
Hack The Mob: Modifying Closed-source Android Apps


Talk about modifying Android apps by reverse engineering: how to download apps from the Play Store (as of Feb 2016), reverse-engineer them, re-sign them and install them on an Android device.

  1. Hack The Mob: Modifying closed-source apps
  2. What is this talk about?
     ● Let’s talk about what Android is
     ● Let’s learn how to download APKs from the Play Store
     ● Let’s modify those APKs
     ● Let’s push them back to our phone
  3. `whoami`
     Gil Megidish, CTO @ TestFairy, 1337
  4. Terminology 101
     ● What makes an Android app?
     ● Which languages can Android run?
  5. Anatomy of an Android APK
     $ unzip -v "FlappyFish.apk"
       Length   Method     Size  Ratio    Date   Time   CRC-32   Name
     --------  ------  -------  -----    ----   ----   ------   ----
        18580  Defl:N     3812    80%  08-02-15 00:57  cf40f8ff  AndroidManifest.xml
      8518360  Defl:N  3391501    60%  08-02-15 00:57  0e1cd99f  classes.dex
       395404  Defl:N   122825    69%  08-02-15 00:57  7bffff87  META-INF/MANIFEST.MF
       395433  Defl:N   123483    69%  08-02-15 00:57  a657bd16  META-INF/CERT.SF
         1139  Defl:N     1039     9%  08-02-15 00:57  6744aa28  META-INF/CERT.RSA
  6. Getting an APK from the Play Store
     $ adb shell pm list packages -f
     package:/system/app/Gallery.apk=com.android.gallery
     package:/data/app/com.fiverr.fiverr-1.apk=com.fiverr.fiverr
     package:/data/app/com.touchtype.swiftkey-1.apk=com.touchtype.swiftkey
     package:/data/app/com.scoompa.facechanger-1.apk=com.scoompa.facechanger
     $ adb pull /data/app/com.fiverr.fiverr-1.apk
     6620 KB/s (11723728 bytes in 1.729s)
  7. Introducing Smali & Baksmali
     ● Decompiles and compiles Dalvik (DEX) files
     ● Written and maintained by Ben Gruver (@JesusFreke)
     ● https://bitbucket.org/JesusFreke/smali/
     Instructions include: invoke-virtual, if-eq, new-instance, goto, return-void, add-int
  8. Sample Java code
     package com.testfairy.app;

     public class SecretCookie {
         private String privateKey;

         public SecretCookie(String privateKey) {
             this.privateKey = privateKey;
         }

         public boolean verifyPrivateKey(String otherKey) {
             return privateKey.equals(otherKey);
         }
     }
  9. Same code in Smali
     .class public Lcom/testfairy/app/SecretCookie;
     .super Ljava/lang/Object;
     . . .
     # virtual methods
     .method public verifyPrivateKey(Ljava/lang/String;)Z
         .registers 3
         iget-object v0, p0, Lcom/testfairy/app/SecretCookie;->privateKey:Ljava/lang/String;
         invoke-virtual {v0, p1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
         move-result v0
         return v0
     .end method
  10. Let’s do this! =]
     $ java -jar baksmali-2.0.6.jar FlappyBird.apk
     # modify the smali code under out/ #
     $ java -jar smali-2.0.6.jar -o classes.dex out
     $ zip FlappyBird.apk classes.dex
     $ zip -d FlappyBird.apk 'META-INF/*'
     $ jarsigner -keystore ~/.android/debug.keystore -storepass android -signedjar "patched.apk" "FlappyBird.apk" "androiddebugkey"
  11. Demo Time ™ !
  12. Let’s shove in an entire SDK!
  13. Demo Time ™ ! (two apps, one dex)
  14. What’s next?
     ● Changing resources (images, texts)
     ● 3rd-party APIs (Google Maps and Facebook)
     ● Modifying AndroidManifest.xml
  15. Linkz!
     smali/baksmali: https://github.com/JesusFreke/smali
     apktool: https://ibotpeaches.github.io/Apktool
  16. Looking For Your Next Challenge? https://www.testfairy.com/jobs/
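Slides 5 and 10 show what sits under META-INF and how the repack deletes it before re-signing with the debug key. As an added example that is not part of the talk, the Python below checks the first link of that JAR (v1) signature chain, the per-entry digests in META-INF/MANIFEST.MF, against the zip contents, so a classes.dex swapped in after signing, or a stripped META-INF, is reported; the APK bytes are a constructed stand-in for FlappyFish.apk, all function names are mine, and the CERT.SF and CERT.RSA steps of full verification are left out.

```python
# Added example, not code from the talk: compare the per-entry digests in
# META-INF/MANIFEST.MF with the real zip entries. Full verification would also
# check CERT.SF against the manifest and the CERT.RSA signature over CERT.SF.
import base64, hashlib, io, zipfile

DIGESTS = {"SHA1-Digest": hashlib.sha1, "SHA-256-Digest": hashlib.sha256}
def b64_digest(hash_fn, data):
    return base64.b64encode(hash_fn(data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> (digest header, base64 value) from a MANIFEST.MF."""
    entries, name = {}, None
    # manifest lines wrap at 72 bytes; "\n " marks a continuation, so drop it to unwrap
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key in DIGESTS and name:
            entries[name] = (key, value)
    return entries

def check_apk(apk_bytes):
    """Return (ok, problems): entries missing from, or not matching, the manifest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return False, ["no META-INF/MANIFEST.MF (unsigned, or META-INF stripped)"]
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for n in z.namelist():
            if n.startswith("META-INF/") or n.endswith("/"):
                continue  # signature files and directory entries carry no digest
            if n not in expected:
                problems.append(f"{n}: not in manifest (added after signing)")
            elif b64_digest(DIGESTS[expected[n][0]], z.read(n)) != expected[n][1]:
                problems.append(f"{n}: {expected[n][0]} mismatch (modified after signing)")
    return not problems, problems

def build_sample(tampered):
    """Constructed stand-in for FlappyFish.apk; tampered=True swaps classes.dex after signing."""
    files = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00original"}
    mf = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA1-Digest: {b64_digest(hashlib.sha1, b)}\r\n\r\n" for n, b in files.items())
    if tampered:
        files["classes.dex"] = b"dex\n035\x00patched"  # the "zip FlappyBird.apk classes.dex" step
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        for n, b in files.items():
            z.writestr(n, b)
    return buf.getvalue()
```

A repack that goes through the jarsigner step passes this check, because jarsigner rewrites the manifest; telling a debug-key repack from the developer's release needs a comparison of the signing certificate in CERT.RSA, which is outside what this block does.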
