Hacking Android APK Tutorial
Tutorial on hacking an Android APK file, which is an android app file, we decompile, hack it, and recompile. I will go through the setup and basic commands.
Introduction to APK format
Apps in Android have an extension of .apk format – which is basically a special .zip container that is signed with a certificate. The signer could be somebody like Google Apps Store. The idea is that modifying the .apk file means the signature is invalidated, to prevent installation of modified apps.
The main line of defence from installing malicious APK files is to make sure they are downloaded from the Google Apps Store. But once the APK (app) is in the users’ hands, it is unprotected. Most premium apps can be rooted, so ripping apps is easy.
Introduction to modifications
Modifying an APK file is somewhat difficult, depending on the quality of the app. The Dalvik (Android’s virtual machine), prevents code obfuscation – which is the deliberate act of creating hard to understand code. Since the Dalvik supports reflection, and the virtual machine has to be able to interpret the byte code, no obfuscation can ever hope to compete. Note, reflection is the ability of a computer program to examine and modify the structure and behavior – specifically the values, meta-data, properties and functions of an object at runtime. Obfuscation products like ProGuard may become more advanced with time but intense obfuscation will likely have a very negative impact on performance.
ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names. Finally, it preverifies the processed code for Java 6 or for Java Micro Edition.
High level overview:
- Suppose I have an APK file
- I want to decompile it into something like assembly language
- We can do that using the APK Tool, which turns decompiles it into a folder with smali files.
- You should know what a smali file is – basically assembly code.
- Then we dig through the smali code and make change to get our desired results.
- I will cover this lightly. Exactly what to change and how to find it is beyond my scope of knowledge, I only understand basic ideas. Also, there textbooks on how to analyse decompiled code.
- We recompile the smali file into APK file
- Install and test it on the emulator
To start playing with your own modifications, you need several tools.
- Eclipse, to code your own apps (optional again, but the package manager is nice to use)
- Java SDK, to do Java development (optional really – but get it anyways)
- Android SDK, for the Android emulator
- APK Tool, to reverse engineer APK files and create smali files
- Notepad++, a great program that has syntax highlighting addon pack for smali
- Addon syntax highlighting for Smali
- Amon_RA’s Testsign tool, for signing the recompiled APK file
This will be a walkthrough on how to start your hack.
There’s a nice guide on how to setup everything on the Android SDK website; http://developer.android.com/sdk/installing/index.html
To run the Android emulator, use their Android Virtual Devices Manager. Make a choice in what you want your device to be; just keep in mind the higher the resolution the slower it’ll be. Expect the emulator to run with heavy lag. My manager is located at:
C:\Program Files (x86)\Android\android-sdk\AVD Manager.exe
Open up a terminal, cmd. Most of the tools you require are in the ..\android-sdk\platform-tools folder. Some of them may be in ..\android-sdk\tools
In this terminal, there are some commands you want to be familiar with.
|abd install [..\location\someapp.apk]||Installs to emulator. Make sure emulator is on!|
|adb uninstall [com.someapp]||Exactly what to type requires a bit of work, it’s basically the path the android uses. I’ll describe it more later.|
|apktool.bat d someapp.apk dump- someapp||Decompiles your APK to smali files|
|apktool.bat b dump- someapp someapp-new.apk||Rebuild the edited smali files|
|java –classpath testsign.jar testsign someapp-new.apk||Fake sign the file with some certificate, so that when we install, emulator goes “oh ok here’s the signature, and it matches the file, we can proceed”|
Digging through the decompiled smali code
I’m going to cover this vaguely, because I myself am not that familiar with it. Basically you look at the smali files, the xml files, and find interesting stuff that you think is relevant to what you want to do.
Start at a point, such an error message, and work backwords. Say the message “Invalid serial key entered!” – trace that back to where the key gets checked.
When bypassing things like serial key checks, look for check conditions:
Since applications don’t have a console to print to, you could have it print to logs or print as a toast popup message. http://en.wikipedia.org/wiki/Toast_(computing) Also, logs can be viewed with the ..\tools\monitor.bat tool.
When digging through smali code, you definitely need to refer to Dalvik opcodes for syntax and usage: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
Thanks for reading. That’s all folks. I’ll update this as I figure out more and more.