2

I am reverse-engineering an Android app as part of a security project. My first step is to discover the protocol exchanged between the app and server. I have found that the protocol being used is protocol buffers. Given the nature of protobuf, the original .proto file is needed to be able to unserialize the protobuf-encoded message. Since I don't have that, I used protod to disassemble the Android app and recover out any .proto files used.

I have the Android app in a form where it is a bunch of .smali and .so files. Running protod against the .so files yields only one .proto file -- google/protobuf/descriptor.proto.

I was under the impression that users of protocol buffers write their own .proto files, which might reference google/protobuf/descriptor.proto, but according to protod google/protobuf/descriptor.proto is the only protofile used by the app. Could this actually be possible and google/protobuf/descriptor.proto is enough for me to unserialize the messages between the app and server?

Joe
  • 2,500
  • 1
  • 14
  • 12
  • Did you try with that proto file? – psv Jun 22 '16 at 08:15
  • Had some trouble getting Charles proxy to use the .desc generated from that protofile to decode the protobuf messages and was wondering if it was even worth me figuring that out (hence the question above). Is there some command line tool I can pass a message and a protobuf .desc file and it will give me the decoded message? – Joe Jun 22 '16 at 08:20
  • Related: http://stackoverflow.com/questions/14627069/parse-google-protocol-buffers-datagram-without-proto-file – jpa Jun 23 '16 at 04:34
  • See this answer: https://stackoverflow.com/questions/7914034/how-to-decode-protobuf-binary-response/48868239#48868239 – AutomatedMike Sep 04 '19 at 11:58

1 Answers1

7

When you write a .proto file you can set an option optimize_for to LITE_RUNTIME (see here) and this will omit the descriptors from the generated code to reduce the size of the binary. I believe this is a common practice for mobile development since code size is a scarce resource in that environment. This may explain why you found only a single .proto file. It is unlikely that the app is actually transferring any data using descriptor.proto since that is mostly an implementation detail of the protocol buffers library.

If you cannot find any other descriptors, your best bet might be to try to interpret the protocol buffers without them. You can read about the protocol buffers wire format here. An easy way to get started would be to create a proto2 message type containing no fields and attempt to parse the data as that type. You can then use the reflection API to examine what are known as the "unknown fields" in the message and try to figure out what they represent.

Adam Cozzette
  • 1,396
  • 8
  • 9