Hacking Android APK Tutorial

Hacking Android APK Tutorial

Tutorial on hacking an Android APK file, which is an android app file, we decompile, hack it, and recompile. I will go through the setup and basic commands.

Introduction to APK format

Apps in Android have an extension of .apk format - which is basically a special .zip container that is signed with a certificate. The signer could be somebody like Google Apps Store. The idea is that modifying the .apk file means the signature is invalidated, to prevent installation of modified apps.

The main line of defence from installing malicious APK files is to make sure they are downloaded from the Google Apps Store. But once the APK (app) is in the users’ hands, it is unprotected. Most premium apps can be rooted, so ripping apps is easy.

Introduction to modifications

Modifying an APK file is somewhat difficult, depending on the quality of the app. The Dalvik (Android’s virtual machine), prevents code obfuscation - which is the deliberate act of creating hard to understand code. Since the Dalvik supports reflection, and the virtual machine has to be able to interpret the byte code, no obfuscation can ever hope to compete. Note, reflection is the ability of a computer program to examine and modify the structure and behavior - specifically the values, meta-data, properties and functions of an object at runtime. Obfuscation products like ProGuard may become more advanced with time but intense obfuscation will likely have a very negative impact on performance.

ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names. Finally, it preverifies the processed code for Java 6 or for Java Micro Edition.

High level overview:

  1. Suppose I have an APK file
  2. I want to decompile it into something like assembly language
  3. We can do that using the APK Tool, which turns decompiles it into a folder with smali files.
  4. You should know what a smali file is – basically assembly code.
    See https://code.google.com/p/smali/
  5. Then we dig through the smali code and make change to get our desired results.
  6. I will cover this lightly. Exactly what to change and how to find it is beyond my scope of knowledge, I only understand basic ideas. Also, there textbooks on how to analyse decompiled code.
  7. We recompile the smali file into APK file
  8. Install and test it on the emulator
  9. Done.

The Setup

To start playing with your own modifications, you need several tools.

  1. Eclipse, to code your own apps (optional again, but the package manager is nice to use)
  2. Java SDK, to do Java development (optional really – but get it anyways)
  3. Android SDK, for the Android emulator
  4. APK Tool, to reverse engineer APK files and create smali files
  5. Notepad++, a great program that has syntax highlighting addon pack for smali
  6. Addon syntax highlighting for Smali
  7. Amon_RA’s Testsign tool, for signing the recompiled APK file

The Usage

This will be a walkthrough on how to start your hack.

There’s a nice guide on how to setup everything on the Android SDK website; http://developer.android.com/sdk/installing/index.html

To run the Android emulator, use their Android Virtual Devices Manager. Make a choice in what you want your device to be; just keep in mind the higher the resolution the slower it’ll be. Expect the emulator to run with heavy lag. My manager is located at:

C:\Program Files (x86)\Android\android-sdk\AVD Manager.exe

Open up a terminal, cmd. Most of the tools you require are in the ..\android-sdk\platform-tools folder. Some of them may be in ..\android-sdk\tools

In this terminal, there are some commands you want to be familiar with.



abd install [..\location\someapp.apk] Installs to emulator. Make sure emulator is on!
adb uninstall [com.someapp] Exactly what to type requires a bit of work, it’s basically the path the android uses. I’ll describe it more later.
apktool.bat d someapp.apk dump- someapp Decompiles your APK to smali files
apktool.bat b dump- someapp someapp-new.apk Rebuild the edited smali files
java –classpath testsign.jar testsign someapp-new.apk Fake sign the file with some certificate, so that when we install, emulator goes “oh ok here’s the signature, and it matches the file, we can proceed”


Digging through the decompiled smali code

I’m going to cover this vaguely, because I myself am not that familiar with it. Basically you look at the smali files, the xml files, and find interesting stuff that you think is relevant to what you want to do.

Start at a point, such an error message, and work backwords. Say the message “Invalid serial key entered!” – trace that back to where the key gets checked.

When bypassing things like serial key checks, look for check conditions:

  • If-eq
  • If-ne
  • If-nez
  • If-eqz

Since applications don’t have a console to print to, you could have it print to logs or print as a toast popup message. http://en.wikipedia.org/wiki/Toast_(computing) Also, logs can be viewed with the ..\tools\monitor.bat tool.

When digging through smali code, you definitely need to refer to Dalvik opcodes for syntax and usage: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

Terminate transmission

Thanks for reading. That’s all folks. I’ll update this as I figure out more and more.




5 thoughts on “Hacking Android APK Tutorial

  1. Ray

    Hey sunai, Thanks for the detailed article. This was a good read. Please provide more information about editing smali code if possible. Also, put light on recomping too as many apk shows errors on recompiling.

    Thanks again for your efforts.

  2. Alien

    Im trying to modify an Android APK to jump a key file verification.
    I want to do that in order to learn smali and Baksmali and to improve protection of future Apps or APK files.

    What i done so far:
    1-Decompile APK to smali files
    2-Look in to AndroidManifest.xml to locate Activity:

    So the main activity is AcercaDe.
    3- On AcercaDe.smali there is a call to a funtion with return boolean value:
    invoke-virtual {v2, v3}, Landroid/os/Bundle;->containsKey(Ljava/lang/StringZ
    I try to change conditional if-eqz or if-nez but i cant figure out how to skip or jump this check.
    I will attach the APK file just in case anyone want to try it.

    Any help or ligth will be apreciate.

    1. sunapi386 Post author

      Without taking a look at the code, I might try to negate the return value, or set the variable itself. Sorry can't be much more help. Perhaps I should turn my blog into a wiki style, so that others may improve the article. Good luck.


Leave a Reply

Your email address will not be published. Required fields are marked *