The document discusses modifying closed-source Android apps by decompiling their APK files using tools like Smali and Baksmali, allowing developers to edit the app's code and resources and recompile it. It provides instructions for downloading an APK from a device, decompiling it to Smali code, making modifications, and rebuilding the APK to sideload the changed app. The speaker demonstrates this process and suggests other aspects of apps that can be modified like resources, third party APIs, and the app manifest.

1. Hack The Mob
Modifying closed-source apps

2. What is this talk about?
● Let’s talk about what is Android
● Let’s learn how to download APKs from Play Store
● Let’s modify those APKs
● Let’s push them back to our phone

3. `whoami`
Gil Megidish
CTO @ TestFairy
1337

4. Terminology 101
● What makes an Android app?
● Which languages can Android run?

5. Anatomy of an Android APK
$ unzip -v “FlappyFish.apk”
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
18580 Defl:N 3812 80% 08-02-15 00:57 cf40f8ff AndroidManifest.xml
8518360 Defl:N 3391501 60% 08-02-15 00:57 0e1cd99f classes.dex
395404 Defl:N 122825 69% 08-02-15 00:57 7bffff87 META-INF/MANIFEST.MF
395433 Defl:N 123483 69% 08-02-15 00:57 a657bd16 META-INF/CERT.SF
1139 Defl:N 1039 9% 08-02-15 00:57 6744aa28 META-INF/CERT.RSA

6. Getting APK from Play Store
$ adb shell pm list packages -f
package:/system/app/Gallery.apk=com.android.gallery
package:/data/app/com.fiverr.fiverr-1.apk=com.fiverr.fiverr
package:/data/app/com.touchtype.swiftkey-1.apk=com.touchtype.swiftkey
package:/data/app/com.scoompa.facechanger-1.apk=com.scoompa.facechanger
$ adb pull /data/app/com.fiverr.fiverr-1.apk
6620 KB/s (11723728 bytes in 1.729s)

7. Introducing Smali & Baksmali
● Decompiles and compiles Dalvik (DEX) files
● Written and maintained by Ben Gruver (@JesusFreke)
● https://bitbucket.org/JesusFreke/smali/
Instructions include:
invoke-virtual if-eq new-instance
goto return-void add-int

8. Sample Java code
package com.testfairy.app;
public class SecretCookie
{
private String privateKey;
public SecretCookie(String privateKey) {
this.privateKey = privateKey;
}
public boolean verifyPrivateKey(String otherKey) {
return privateKey.equals(otherKey);
}
}

9. Same code in Smali
.class public Lcom/amazing/app/SecretCookie;
.super Ljava/lang/Object;
.
.
.
# virtual methods
.method public verifyPrivateKey(Ljava/lang/String;)Z
.registers 3
iget-object v0, p0, Lcom/testfairy/app/SecretCookie;->privateKey:Ljava/lang/String;
invoke-virtual {v0, p1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v0
return v0
.end method

10. Let’s do this! =]
$ java -jar baksmali-2.0.6.jar FlappyBird.apk
# modify smali code #
$ java -jar smali-2.0.6.jar -o classes.dex out
$ zip FlappyBird.apk classes.dex
$ zip -d FlappyBird.apk META-INF/*
$ jarsigner -keystore ~/.android/debug.keystore
-storepass android -signedjar “patched.apk”
“FlappyBird.apk” “androiddebugkey”

11. Demo Time ™ !

13. Let’s shove an entire sdk!

15. Demo Time ™ !
(two apps, one dex)

16. What’s next?
● Changing resources
(images, texts)
● 3rd Party APIs (Google
Maps and Facebook)
● Modifying
AndroidManifest.xml

17. Linkz!
smali/baksmali
https://github.com/JesusFreke/smali
apktool
https://ibotpeaches.github.io/Apktool

18. Looking For Your Next Challenge?
https://www.testfairy.com/jobs/