Okay, hello everybody and welcome to my talk "All Your Fitness Data Belongs to You: Reverse Engineering the Huawei Health Android App". My name is Christian Kudera and I'm a security analyst and researcher at SBA Research. Furthermore, I'm a PhD candidate at TU Wien and I'm mainly interested in IoT, embedded and hardware security. Okay, can we please turn on the microphone? Thanks.

Okay, before we start I want to give you a short overview of my talk. We will start with my motivation: why I started to reverse engineer the Huawei Health Android app. Afterwards, I will give you a brief introduction to Bluetooth Low Energy, then we will talk about static and dynamic program analysis, and at the end we will talk about the Huawei Link protocol and I will give you a short conclusion.

So let's start with my motivation. In December I decided that I want to buy a fitness wearable, and the reasons for that were that I was very interested in monitoring my pulse and tracking my activities, and I hoped that it would motivate me to do more sports. This did not work out that well, because for the first three weeks after receiving the watch I used every free minute to reverse it. So here you can see the watch, also in this picture. My reasons for the Huawei watch were that I wanted a watch with a good battery life, and this watch has an incredible battery life of about 10 to 14 days. It has an affordable price and it has reliable hardware, according to some reviews you can find on the internet.

So here you can see a screenshot of a pulse recording of one day. This screenshot is from the Huawei Health app, and the problem with this app is that it's not possible to export your fitness data and your heart rate monitoring. At least this was the problem before I started the reverse engineering, because all the data are stored in an encrypted SQLite database. But now I'm able to do this: I can extract the data out of the encrypted database and I can use the data for
any purpose I want. For example, here I created a simple Python matplotlib plot for the same day.

So what was my motivation for reverse engineering the Huawei Health app? First of all, I did not want to be dependent on the Huawei ecosystem. I don't want to upload my personal data to the internet, to any cloud. The Huawei ecosystem has no possibility to export the data, at least no export possibility to local file storage. You can share your data with Google Fit, but this was not an option for me. And I think another big problem with all these ecosystems is the end of the product life cycle. For example, for a Suunto Movescount application there is this Movescount web application, and its life cycle will end in 2020, and when you have an old Suunto device you cannot use it anymore then. And of course, reverse engineering is a lot of fun.

So what are my objectives for this talk? My objectives for this talk are to give you an introduction to Android reverse engineering and to share my results with you about the communication protocol and how you can extract the data out of the app. During the reverse engineering my objectives were to understand the communication protocol between the smartphone and the watch and to extract the personal data out of this encrypted database.

So let's talk about Bluetooth Low Energy. In this image you can see how the generic attributes work in general. Bluetooth Low Energy has a stack with different layers, but for this talk only the generic attributes (GATT) are interesting. At the generic attribute layer there's a client and a server: the client can get some information from the server, and in our case the client is the smartphone and the server is the Huawei watch. The generic attributes define a hierarchical data structure that is exposed to connected Bluetooth Low Energy devices. The top level of the hierarchy is a profile, which contains one or more services. So we can see the services here in orange, and each of these services contains
characteristics. You can read these characteristics, you can read the values of these characteristics, and you can write a new value into a characteristic. Huawei is using this characteristic concept a little bit differently: they only use two characteristics, one to write to the watch and send their own commands, and a second characteristic to extract the data.

So when I started with the reverse engineering I had no idea about the communication protocol. The only thing I knew was that it is using Bluetooth. But on Android you can sniff the Bluetooth communication. This is an option in the developer options; you can see it here in the picture. You can enable it, and then the smartphone will create a log file and store it on the SD card. You can download it from the SD card and open it with Wireshark. So here you can see a screenshot of my Wireshark analysis, and in this picture you can see the first write command from the smartphone to the watch. Of course, I had no idea what this write command was, and I was very interested in finding some information about that, so I decided to do some static program analysis.

The first step is that you need the app before you can analyze it, and I started with the extraction. There are different methods for how you can extract the app out of your smartphone or how you can obtain the Android app, and I think the easiest one is a web page called APKMirror. It's an archive of downloadable Android apps, and you can download the current versions but also older versions. That's really nice, because this is not possible with the Play Store. Of course only free apps are available, since APKMirror has a no-piracy policy, but unfortunately not all free Android apps are available. So sometimes you need to use a different method, and another method is the Android Debug Bridge.
This is a command-line tool that lets you communicate with your device. It's part of the Android SDK platform tools, and it can be used to extract the app from non-rooted or rooted devices. So on this slide you can see an example of how I did this for the Huawei Health app. In the first step you have to find the APK name of the Huawei Health app, then in a second step you have to find the path, and afterwards you can use the adb pull command to download the app to your local system.

The third method I want to show you is an app called APK Extractor, and you can install this app from the Play Store. This app extracts the app and stores it on the SD card, and it does not require root access. But in my opinion it has two disadvantages: you have some advertisements in the app, and you have to trust the developer of the app that it does not modify the app during the extraction.

So after I was able to extract the Huawei Health app, I wanted to decode it to get some information out of it. In general, APKs are ZIP files containing resources and assembled Java code, and if you simply unzip the APK you would be left with binary files. For example, the AndroidManifest.xml is in the Android binary XML format, so they are not human-readable, and it doesn't really make sense to unzip the APK. But there's a cool tool called apktool which can decode apps. You can see the example here in the black window for the Health app, and for me the Android manifest was very interesting.

So let's talk about the Android manifest. Every app must have an AndroidManifest.xml in its root directory, and this manifest provides essential information about the app to the Android system. The Android manifest is very interesting from a security point of view, because it answers the question whether debugging of the app is allowed and whether you are allowed to create a backup of the app's data. Unfortunately, both flags were disabled for the Huawei Health app.
So you are not allowed to create backups and you are not allowed to debug the app. So I thought, okay, with apktool I can also repatch the app: I can change the Android manifest, turn on debugging, turn on the backup function. But it's not that easy, because there's a known issue for apps which use AndResGuard. AndResGuard is an obfuscation tool, and when you use this obfuscation tool you cannot rebuild the resources with apktool, but repatching the Android manifest requires the decoding of the resources. So for the Huawei Health app you can only modify the source code, but not the resources and not the Android manifest.

But I think it's very good to know how it works, so I prepared one slide to show you. You can rebuild the app with apktool, and then before you can install it you have to re-sign it. On GitHub there is a ready-to-go tool or framework which can do that, and you can re-sign it with the Android test certificate. After the rebuilding and re-signing you can install the app with the adb tool. And even if the repatching were possible for the Huawei Health app, it's not that simple, because the Huawei Health app checks its signature during startup, and if the signature doesn't match the stored signature it exits with an error. So there are two possible solutions. One solution is to find the signature check and modify it, but this is very time-consuming. The other possibility is to modify the app during runtime. This is easy, and we will come to that.

So at the beginning of my talk I also told you that there are encrypted SQLite databases, and I was very interested in these databases and I wanted to extract them. There are three different methods for how you can extract the app's data, and I want to show them to you.
The first one is the run-as method, but it requires the debugging permission, so you have to check beforehand whether debugging is allowed in the Android manifest. If you are allowed to execute the run-as command, you can simply copy the data to the SD card, and afterwards you can download it to your file system. Another method is the creation of a backup, also with adb, but it needs the permission that backup creation is allowed. When you start this backup creation you will be asked on your smartphone whether a backup really should be created; you can see it in the screenshot here. After you have created this backup you can extract it with a tool called Android Backup Extractor. And the third method is, in my opinion, the preferred method, but it requires a rooted device: there you can simply copy the data as root to the SD card, and afterwards you can download it.

Okay, so let's talk about the compilation of the application and code analysis. How does code execution on Android work? An Android application package (APK) contains one or more Dalvik executables (DEX files), so you have a classes.dex, a classes2.dex and so on. The DEX specification limits the total number of methods that can be referenced to about 65,000 methods, and the Huawei Health app has over one hundred seventy thousand methods, so multiple DEX files are necessary. So you see, the Huawei Health app is a huge app. It has a lot of lines of code, so reverse engineering it, you can spend a lot of time doing that. The DEX file contains bytecode which is executed by the Android Runtime.

Okay, so how can we decompile an Android application? There's a tool
I prefer; it's called jadx. It's a command-line and graphical user interface tool, and you can use it to decompile DEX files and APKs. With the tool you can also do static source code analysis in the graphical user interface, but I prefer to use Android Studio. It also has a de-obfuscation functionality, but I prefer to do it manually because of false positives. And sometimes jadx is not able to decompile some methods; then you have to try other decompilers. At the end of the slide you can see an example of how you can decompile an app with jadx. So after the decompilation you can import it into Android Studio.

So let's take a small recap. After my Wireshark analysis I know that it's using Bluetooth Low Energy. I know that I'm not allowed to debug the app, and I have extracted the app and have decompiled it. So I searched on the internet for how Bluetooth in combination with Android works, and I found the documentation for the generic attributes in the Android SDK. You can see it here in this screenshot, and it says if you want to connect to a remote device you have to use the connectGatt method. And Android Studio has a really great functionality: you can search in all files. You open this functionality with the keys Ctrl+Shift+F, then you enter your search string, and then you get the results. But you also get a preview window for each result, and you can click on the results and see a small code preview window.
So I really like this feature, and I found one class which also contained this method: the method onServicesDiscovered. In my opinion this method is very interesting, because it has the UUIDs in here which are used by the characteristics and the services in the GATT layer, and I had found them already with Wireshark. And you also have some strings in this method, for example this one here, and these strings are very interesting because I think they come from some logging factory. You can use these strings for the de-obfuscation: for example, you can get the class name and the method name out of these strings, or sometimes you can even get the variable name out of these strings.

So when you want to manually de-obfuscate the source code you are analyzing, you can click on a class name or a method name or a variable name and then you can open the refactor function or dialog. You enter the name and afterwards you click refactor, and you will still be asked about all the local variables, whether they should be refactored. Again, you have this preview window here, so it's very fast to do. You can select them and then select all. But if you refactor something, in my opinion it's very important to make a comment where you say, okay, this was "ctp" before I refactored it, because sometimes Android Studio is not able to find all variables, and afterwards you're really happy when you know which was the old name of that. Another useful functionality is the Find Usages functionality.
You can click on a class name or a variable or a method and then press the Alt, Shift and 7 keys, and Android Studio will tell you, okay, where this function is used, where this class is used. And after quite some time reverse engineering I found a method, and I was able, with strings I found in this method, to rename the class to "Bluetooth handshake manager" and the method to "device link parameter". At the beginning of my talk I said, okay, this is the first write command sent from the smartphone to the watch, and here in the code you have a byte array which has the same values as part of this command. So this looks very promising, and we already know the name of this method, so this command has something to do with the link parameters.

So I already mentioned it: static code analysis requires some effort, and yes, it is a lot of work, and I'm a lazy person, so I decided to try something else. That's where dynamic program analysis gets into the game, and there's a great tool called Frida. Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers. It's scriptable, so you can inject your own scripts, you can do function hooking, and you can trace application code. It's portable, and different operating systems are supported. It requires a rooted device; in theory you can also use a non-rooted device, but then you have to modify the application you want to analyze, and this is not an option for us because of the code signature check. And it requires the installation and execution of the frida-server on your smartphone. So I used Frida a lot during my reverse engineering process, and I want to show you one use case.
I told you that the personal data are stored in an encrypted database on the smartphone. In the data of the app there are different databases, and I had no idea in which databases the fitness data and the health data are stored. But I realized that there's one database which is much larger than the other databases, so I had the idea: maybe this is the interesting one. The interesting one is the hihealth_003 database. What you should also check is whether the Android application you want to analyze only starts itself or whether it starts other services. The Health app also starts two services, a daemon service and a phone service, and they run in a different process; you can see that here. When you work with Frida you have to specify which process it should attach to. This is very important, because in the beginning I started with the Huawei Health process and was wondering why this database never gets opened. But then I realized the database is opened in the daemon service. So I think it took me two or three days searching for the problem why it's not working, and the only problem was that I was tracing the wrong process ID.

Okay, so how does Frida work? In general, Frida is a command-line tool, and when you use it as a command-line tool you have to type a lot, and when you type the wrong character everything is broken. But luckily there's also a Python wrapper you can use, and you can see it here. I don't want to go into detail, but it's simply attaching to a process I can specify, and then it loads a script. You can see this here: it loads JavaScript code, which is how you script Frida. And here you can see the Frida script I used to get the data out of the database, so to decrypt it, and I think it's very interesting to see the capabilities of Frida.
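The speaker's own script is only on the slide, so the following is an added illustration of the technique he describes (heap-walk for open database objects with Java.choose, then make the open object write an unencrypted copy). It is not the speaker's code. Assumptions, not stated in the talk: the app's encrypted store is SQLCipher for Android (class net.sqlcipher.database.SQLiteDatabase), the export is SQLCipher's documented sqlcipher_export() procedure via rawExecSQL(), the target file name starts with "hihealth", and the output path on the SD card is freely chosen.

```javascript
'use strict';
// Added example (not from the talk). Frida script: find the open, encrypted
// database object on the Java heap and have it write a plaintext copy.
// Everything marked "assumption" is not given in the talk.

const TARGET_DB_PREFIX = 'hihealth';                                    // assumption
const SQLCIPHER_DB_CLASS = 'net.sqlcipher.database.SQLiteDatabase';     // assumption
const OUTPUT_PATH = '/sdcard/hihealth_plain.db';                        // assumption

// Pure helper: does this open database's path refer to the target file?
// Matching on the file name prefix avoids hard-coding the numeric suffix.
function isTargetDatabase(path, prefix = TARGET_DB_PREFIX) {
  const base = path.split('/').pop().toLowerCase();
  return base.startsWith(prefix.toLowerCase());
}

// SQLCipher's export procedure: attach a new database with an empty key,
// copy everything into it, detach. Single quotes in the path are doubled
// so the path cannot break out of the SQL string literal.
function buildExportStatements(outPath) {
  const safe = outPath.replace(/'/g, "''");
  return [
    `ATTACH DATABASE '${safe}' AS plaintext KEY ''`,
    `SELECT sqlcipher_export('plaintext')`,
    `DETACH DATABASE plaintext`,
  ];
}

// Frida part: walk the heap for live instances of the database class and
// export the first one whose path matches. Runs only inside Frida, and only
// in the process that actually opened the database (the daemon service).
function dumpTargetDatabase() {
  Java.perform(function () {
    let matches = 0;
    Java.choose(SQLCIPHER_DB_CLASS, {
      onMatch: function (db) {
        const path = db.getPath();            // same API as android.database.sqlite
        if (!isTargetDatabase(path)) return;  // not the one we want, keep walking
        matches++;
        console.log('[*] found open database ' + path);
        for (const stmt of buildExportStatements(OUTPUT_PATH)) {
          db.rawExecSQL(stmt);                // assumption: SQLCipher's raw SQL entry point
        }
        console.log('[+] plaintext copy written to ' + OUTPUT_PATH);
        return 'stop';                        // tell Java.choose to stop enumerating
      },
      onComplete: function () {
        console.log('[*] heap walk done, matching databases: ' + matches);
      },
    });
  });
}

// Only run the instrumentation when loaded by Frida (the Java bridge exists).
if (typeof Java !== 'undefined') {
  dumpTargetDatabase();
}
```

Load it with `frida -U -n <daemon process name> -l dump_db.js`, after finding that process name with `frida-ps -Ua`; as the talk points out, attaching to the main app process finds nothing because the database is opened by the daemon service.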
So let me explain the code on the slide in a nutshell. That's the Java.choose function, which you can use to say: okay, for this class, for the SQLite database class, please search for all objects of this class on the heap, find me all instances, and call this callback if you find one, and if you're finished call the onComplete function. So each time a database was found on the heap, I checked whether it's the HiHealth database, and if it was, I created a non-encrypted copy of the HiHealth database. This is really simple; you only have to check the documentation for how you can do that. And since we got the instance of the database, we got the open database object, so we can call, for the instance, the methods which are available in your Android application. So you see, it's very easy to do. It's not much work, but I was able to receive the whole database unencrypted with all my personal fitness data. Hell yeah!

So now, in the last couple of minutes, I want to talk about the Huawei Link protocol. Parts of my research are already published in an issue on GitHub, and you can find it in the Gadgetbridge project. The Gadgetbridge project is a project where researchers try to leave the ecosystem for their fitness devices. And I'm not the only one who is doing research on the Huawei Link protocol, but perhaps the only one who is doing it for the Huawei Watch GT. The others are doing it for the Huawei Band 3 Pro and for the Honor Band 4, and Honor is a sub-brand of Huawei. We compared our results, and it seems that all the different Huawei wearables use the same protocol.

So what is the message structure of the Huawei Link protocol? You remember our question: what is this write command doing? Well, a message can be transferred in a single package or in a multi-package. A single package can be sliced or not sliced, and a multi-package, well, I found that multi-packages exist.
I found it during the static code analysis, but I never saw it in action, so I have not further investigated it. So let's look into the single package, not sliced. You have a constant here, sorry, you have a constant here, and each message has this constant. Then you have two bytes of length field, you have another constant, you have the content, we will come to this in a minute, and we have a CRC value, two bytes of CRC value over the complete message.

So the structure of the content: we have a one-byte service ID, we have a one-byte command ID, and we have TLVs. So please don't ask me why it's called TLVs. We found it in the strings of the Huawei Health app that the Huawei Health developers called it like that, but I have no idea why it's called like that; if you know, please tell me after this talk. And you can see that the protocol uses services and commands to address the commands.

So here you can see the structure of the TLVs. As I said, a command can have one or multiple TLVs, and each TLV has a tag, a length and data. The length specifies how long the data is, and the length is a variable integer: if the most significant bit is set it uses one byte more for the length, otherwise it's using one byte.

So I want to show you how the request link parameter, or the request link command, works. We already saw during the static code analysis that it has something to do with requesting the link parameters, and I already showed you the beginning of a message. In orange we have constants, in blue we have the message length, in green we have the service ID, in brown we have the command ID, and then we have the data here, or the TLVs, and afterwards we have the CRC over the complete message. And here you can see the tags. It's quite simple.
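To accompany the message layout just described, here is an added encoder/decoder for that layout (constant byte, two-byte length, second constant, service ID, command ID, TLVs with the variable-length length field, two-byte CRC), including the link-parameter request and the reply fields the talk names. This is an added example, not code from the talk or from the Gadgetbridge project. The talk does not give the values of the two constants, the CRC variant, the exact bit layout of the two-byte TLV length, what the length field counts, or the service/command IDs; every one of those is an assumption here, chosen so that the example is self-consistent, and marked as such in the code.

```javascript
'use strict';
// Added example (not from the talk or Gadgetbridge): Huawei Link single,
// unsliced message as described in the talk. Values marked "assumption"
// are not given in the talk.

const MAGIC = 0x5a;      // assumption: the leading constant byte
const SEPARATOR = 0x00;  // assumption: the constant byte after the length field

// Assumption: CRC-16, polynomial 0x1021, init 0, no reflection, computed
// over every byte that precedes the CRC field.
function crc16(bytes) {
  let crc = 0;
  for (const b of bytes) {
    crc ^= b << 8;
    for (let i = 0; i < 8; i++) {
      crc = crc & 0x8000 ? ((crc << 1) ^ 0x1021) & 0xffff : (crc << 1) & 0xffff;
    }
  }
  return crc;
}

// TLV length: one byte, unless its MSB is set, then a second byte follows.
// Assumption on the layout: the low 7 bits of the first byte are the high part.
function encodeTlvLength(n) {
  if (n < 0x80) return [n];
  if (n > 0x7fff) throw new RangeError('TLV value too long');
  return [0x80 | (n >> 8), n & 0xff];
}

function decodeTlvLength(buf, off) {
  if (buf[off] === undefined) throw new Error('truncated TLV length');
  if ((buf[off] & 0x80) === 0) return { len: buf[off], size: 1 };
  if (buf[off + 1] === undefined) throw new Error('truncated TLV length');
  return { len: ((buf[off] & 0x7f) << 8) | buf[off + 1], size: 2 };
}

function encodeTlvs(tlvs) {
  const out = [];
  for (const { tag, value } of tlvs) out.push(tag & 0xff, ...encodeTlvLength(value.length), ...value);
  return Buffer.from(out);
}

function parseTlvs(buf) {
  const tlvs = [];
  for (let off = 0; off < buf.length;) {
    const tag = buf[off++];
    const { len, size } = decodeTlvLength(buf, off);
    off += size;
    if (off + len > buf.length) throw new Error('TLV value runs past end of content');
    tlvs.push({ tag, value: buf.subarray(off, off + len) });
    off += len;
  }
  return tlvs;
}

// Frame: MAGIC | length (2 bytes, big-endian) | SEPARATOR | service | command | TLVs | CRC16
// Assumption: the length field counts every byte after itself, CRC included.
function buildMessage(service, command, tlvs) {
  const content = Buffer.concat([Buffer.from([service & 0xff, command & 0xff]), encodeTlvs(tlvs)]);
  const head = Buffer.alloc(4);
  head[0] = MAGIC;
  head.writeUInt16BE(1 + content.length + 2, 1);
  head[3] = SEPARATOR;
  const body = Buffer.concat([head, content]);
  const crc = Buffer.alloc(2);
  crc.writeUInt16BE(crc16(body), 0);
  return Buffer.concat([body, crc]);
}

// Parse and verify a frame; every structural problem is an exception.
function parseMessage(buf) {
  if (buf.length < 8) throw new Error('message too short');
  if (buf[0] !== MAGIC) throw new Error('bad magic byte');
  if (buf.readUInt16BE(1) + 3 !== buf.length) throw new Error('length field does not match message size');
  if (buf[3] !== SEPARATOR) throw new Error('bad separator byte');
  if (buf.readUInt16BE(buf.length - 2) !== crc16(buf.subarray(0, buf.length - 2))) throw new Error('CRC mismatch');
  return { service: buf[4], command: buf[5], tlvs: parseTlvs(buf.subarray(6, buf.length - 2)) };
}

// The "request link parameters" command: the request carries tags 1..4 with
// empty values, the reply fills them in. Assumption: service 0x01 / command 0x01.
const LINK_SERVICE = 0x01;
const LINK_PARAMS_COMMAND = 0x01;

function buildLinkParamsRequest() {
  return buildMessage(LINK_SERVICE, LINK_PARAMS_COMMAND, [1, 2, 3, 4].map((tag) => ({ tag, value: Buffer.alloc(0) })));
}

// Tag 1 = protocol version (1 byte), tag 2 = max frame size (2 bytes), per the
// talk; anything else (e.g. auth version, random) is returned as raw hex.
function decodeLinkParamsResponse(msg) {
  if (msg.service !== LINK_SERVICE || msg.command !== LINK_PARAMS_COMMAND) throw new Error('not a link-parameter reply');
  const out = { raw: {} };
  for (const { tag, value } of msg.tlvs) {
    if (tag === 1 && value.length === 1) out.protocolVersion = value[0];
    else if (tag === 2 && value.length === 2) out.maxFrameSize = value.readUInt16BE(0);
    else out.raw[tag] = value.toString('hex');
  }
  return out;
}
```

The verification order in parseMessage matters when you feed it real captures: check the framing (magic, length, separator) before the CRC, so that a sliced or multi-package frame fails with a clear framing error instead of a misleading CRC mismatch.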
On the slide, the first tag has a length of zero, the second tag has a length of zero, and so on. To find out what exactly these tags are about you have to analyze the source code. And here you can see the response from the fitness wearable. The beginning is the same, and then it says for tag one: it has a length of one and the data is two, so the protocol version is two. For tag two we have a length of two, so the max frame size is this value, and so on and so on. It sends you an authentication version and it sends you some random value. The next step would be that the watch uses these link parameters to create some authentication between the smartphone and the watch, but that's a topic for another talk.

So let's come to a conclusion. In my opinion, reverse engineering an Android application isn't that hard, but it requires some effort. If you're interested in a communication protocol, normally it's easier to reverse engineer the corresponding app instead of the embedded device. If you want to protect your Android application, you should remove logging strings in your release version, because that makes reverse engineering much harder. And yeah, it's possible to use the Huawei watch without the related Huawei ecosystem. As a side note, this is not possible for Fitbit, at least without a firmware modification.
There was a very interesting talk last year at Easterhegg; if you're interested, I wrote down the link for you. So at the end of my talk I want to thank my employer and also my colleagues, who are sitting here somewhere, because they helped me a lot in preparing the talk, and my employer allowed me to do some reversing during my work time. Since my colleagues helped me a lot, I want to help them: two of my colleagues are at the moment doing some research on the question why people think that their hardware devices are genuine and trustworthy, and they have an online survey. If you complete this online survey you can take part in a raffle and win some Amazon vouchers with a value of 50 euros, or you can win some Austrian chocolate. The survey only takes 15 to 20 minutes, and if you take the survey, please enter my email address, so I might also get some chocolate. Yeah, so I saw one person scan the QR code, thank you.

Yeah, and at SBA Research we are always looking for bachelor and master students who want to do their theses with us. We are also teaching some lectures at TU Wien, so it's not a big deal to do this at SBA. We also offer some professional services to customers, so we are also always looking for motivated people who want to work as security consultants at our office. If you're interested in doing your thesis or if you are interested in a job offer, please write me an email. Yeah, that's all, thank you, and I would be happy to answer your questions.

Hi. One question and one answer. The question would be: how long did the whole process you showed here take you in real time?

I can't tell you really, but I think 300, 400, 500 hours. So I received the watch shortly before Christmas and I used the complete Christmas holidays, but I've worked 60, 70 hours each day on it.
So it was really nearly a really nerdy time, and I used some time during work, so, yeah, let's say 300 fun hours.

And the TLV which you asked for: that just stands for tag, length, value. That's the standard way data is encoded in ASN.1 according to the Distinguished Encoding Rules.

Okay, so it's just "value" and not "data" as you had it on the slide. Great, good to know. Thank you for the info.

I hope my question is not off topic, but you showed in the end that you didn't interact with the protocol of the interaction, but that you hacked, kind of, the database. My question is therefore: what is the raw data of the measurement device, in your case the watch? Is it an ECG signal? Is it an infrared signal? Because the pulse is always an interpretation of different spikes in those signals. And the other question is: what was then the data that you obtained from the database, which is already an interpretation? And that's why the data that you showed in the beginning in the matplotlib plot looked different from the data that the app had shown, in terms of little spikes, where I wasn't sure. Like, could you also get the raw data from the device?

So I'm not sure that I got the first question, but the second question: in the database you have pulse values, so 80, 90, something like this, and you have a timestamp when it was recorded. So that's the data for the heart rate in the database. You get the same values when you extract it over Bluetooth, so I got the same values over Bluetooth. If this is the question, you can also ask it in German, maybe this is easier.

When that is transferred, then you can already, in the transfer, so you can already find an interpretation of this data on the level of the watch?

Yes, absolutely, but the data was the same both in the database as well as during the transfer. So that was already the pulse data with a timestamp. So if there is an interpretation, then it already happens on the watch, in the microcontroller on the watch.
That was the question, right? Okay.

So you mentioned that Android apps forbid you to back them up and to debug them. I think, yes, on rooted devices, does that still apply? And if so, is there some way around that?

Now, the problem is, normally on a rooted device it's not a problem to change the debuggable flag and to install it back, but I was not able to do so because of this obfuscation tool, which breaks apktool.

You bring it back, because you can only debug an application if this debuggable flag is set to true, but it's something that the app's manifest asks the runtime, the Android runtime, to please not do. The Android runtime could in principle just not care about that flag.

Of course, if you overwrite it with Frida or something like this, you can do it with a rooted device; then it's not a big deal. But in the simple Android workflow, as far as I know, but I'm not an expert, it's not that easy. So you have to overwrite it with Frida or some other instrumentation tool, I think so.

All right. Thanks. Okay, I think then, thank you very much. Thank you very much for coming.