• System.loadLibrary: argument is the library name (without lib, architecture or .so).

• System.load: generic object load. The argument is the full path to the object.

• The JNI_OnLoad method is called automatically (in the lib).

  • Allows automatic setup of data structures and generic initialization.

  • May be abused if malware is present.

Without the library, the application will crash when external methods are requested.

JNI Arguments

Native methods support arguments from Java code.

• Arguments are pointers to Java structures.

• Must be processed using specific methods, capable of handling the native Java types.

Native methods can also be called Java methods and classes.

• Mainly achieved by the first argument of any JNI method: JNIEnv*.

JNIEnv* is a pointer to a structure with a large number of functions.

• JNI Methods use it to invoke Java methods and handle Java types.

In the Java world native methods are declared:

• With the keyword native.

• Without implementation.

Easy to spot if we have the Java or Smali code.

• Java: public native String decryptString(String).

• Smali: .method public native decryptString(Ljava/lang/String;)Ljava/lang/String