Hack The Mob: Modifying Closed-source Android Apps
Hack The Mob
Modifying closed-source apps
What is this talk about?
● Let’s talk about what is Android
● Let’s learn how to download APKs from Play Store
● Let’s modify those APKs
● Let’s push them back to our phone
`whoami`
Gil Megidish
CTO @ TestFairy
1337
Terminology 101
● What makes an Android app?
● Which languages can Android run?
Anatomy of an Android APK (an APK is a plain ZIP: compiled Dalvik bytecode in classes.dex, the binary AndroidManifest.xml, resources, and the JAR signature under META-INF/: MANIFEST.MF digests every entry, CERT.SF digests the manifest, CERT.RSA is the PKCS#7 signature over CERT.SF)
$ unzip -v "FlappyFish.apk"
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
18580 Defl:N 3812 80% 08-02-15 00:57 cf40f8ff AndroidManifest.xml
8518360 Defl:N 3391501 60% 08-02-15 00:57 0e1cd99f classes.dex
395404 Defl:N 122825 69% 08-02-15 00:57 7bffff87 META-INF/MANIFEST.MF
395433 Defl:N 123483 69% 08-02-15 00:57 a657bd16 META-INF/CERT.SF
1139 Defl:N 1039 9% 08-02-15 00:57 6744aa28 META-INF/CERT.RSA
Getting the APK from the Play Store (install it on a device, then pull the installed APK over adb; no root needed, installed APKs are world-readable)
$ adb shell pm list packages -f
package:/system/app/Gallery.apk=com.android.gallery
package:/data/app/com.fiverr.fiverr-1.apk=com.fiverr.fiverr
package:/data/app/com.touchtype.swiftkey-1.apk=com.touchtype.swiftkey
package:/data/app/com.scoompa.facechanger-1.apk=com.scoompa.facechanger
$ adb pull /data/app/com.fiverr.fiverr-1.apk
6620 KB/s (11723728 bytes in 1.729s)
Note: the flat /data/app/<package>-1.apk layout shown here is from older Android releases; newer versions install into a per-install directory holding base.apk (plus split APKs, which all need pulling). `adb shell pm path <package>` prints the exact path(s).
Introducing Smali & Baksmali
● Disassembles (baksmali) and assembles (smali) Dalvik (DEX) bytecode; smali is an assembler syntax for Dalvik, not decompiled Java, so everything the VM executes is visible and editable
● Written and maintained by Ben Gruver (@JesusFreke)
● https://bitbucket.org/JesusFreke/smali/
Instructions include:
invoke-virtual if-eq new-instance
goto return-void add-int
Sample Java code
package com.testfairy.app;
public class SecretCookie
{
private String privateKey;
public SecretCookie(String privateKey) {
this.privateKey = privateKey;
}
public boolean verifyPrivateKey(String otherKey) {
return privateKey.equals(otherKey);
}
}
Same code in Smali
.class public Lcom/testfairy/app/SecretCookie;
.super Ljava/lang/Object;
.
.
.
# virtual methods
.method public verifyPrivateKey(Ljava/lang/String;)Z
.registers 3
iget-object v0, p0, Lcom/testfairy/app/SecretCookie;->privateKey:Ljava/lang/String;
invoke-virtual {v0, p1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v0
return v0
.end method
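The security-relevant point of this slide: verifyPrivateKey is a client-side check, and in smali it is a five-instruction method whose boolean result comes straight out of `move-result v0` / `return v0`. Anyone holding the APK can replace the body with a constant. The following is an added example (Python, not code from the talk) that does exactly that rewrite on smali text: it lists the `Z`-returning methods in a class (the usual place to look for license, root-detection or key checks) and rewrites a named one to return a constant while keeping its `.registers`/`.locals` directive valid. The smali input is constructed from the page's SecretCookie: the field and `<init>` sections are reconstructed from the Java source, since the slide shows only verifyPrivateKey.

```python
import re

# Constructed input: the page's SecretCookie as baksmali would emit it.
# The field and <init> sections are reconstructed from the Java source;
# the talk shows only verifyPrivateKey.
ORIGINAL_SMALI = """\
.class public Lcom/testfairy/app/SecretCookie;
.super Ljava/lang/Object;


# instance fields
.field private privateKey:Ljava/lang/String;


# direct methods
.method public constructor <init>(Ljava/lang/String;)V
    .registers 2

    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    iput-object p1, p0, Lcom/testfairy/app/SecretCookie;->privateKey:Ljava/lang/String;

    return-void
.end method


# virtual methods
.method public verifyPrivateKey(Ljava/lang/String;)Z
    .registers 3

    iget-object v0, p0, Lcom/testfairy/app/SecretCookie;->privateKey:Ljava/lang/String;

    invoke-virtual {v0, p1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v0

    return v0
.end method
"""


def boolean_methods(smali):
    """Names of all methods returning Z (boolean): candidate client-side checks."""
    return re.findall(r"^\.method[^\n]*\b(\w+)\([^)]*\)Z$", smali, re.M)


def force_boolean_return(smali, method_name, value=True):
    """Rewrite every Z-returning method called `method_name` so it ignores its
    arguments and returns `value`. Returns (new_smali, number_of_methods_patched).

    The original .registers/.locals directive is kept: with `.registers N`,
    parameters occupy the top N registers, so v0 is either a local or a
    parameter register, and overwriting a parameter register is legal Dalvik.
    A count of 0 is bumped to 1 so that v0 exists."""
    pattern = re.compile(
        r"(\.method[^\n]*\b" + re.escape(method_name) + r"\([^)]*\)Z\n)"  # header
        r"(.*?)"                                                          # old body
        r"(\n\.end method)",
        re.S,
    )

    def replace(m):
        reg = re.search(r"^\s*\.(registers|locals)\s+(\d+)\s*$", m.group(2), re.M)
        count = max(1, int(reg.group(2))) if reg else 1
        directive = "    .%s %d" % (reg.group(1) if reg else "locals", count)
        body = "%s\n    const/4 v0, 0x%d\n    return v0" % (directive, 1 if value else 0)
        return m.group(1) + body + m.group(3)

    return pattern.subn(replace, smali)


if __name__ == "__main__":
    print("boolean methods:", boolean_methods(ORIGINAL_SMALI))
    patched, n = force_boolean_return(ORIGINAL_SMALI, "verifyPrivateKey")
    print("patched %d method(s)" % n)
    print(patched)
```

Feed the patched text back to `smali` (step 3 of the build sequence) and the equals() call is gone from the app; the check that "protects" the key now always passes. The only real fix is to not trust the client: do the verification server-side, or at least make the result something the server checks (a signature over a challenge) rather than a boolean the app computes for itself.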
Let’s do this! =]
$ java -jar baksmali-2.0.6.jar FlappyBird.apk
# modify the smali code under ./out #
$ java -jar smali-2.0.6.jar -o classes.dex out
$ zip FlappyBird.apk classes.dex
$ zip -d FlappyBird.apk 'META-INF/*'
$ jarsigner -keystore ~/.android/debug.keystore \
    -storepass android -signedjar "patched.apk" \
    "FlappyBird.apk" "androiddebugkey"
Why the META-INF step: the old signature digests every entry, so a modified classes.dex no longer verifies and the signature files must go before re-signing (quote the glob so the shell does not expand it against the local directory). The result is signed with a different key than the original, so the original app must be uninstalled before the patched one installs. jarsigner produces only a v1 (JAR) signature; apps targeting Android 11 (API 30) or newer must also carry an APK Signature Scheme v2+ signature, which apksigner from the build tools adds.
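What the `zip`, `zip -d META-INF/*` and `jarsigner` steps are actually doing to the file, as an added example (Python, not code from the talk). It builds a constructed stand-in APK (placeholder bytes, not a valid app) whose META-INF/MANIFEST.MF carries per-entry digests the way the v1 JAR scheme does, then shows that swapping in a new classes.dex breaks the digest check, and that rebuilding the zip without META-INF/ leaves an unsigned APK ready for jarsigner. Assumptions: digests use the `SHA-256-Digest` header as current jarsigner writes (older versions wrote `SHA1-Digest`); manifest continuation lines are not handled; CERT.SF and CERT.RSA are not generated, since that needs the signing key and is jarsigner's job.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def _digest(data):
    """Base64 SHA-256 of an entry's bytes, the form used in MANIFEST.MF."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries):
    """Write a MANIFEST.MF the way the v1 (JAR) scheme expects: a main section,
    then one 'Name:' section per entry with a digest of the entry's bytes."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example (not jarsigner)", ""]
    for name, data in entries.items():
        lines += ["Name: %s" % name, "SHA-256-Digest: %s" % _digest(data), ""]
    return "\r\n".join(lines).encode()


def parse_manifest(raw):
    """Return {entry_name: {header: value}} for the named sections.
    Assumption: no 72-column continuation lines (digest lines fit anyway)."""
    sections, current = {}, {}
    for line in raw.decode().splitlines():
        if not line:
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if "Name" in current:
        sections[current["Name"]] = current
    return sections


def verify_v1_digests(apk_bytes):
    """Recompute every non-META-INF entry's digest and compare it with the
    manifest. Missing manifest or missing section counts as a failure."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = parse_manifest(zf.read(MANIFEST)) if MANIFEST in zf.namelist() else {}
        result = {}
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            expected = manifest.get(info.filename, {}).get("SHA-256-Digest")
            result[info.filename] = expected == _digest(zf.read(info))
        return result


def rewrite_apk(apk_bytes, replace=None, drop_prefix=None):
    """Rebuild the zip: swap in bytes for entries in `replace` (the `zip` step)
    and drop entries under `drop_prefix` (the `zip -d` step)."""
    replace = replace or {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if drop_prefix and info.filename.startswith(drop_prefix):
                continue
            dst.writestr(info.filename, replace.get(info.filename, src.read(info)))
    return out.getvalue()


def entry_names(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(zf.namelist())


def make_sample_apk():
    """Constructed stand-in for an APK: placeholder bytes, not an installable app."""
    entries = {
        "AndroidManifest.xml": b"<constructed binary manifest placeholder>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    }
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return out.getvalue()


def demo():
    original = make_sample_apk()
    patched = rewrite_apk(original, replace={"classes.dex": b"dex\n035\x00patched"})
    stripped = rewrite_apk(patched, drop_prefix="META-INF/")
    return {
        "original": verify_v1_digests(original),   # all True
        "patched": verify_v1_digests(patched),     # classes.dex False
        "stripped_entries": entry_names(stripped),  # no META-INF left to re-sign
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same digest mismatch is what the installer sees if the META-INF step is skipped: an APK whose old CERT.RSA still validates CERT.SF, whose CERT.SF still validates MANIFEST.MF, but whose manifest no longer matches classes.dex. That chain is also why the scheme protects nothing against the person holding the APK: every link is inside the file, so stripping and re-signing with any key is enough.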
Demo Time ™ !
Let’s shove an entire sdk!
Demo Time ™ !
(two apps, one dex)
What’s next?
● Changing resources (images, texts)
● 3rd party APIs (Google Maps and Facebook)
● Modifying AndroidManifest.xml
Linkz!
smali/baksmali
https://github.com/JesusFreke/smali
apktool
https://ibotpeaches.github.io/Apktool
Looking For Your Next Challenge?
https://www.testfairy.com/jobs/
