This is the first article in this series “What’s inside my app”, this series will focus on reverse-engineering and strip android apps down to their original base code -or at least try to get the original one. In each article i will be picking an android app from the play store, decompile it and lay for you all the things underneath it hood.
Feel free to suggest if you have any app and challenge me to reverse engineer it for you.
In today’s article, we will be talking about “Who touched my phone?” android app. The app has over 1 Million downloads and over 23K reviews most of them 5 stars reviews.
Who touched my phone? (WTMP) is an application with a focus on privacy, it will record for you those who are trying to snoop on your phone without you noticing, using your front camera in the background. The records on the app will allow you to see when, who and what apps did this person used while you are away.
Once you’ve installed the app, your open it, go through the different permissions dialog and then you start the app. You can dismiss the app as it’ll be running on the background, once your device went to sleep and the screen is off, it then start recording when who ever pick the phone and start using it, first by taking a picture of the person using it and also recording all the apps that person went through.
Summary of the App
Now this is the fun part where we’ll decompile and reverse engineer the app, for that i will be using a tool that i created Decompile My Apk , it’s an easy to use shell script which combines couple of other tools that helps in the process of retrieving the Java Classes from the Apk.
The repo structure, from first sight it looks well structured, lot of permissions-we’ll talk on that in a while, activities, fragments, Job scheduler, Services.
The app is developed under the MVVM (Model, View, ViewModel) architecture with Dagger for dependency injection, Data Binding (to bind UI components in your layouts to data sources) , Navigation and Lifecycle component (which is part of the Jetpack components that can manage complex navigation, transition animation and provides classes and interfaces that let you build lifecycle-aware components — which are components that can automatically adjust their behavior based on the current lifecycle state of an activity or fragment). The App also support multiple languages.
Let see which libraries and dependencies the app uses:
AndroidX : it is a major improvement to the original Android Support Library, which is no longer maintained. AndroidX packages fully replace the Support Library by providing feature parity and new libraries. it includes dependencies such as: WorkManager (API makes it easy to schedule deferrable, asynchronous tasks that must be run reliably), ViewPager(Layout manager that allows the user to flip left and right through pages of data), ViewBinding(Data Binding), Room DB, RecyclerView(A flexible view for providing a limited window into a large data set), Navigation, LocalBrodcastManager(Helper to register for and send broadcasts of Intents to local objects within your process), Lifecycle, Biometric(includes a biometric prompt UI out of the box).
BillingClient : It provides convenience methods for in-app billing. You can create one instance of this class for your application and use it to process in-app billing operations.
Glide : is a fast and efficient open source media management and image loading framework for Android that wraps media decoding, memory and disk caching, and resource pooling into a simple and easy to use interface.
Firebase Crashlytics : is a lightweight, realtime crash reporter that helps you track, prioritize, and fix stability issues that erode your app quality.
FasterXML Jackson : This project contains core low-level incremental (“streaming”) parser and generator abstractions used by Jackson Data Processor. It also includes the default implementation of handler types (parser, generator) that handle JSON format.
Gson : is a Java serialization/deserialization library to convert Java Objects into JSON and back.
Dagger : is a fast dependency injector for Java and Android. Dagger is a compile-time framework for dependency injection. It uses no reflection or runtime bytecode generation, does all its analysis at compile-time, and generates plain Java source code.
OpenCensus : is a toolkit for collecting application performance and behavior data. It currently includes 3 apis: stats, tracing and tags.
PACKAGE_USAGE_STATS : Android provides System services to access device usage history and statistics but accessing these System services are only supported from API level 21 and above, and to use it you’ll need to request this permission. Granting this permission will allow to use the API to access the app usage time as well as the network. In this case, the app uses it to keep track of the apps being launched.
FOREGROUND_SERVICE : Due to Android battery optimizations introduced in Android 8.0 (API level 26), background services have now some important limitations. Essentially, they are killed once the app is in background for a while making them worthless for our purpose of running an always-running service. One way to make your service running endlessly is by making a foreground service, which performs some operation that is noticeable to the user through a persistent notification. foreground services are use to monitor the device and keep track of what happening continuously even if the app is dismissed.
CAMERA : obviously to access the camera module and be able to take pictures using front camera, you need to ask the user to grant this permission.
USE_BIOMETRIC : to access the biometric module, you’ll need to declare this permission and use the Biometric Manager for different operation. In this case, the app uses it to keep track if someone is unlocking their device with the fingerprint sensor.
READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE : user should implicitly asked to grant this permission, to allow to perform read and write operation on the external storage of the device.
SYSTEM_ALERT_WINDOW : Allows an app to create windows using the type WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. User should implicitly be asked to allow the app to run overlay on top of other apps.
WAKE_LOCK : Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming, and avoid the app (the process) to be killed by the system on sleep mode or when screen turns off.
com.android.vending.BILLING : for In-app billing services which relies on the Google Play application and handles all communication between your application and the Google Play server. To use the Google Play application, your application must request this permission.
REQUEST_DELETE_PACKAGES : The permission allows an application to request deleting packages.
ACCESS_NETWORK_STATE : Allows applications to access information about networks and check if the different status about the network you connected on.
RECEIVE_BOOT_COMPLETED : Allows an application to receive the Intent.ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting. If you don't request this permission, you will not receive the broadcast at that time.
INTERNET : Allows applications to open network sockets.
General Overview of the code base
The app is packaged and structured as follow:
View : includes all the fragments that the app uses, such as AboutFragment, AuthFragment, RateAppFragment, SettingsFragment…
ViewModel : it has only one view model, which is the HomeViewModel, it observes over the new reports generated by the repository and add them to the Main View, also set enable/disable app.
Utils : it has different Utilities classes that are needed by the app such as: isServiceRunning(), isNetworkAvailable(), NotificationUtils….
Repo : it has an interface and an AppRepository class which implement it, the Class manages the reports data, it does operations on the DAO (data access object), creates new reports, fetch, update, delete…
Di : the repo includes the dagger app component and app modules needed by the app to provide dependency injection.
DataBinding : generated by the Data Binding Library, which is with purpose to bind UI components in thelayouts to data sources.
Database : the Room persistence library which is part of Jetpack, provides an abstraction layer over SQLite to allow for more robust database access while harnessing the full power of SQLite. this repo includes all the abstraction layers needed to create a Room SQLite DB. First, we have the Entity which is the model of the data saved in the DB some of the information which saved such as: beginTime, endTime, attemptsNum, photoPaths… The DAO (Data Access Object) includes all the operations done to the DB, fetch, update, add, delete…Finally, the converters, as the DB accept only primitive data type, you need to convert object data type such as Lists or Arrays to String using Gson.toJson().
Core: this includes all core services and all functionality and processing used by the app is implemented in this section. you’ll get the camera sub-repo with all operation and services needed by the app to access the camera module. screen sub-repo, to monitor when the screen is off and start listening in background. sync sub-repo , which manages and syncs the report over at Google drive (if you enable this feature), the service includes an alarm and worker to make sure your reports are synced with your google drive in specific intervals.
Adapters: these are the adapters for the RecyclerView, ViewPager… with the purpose to populate data inside whatever view is bounded to.
Veridct and Score
Final score, the app is very easy to reproduce and clone it functionality. from decompiling the APK file, you’ll get to understand all the logci and how it function and you can pretty easily reproduce any functionality you want.