Hacking Android Application: Secret Diary

Sayli Ambure, published in The Startup
Jun 7, 2020 (11 min read)

Introduction

Android applications have become part of our everyday life. We use apps for literally everything, from ordering food to playing chess or PUBG, but as a user, have you ever wondered whether all these apps are really secure, how they use your data, and how an attacker might use that data?

In this blog we'll talk about how an attacker can break into an app, or tamper with the app itself, and take advantage of it. We'll take a very generic app, reverse it and see what we can do as an attacker.

First things first, it's time to explain the architecture of Android. Nothing deep, just the necessary basics.

Architecture of Android

Android Architecture (credit)

1. Kernel: The kernel is the core of the Android architecture. Android is built on the Linux kernel, the most important component of the stack. It acts as the abstraction between the device hardware and the upper layers of the architecture, and manages all the device drivers (camera, WiFi, flash memory, display, keypad, Bluetooth, audio) that provide basic functionality at runtime.

2. Libraries: These are the C/C++ core libraries and Java-based libraries that many core Android system components depend on and that Android development builds upon. This layer handles hardware-specific data.

  • For example, the Surface Manager manages access to the display subsystem
  • SQLite provides database support
  • WebKit displays web content and simplifies page loading
  • The Media library plays and records audio and video formats

3. Android Runtime: This is the engine that powers our applications together with the libraries, and it forms the basis of the application framework. It contains the core libraries and the Dalvik VM, which together run Android applications.

  • The core libraries let you implement Android applications in the standard Java programming language.
  • The Dalvik VM is like the JVM but designed and optimised for Android: it is faster, consumes less memory and can run multiple instances efficiently.
  • Java source code is compiled with javac (part of the JDK) into .class files. The Java bytecode in those .class files is then converted into .dex files with the dx tool, because the Dalvik VM has its own bytecode format.
Compiling with DVM (Credit)

4. Application Framework: It provides the application programming interface and the higher-level services used to build Android applications. It also contains another API layer, the HAL (Hardware Abstraction Layer), which lets you use device-specific hardware such as the gyroscope, camera or IR blaster. These in turn communicate with the kernel via vendor-specific device drivers.

» The application framework consists of the following key services:

  • Activity Manager: Manages the lifecycle of activities; the methods of this class are also used for testing and debugging.
  • Content Provider: Makes an application's data available to other components and applications.
  • Resource Manager: Provides access to non-code resources.
  • Notification Manager: Lets the user be notified about actions happening in the background.
  • View System: Acts as the base class for widgets and is responsible for event handling.

5. Applications: The top layer of the Android architecture is the applications themselves, the ones you interact with. It could be anything from a GPS navigator that uses the built-in GPS receiver to a game that uses the device's graphics rendering. These are typically written in Java and compiled to Java bytecode so that they can run in the Dalvik VM. Whatever apps we build are installed in this layer.

Secret Diary:

This is a simple Android diary app in which the user can enter data as text, pictures and audio and save it. It also has an option to set a password so that nobody else can read your secret entries. Like any other free Android application, it is filled with ads; if you want to opt out of the annoying ads you have to pay for the premium option, which removes all ads from the app.

So now we have a few targets to think about:

  1. Bypass the Authentication functionality of diary app or steal the credentials.
  2. Steal the daily entries and other details from the diary.
  3. Crack the premium membership.

Structure of APK file:

An APK file is a ZIP archive that contains everything an Android application needs to operate: the application code in DEX format, the application manifest, resources, assets, etc. To be installable, an APK must be digitally signed with a certificate.

Here are the main components of an Android APK:

  • AndroidManifest.xml: Application’s package name, version, access rights, referenced libraries and other metadata in binary XML format.
  • classes.dex: Classes compiled in .dex file format understandable by Dalvik VM.
  • resources.arsc: Precompiled resources.
  • res/ folder: Resources that are not compiled into resources.arsc.
  • lib/ folder: Compiled code for native implementation.
  • assets/ folder: Application’s assets.
  • META-INF/ folder: MANIFEST.MF file, which stores metadata about the application. It also contains the certificate and signature of the APK.
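To show the layout above in a form you can check programmatically, here is an added example (my code, not the post's or the Secret Diary app's) that builds a constructed in-memory APK containing the entries just listed and then inventories it with Python's zipfile module. The file names under res/, lib/ and assets/ are assumptions and every entry body is a dummy. One caveat worth knowing: only the old v1 (JAR) signature lives in META-INF/; v2 and v3 signatures are stored in the APK Signing Block outside the ZIP entries, so an APK with no CERT.RSA is not necessarily unsigned, and `apksigner verify` is the authoritative check.

```python
import io
import zipfile

# Constructed in-memory APK: a plain ZIP holding the entries the post lists.
# The file names under res/, lib/ and assets/ are assumptions; the bodies are dummies.
SAMPLE_ENTRIES = (
    "AndroidManifest.xml", "classes.dex", "classes2.dex", "resources.arsc",
    "res/layout/activity_main.xml", "res/drawable/icon.png",
    "lib/arm64-v8a/libnative.so", "lib/armeabi-v7a/libnative.so",
    "assets/help.html",
    "META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA",
)


def build_sample_apk(entries=SAMPLE_ENTRIES):
    """Return the bytes of a ZIP with the given entry names (dummy contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name in entries:
            z.writestr(name, b"dummy")
    return buf.getvalue()


def inventory(apk_bytes):
    """Classify every ZIP entry into the APK components described above."""
    counts = {k: 0 for k in ("manifest", "dex", "arsc", "res", "lib", "assets", "meta", "other")}
    abis = set()
    v1_sig_blocks = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name == "AndroidManifest.xml":
                counts["manifest"] += 1
            elif name.startswith("classes") and name.endswith(".dex"):
                counts["dex"] += 1          # classes.dex, classes2.dex, ... (multidex)
            elif name == "resources.arsc":
                counts["arsc"] += 1
            elif name.startswith("res/"):
                counts["res"] += 1
            elif name.startswith("lib/"):
                counts["lib"] += 1
                abis.add(name.split("/")[1])   # lib/<abi>/<file>.so
            elif name.startswith("assets/"):
                counts["assets"] += 1
            elif name.startswith("META-INF/"):
                counts["meta"] += 1
                if name.endswith((".RSA", ".DSA", ".EC")):
                    v1_sig_blocks.append(name)  # v1 (JAR) signature block
            else:
                counts["other"] += 1
    return {
        "counts": counts,
        "abis": sorted(abis),
        "v1_signature_blocks": v1_sig_blocks,
        # Absence of a v1 block does not prove the APK is unsigned: v2/v3
        # signatures live in the APK Signing Block, not in META-INF/.
        "has_v1_signature": bool(v1_sig_blocks),
    }


if __name__ == "__main__":
    print(inventory(build_sample_apk()))
```

Running the block on a real APK is just `inventory(open("app.apk", "rb").read())`; the native ABI list is useful to know before decompiling, because `lib/` code is not covered by the smali you get from Apktool.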

Main Components of an Android App:

App components are the essential building blocks of an Android app. Each component is a different point through which the system can enter your app.

Activities: An activity is one screen of the app's user interface with which the user can interact. An app can have multiple activities for multiple screens. They can be exported, allowing other processes on the device to launch the activity. By default they aren't exported, but you can export them by setting android:exported="true".

Services: They run in the background without any UI. Intents are the default way to start services. Services are not exported by default; to allow other processes to start one, it must be exported explicitly in the manifest.

Broadcast Receivers: They respond to system-wide broadcast announcements. They act as a "gateway" for other app components and usually do minimal work, for example a battery-low receiver that lets an app adjust the device behaviour accordingly.

Intents: Used to bind components together so that they can communicate efficiently.

Intent filter: Specifies the type of intent a particular component can respond to.

Content Providers: They store data and share it with other applications when required. The data may live in a database, on the web, in the file system or anywhere else. If the content provider allows it, other apps can query or even modify the data.

Installing the APK

Download the Secret Diary APK and install it using ADB or manually. Set up the app on the phone and add a few entries to get started.

adb install <apk_file>

Extracting APK

We will use Apktool to extract and decompile the APK.

$ apktool d <apk file>

Once it's decompiled, Apktool creates a folder named after the APK containing everything we need to hack the app.

These are the decompiled files in the folder:

AndroidManifest.xml

First let’s look into AndroidManifest.xml. As discussed before, it contains information regarding the permissions and preferences of the app needed to interact with the underlying OS.

AndroidManifest.xml : Permissions

As we can see, the app requests a lot of permissions for a simple diary. Some of them, such as ACCESS_NETWORK_STATE and access to external storage, could be dangerous if the app ever decided to bundle malware.

Now, let’s talk about the activities listed in AndroidManifest.xml file and how we can use them to bypass the security mechanism of the application.

Following activities are being used in Secret Diary app:

AndroidManifest.xml : Activities

Notice that none of these activities declares the "android:exported" attribute, which means a user with higher privileges (root) can call any of them directly. For example, malware with a working exploit could launch the activity directly and bypass the app's security mechanism.

In our case we will use a rooted device, so we can call the activity directly with the 'am' command from an ADB shell on the device.

# am start com.ennesoft.secretdiary/.ChangePwdActivity

Password Reset using Activity

Similarly, you can call the "DisablePwdActivity" activity directly to disable the password and get access to the diary. 🤭

One more thing we could do is set android:exported="true" by patching AndroidManifest.xml, so that any shell user can call this activity.
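From the defender's side, the fix for the manifest issue above is to declare android:exported explicitly on every component and set it to "false" on anything that need not be launched from outside the app. The following is an added example (my code, not the post's or the Secret Diary app's): a small Python audit of an apktool-decoded AndroidManifest.xml that flags three things: components that don't declare android:exported at all, components that carry an intent-filter but no android:exported (these are exported by default on Android 11 and earlier, and apps targeting Android 12 or later must declare the attribute explicitly), and components exported with no android:permission guarding them. The sample manifest is constructed; the ChangePwdActivity and DisablePwdActivity names and the package name come from the post, while MainActivity, SyncService and all attribute values are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree's qualified-attribute prefix
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample in the shape Apktool writes after `apktool d`.
# Package and the two *PwdActivity names are from the post; the rest is assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.ennesoft.secretdiary">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ChangePwdActivity"/>
    <activity android:name=".DisablePwdActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"/>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return (fully qualified component name, finding) pairs."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(A + "name", "?")
        if name.startswith("."):            # ".Foo" is shorthand for "<package>.Foo"
            name = pkg + name
        exported = comp.get(A + "exported")
        has_filter = comp.find("intent-filter") is not None
        has_perm = comp.get(A + "permission") is not None
        if exported is None and has_filter:
            findings.append((name, "implicitly exported: has an intent-filter but no "
                                   "android:exported (required on Android 12+)"))
        elif exported is None:
            findings.append((name, "android:exported not declared; set it explicitly "
                                   "(\"false\" unless other apps must launch it)"))
        elif exported == "true" and not has_perm:
            findings.append((name, "exported without an android:permission guard"))
    return findings


if __name__ == "__main__":
    for component, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{component}: {finding}")
```

On a decoded APK you would feed it the file: `audit_manifest(open("AndroidManifest.xml", encoding="utf-8").read())`. The LAUNCHER activity legitimately has to be exported, so its finding is only a request to make that explicit; the ChangePwdActivity finding is the one that matters for this app.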

Insecure data storage

This is another common issue in almost all apps. Even some well-known applications don't follow secure-storage guidelines, relying on the Android sandbox instead: because every process is sandboxed, other processes cannot read or write another app's data unless the app allows it. But if the underlying OS is vulnerable to a publicly available exploit, it is possible to access the data of individual applications.

Let's see how we can exploit this. Connect the device over ADB and start a root shell session. Go to "/data/data/com.ennesoft.secretdiary/", where all of the app's data lives.

Usually configuration files are located inside shared_prefs, and any other data is saved under the databases folder.

Let's see if we can find something in the shared_prefs folder.

Nothing specific to look at here. Now let's check inside the databases folder, where there is one database file. We can use the sqlite3 tool or any other SQLite database viewer to see its content. With such a tool we can open the file and browse the tables.

First, let's copy the databases folder off the device so that the SQLite tool can access it.

In the SQLite viewer we can see that the content of the diary is saved in the database file in plain text.

Similarly, the password "yayy" is saved in plain text in the same file, in the Settings table. We can now modify or tamper with the database to attack the user.

Code tampering:

Now comes the most interesting part of the blog, it’s time to reverse engineer the application and get the premium membership.

First, open the apk file in Jadx-gui as shown.

Usually the core functionality of any app is inside the app's package (in this case com.ennesoft.secretdiary). Go inside and look for classes or functions that deal with premium membership. In the class InAppAdsActivity there's a function called onQueryInventoryFinished, which looks like the first part of the code that verifies the purchase. Let's see what exactly the code does.

Code to modify

In onQueryInventoryFinished, the line below sets the flag:

InAppAdsActivity.this.mIsPremium = premiumPurchase != null && InAppAdsActivity.this.verifyDeveloperPayload(premiumPurchase);

The application checks that premiumPurchase is not null and that the purchase is verified without error. Only if both conditions are true is mIsPremium set to true; in every other case it stays false.

Now that we know what the code does, let’s try to modify and patch the code. As we need to do it in Smali code, we will open the same class in the decompiled folder of the APK:

Path:

/Secret\ Diary_v6.7_apkpure.com/smali/com/ennesoft/secretdiary/

Now this section looks like black magic, but it is pretty simple if you have learnt assembly or BASIC.

★ Here are a few Dalvik opcodes along with their explanations and examples, to help read the smali code below:

Dalvik Opcodes and their explanation(Credit)

Now, open InAppAdsActivity$2.smali file and check out the logic for mIsPremium.

/Secret\ Diary_v6.7_apkpure.com/smali/com/ennesoft/secretdiary/InAppAdsActivity$2.smali

Here (line 118) is the first part of the logic: it checks the premiumPurchase reference and jumps to cond_2 if it is 0 (null).

The second part (line 126) verifies the purchase and jumps to cond_2 if the result is 0 (false).

If both conditions are true, execution skips those jumps and loads v1 = 1, which is then stored in mIsPremium. Our objective is to modify it so that even when both checks are false the result is still true, so that mIsPremium is always true no matter what.

Another way to do it is to invert the conditions (lines 118 and 126) so that the jump to cond_2 happens when the result is not 0. Then things get reversed: you get premium access if you didn't purchase the membership, and if you did, you won't, because the code goes to cond_2 whenever the value is non-zero.

/Secret\ Diary_v6.7_apkpure.com/smali/com/ennesoft/secretdiary/InAppAdsActivity$2.smali

Now, in cond_2 (line 185), we replace "move v1, v2" with "const/4 v1, 0x1" (see the image below), which sets v1 to 1.

Modified smali code

Now that we have modified the class, let’s compile it back.

To compile, we will use same Apktool:

apktool b <apk folder> -o apk_name.apk

Using the rebuilt APK, we can reopen it in Jadx-gui and check whether the patched part is correct.

We can see the changed logic here:

We can't install the rebuilt app directly: the APK was signed before we patched it, so the signature no longer matches its contents. We need to re-sign it before installing.

We can use the d2j-apksign tool for this. Just pass the APK to that tool and we get a signed APK.

Now install the APK using ADB or directly from storage. Open the app and you can see the free premium version of the application with no annoying ads.

Mitigations:

These issues can be avoided by taking precautions such as:

  • Remove unnecessary or dangerous Android permissions.
  • Never store credentials on the phone's file system. Force the user to authenticate against a standard web or API login scheme (over HTTPS) every time the application is opened.
  • Use a strong encryption algorithm if storing data locally is necessary. Force encryption of local file stores using "setStorageEncryption".
  • For a secure database, use SQLCipher for SQLite data encryption.
  • Obfuscate the code thoroughly using DexGuard/ProGuard.
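The plaintext password found in the Settings table earlier, and the "never store credentials" and "use strong encryption" points above, come together in the following added example (my code, not the post's or the Secret Diary app's; written in Python as a model of what the app should do, not with Android APIs). It puts the leaky pattern next to a hardened one: the diary's lock screen works offline, so instead of the secret itself the app should keep only a random salt and a slow PBKDF2-HMAC-SHA256 hash, and compare in constant time. The Settings table name comes from the post; its key/value column layout and the iteration count are assumptions. The `secret_visible_in_db` function repeats the check the post did by hand in a SQLite viewer.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption: a 2023 OWASP-style work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def _ensure_settings(conn):
    # Constructed schema modelled on the post's Settings table (key/value rows).
    conn.execute("CREATE TABLE IF NOT EXISTS Settings (key TEXT PRIMARY KEY, value TEXT)")


def store_password_plaintext(conn, password):
    """What the post found on the device: the diary password stored verbatim."""
    _ensure_settings(conn)
    conn.execute("INSERT OR REPLACE INTO Settings VALUES ('password', ?)", (password,))


def store_password_hashed(conn, password):
    """Hardened version: keep only a random salt and a slow, salted hash."""
    _ensure_settings(conn)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    conn.execute("INSERT OR REPLACE INTO Settings VALUES ('password_salt', ?)", (salt.hex(),))
    conn.execute("INSERT OR REPLACE INTO Settings VALUES ('password_hash', ?)", (digest.hex(),))


def verify_password(conn, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    rows = dict(conn.execute(
        "SELECT key, value FROM Settings WHERE key IN ('password_salt', 'password_hash')"))
    if "password_salt" not in rows or "password_hash" not in rows:
        return False
    salt = bytes.fromhex(rows["password_salt"])
    expected = bytes.fromhex(rows["password_hash"])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(actual, expected)


def secret_visible_in_db(conn, secret):
    """The check the post did by hand in a SQLite viewer: is the secret readable as-is?"""
    return any(secret in value for (value,) in conn.execute("SELECT value FROM Settings"))


def demo(password="yayy"):
    """Leaky and hardened stores side by side; returns what each one exposes."""
    leaky = sqlite3.connect(":memory:")
    store_password_plaintext(leaky, password)
    hardened = sqlite3.connect(":memory:")
    store_password_hashed(hardened, password)
    return {
        "plaintext_visible": secret_visible_in_db(leaky, password),
        "hashed_visible": secret_visible_in_db(hardened, password),
        "correct_accepted": verify_password(hardened, password),
        "wrong_rejected": not verify_password(hardened, password + "!"),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats that the hardened version does not remove: a four-character password like "yayy" still falls to offline guessing in seconds once the database is copied, hashed or not, so the entries themselves need to be encrypted (the SQLCipher point above) under a key held in the Android Keystore rather than derived from the lock password alone; and an attacker with root can still delete the two rows, which is exactly why a server-side login, as the second bullet suggests, is the stronger design.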

Hope you enjoyed it as much as I did. I'm adding a few references here that I found useful.

Keep hacking and stay safe.

See you next time!! 👻 Until then,

Do connect with me on LinkedIn or Twitter! 👽
