The Journey of Debugging Hacked CarInfo App

Pratham Khurana
Published in Carinfo App, 6 min read, Jun 28, 2023

How we at CarInfo tried to get the ad-free version of our app off the market. 🚀

Many apps, and many developers, depend entirely on ads revenue (from Google or another ads provider). Developers invest their valuable time and effort into crafting user-friendly features, while Product Managers strategise to convert users into paying customers through targeted marketing initiatives.

However, when the team discovers that an ad-free version of the app is available, resulting in a significant loss of revenue, it can make them feel defeated, as if they are losing control of the game. So, let's start with some basics.

What does CarInfo do?

CarInfo is a vehicle management platform. Vehicle owners can use the app to verify registration details, check challans, recharge FASTag, set reminders for insurance and pollution expiry dates, manage documents, and so on. Basically, whatever is needed during the lifetime of owning a car or bike, CarInfo is the app that helps you do it smoothly.

So, when the team discovered the ad-free version, instead of letting the hackers claim victory, the team at CarInfo came together to investigate how they had managed to disable the ads in the app.

Debugging begins from here

To clarify our objective: we aim to determine how the individual was able to disable the ads and rebuild the APK. Once we know that, we can take appropriate measures to prevent it from happening again and effectively address the issue.

So, starting from the start. What we had with us:

  1. The release APK of our app in which ads are not showing.
  2. The website/source from which we downloaded the APK.

First, we wanted to decompile the hacked app. Thanks to open source, we found a very nice tool for that:

Jadx (https://github.com/skylot/jadx)

Overview of Jadx: it provides command line and GUI tools for decompiling release APK files.

So we installed jadx-gui on our system and gave it the hacked APK to get the decompiled project.

Guess what: we got the whole obfuscated code of our own app. We saved the decompiled project as a Gradle project and opened it in Android Studio.

When we opened the project, it was literally a zombie project. Even we could not understand what we had written 😅 in a fragment or an activity. To give you a hint of what a decompiled project looks like, it was something like this:

Decompiled release project

There were a lot of unknown files present here and there. So, for reference, we opened our own project too.

Now there are many modules and folders to look through, and the single-character names give no hint of which folder is which. So we started searching for the fragments or activities in which we had added the ads, and we were able to find some files.

The tasks we set ourselves:

  1. Let’s thoroughly examine all the XML files, fragments, and activities where we have integrated the ads code. Our objective is to identify any potential modifications or removal of the ads-related code snippets.
  2. Let’s investigate the common flag that controls the enabling or disabling of ads throughout the entire app. By identifying this flag, we can determine how the ads were globally turned off or manipulated.
  3. Let’s examine our internal code architecture for loading and displaying ads to determine if the logic used in the compromised version of the app matches our intended implementation.

Task 1

We searched for and opened all the fragments and activities in which we show ads and checked whether the ads code was still present in each of them. Guess what: all the code and logic was the same. There was no difference between the two projects.

Result so far: 0 Success✅ 1 Failed ❌

Task 2

We checked the common flags through which we load ads for the app. On further investigation, the keys were present in both shared preferences and encrypted shared preferences. Remarkably, all the keys appeared completely normal: their structure and content were consistent with what we expected, with no sign of irregularity or suspicious activity.

Result so far: 0 Success✅ 2 Failed ❌

Task 3

Tip: it is very difficult to navigate code in which everything is named with single letters, so thanks to the bookmark feature in Android Studio, we could add a bookmark on any line that looked important or could play a role in debugging the issue.

We tried to get to the module where the whole ads loading and showing code was written. We had to manually verify each and every line of those files against our own code. We tried, and tried, and tried again. And guess what: we failed here too. It was all the same, from the logic to the variable types to the variable default values. Each and everything was the same.

Result so far: 0 Success✅ 3 Failed ❌

After so many failures, what should we do? What's next?

Final Task

After these attempts, we decided to compare our Play Store release app with the hacked APK.

Note: previous versions of jadx-gui used to generate the same class and variable names for different APKs.

We already had the decompiled project of the hacked APK, and we generated the decompiled project of our release app from jadx-gui.

How do we compare two decompiled projects?

And here is the solution:

Git

Steps we followed for comparing:

  1. We created a new local repository with the git init command in the decompiled project of the hacked app.
  2. We did all the adds and commits, but we did not push the repository.
  3. Then we replaced all the files of the hacked project with the files from the decompiled project of our own app

and waited for the git magic to happen. And guys, we got our first success 🎉🎉. We got all the files that differed between our project and the hacked one. And you will not believe what we saw. We literally were not expecting this.

To explain the Google Ads SDK callback in simpler terms: when using the Google Ads SDK, there is a callback function that is triggered when an ad is ready to be displayed on the screen. This callback receives an "ad" object, which contains the information and resources needed to show the ad.

So we can use this ad object to show the ad on the screen and play around with its data.

The difference we saw in git was...

The hacked app did not have the body of this whole callback function, nor of the onAdFailed function. So basically, we were never getting an ad in the callback. And this was not only in our app but in the Google Ads SDK too: some lines were missing from the Google Ads SDK as well.
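An added example (not from the post, and not CarInfo's or Google's code) that reproduces the comparison from the git steps above and the finding about the hollowed-out callbacks: it diffs two constructed decompiled trees, a genuine one and a tampered one with hypothetical obfuscated class names, and flags ad callbacks whose bodies have been emptied.

```python
import difflib
import re
import tempfile
from pathlib import Path
# Constructed samples: the same decompiled AdListener from the genuine build
# and from the tampered build (hypothetical obfuscated names, not CarInfo's).
GENUINE_SRC = """public final class a extends AdListener {
    public void onAdLoaded() {
        this.b.setVisibility(0);
    }
    public void onAdFailedToLoad(LoadAdError e) {
        Log.e("ads", e.getMessage());
    }
}
"""
TAMPERED_SRC = """public final class a extends AdListener {
    public void onAdLoaded() {
    }
    public void onAdFailedToLoad(LoadAdError e) {
    }
}
"""
# Callbacks whose bodies a tampered build is most likely to hollow out.
WATCHED = ("onAdLoaded", "onAdFailedToLoad")
METHOD_RE = re.compile(r"void\s+(\w+)\s*\([^)]*\)\s*\{(.*?)\n\s*\}", re.S)

def hollow_methods(src: str) -> list:
    # Names of watched methods whose body is empty (whitespace only).
    return [name for name, body in METHOD_RE.findall(src)
            if name in WATCHED and not body.strip()]

def removed_lines(genuine: Path, tampered: Path) -> dict:
    # Per .java file: lines in the genuine tree that are gone from the tampered one.
    report = {}
    for path in sorted(genuine.rglob("*.java")):
        rel = str(path.relative_to(genuine))
        theirs = (tampered / rel).read_text().splitlines()
        diff = difflib.unified_diff(path.read_text().splitlines(), theirs, n=0)
        gone = [l[1:].strip() for l in diff if l.startswith("-") and not l.startswith("---")]
        if gone:
            report[rel] = gone
    return report
def demo() -> tuple:
    # Write both samples into temporary trees and compare them, like the git step.
    with tempfile.TemporaryDirectory() as tmp:
        g, t = Path(tmp, "genuine"), Path(tmp, "tampered")
        for root, src in ((g, GENUINE_SRC), (t, TAMPERED_SRC)):
            (root / "com/example/ads").mkdir(parents=True)
            (root / "com/example/ads/a.java").write_text(src)
        return removed_lines(g, t), hollow_methods(TAMPERED_SRC)
```

Run against real jadx output, the same two functions point straight at listener classes whose onAdLoaded and onAdFailedToLoad bodies were stripped, which is the signal the git diff surfaced here.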

Conclusion

So we got our answer to the how.

All the ads callback implementation was missing from the project, so we could not proceed once we got the ad, or we might not even have been getting the ad from Google, who knows?

Now we were curious how he was able to generate the APK after removing the code from the whole app. We will discuss this some other time.

If you learned something new from this post, don’t forget to hit the 👏 icon.

Always up for discussing anything cool, feel free to connect.
LinkedIn: Pratham Khurana
Twitter: Pratham Khurana
