Android App Hacking — Part 2

I’m pretty sure now that the quality of software does not increase over decades. You might also read this posting about hacking and cracking of software.

I was looking for an application which allows to synchronize my calendar with an ICS source and I found this Android app.1 It seems to provide all I need and it is offered for free by NightLabsConsulting. Although such “developers'” names arouse suspicion in my mind, I installed it nevertheless. The software basically works but of course I was not surprised as it said “20 days left for evaluation”.

How does it know that there are 20 days left even if the phone is offline? It must have stored it somewhere!

Yes, and this place was not really difficult to find. First, start `adb shell` we’d like to find out the app name. Intuitively we guess that the name might include “ics”: `ps | grep ics`. If the app is running we will find its name to be “” along with the PID. Simply kill it (`kill <pid>`). Now let’s have a look at its data files which are usually found in “/data/data”. We could search the full directory tree with `find / -name “*ics*”` and the directory “/data/data/” will be revealed. If we look into it we will find the file “databases/NLICSSync”. It is typical for Android apps to store data within SQLite database files. Thus simply try `sqlite3 databases/NLICSSync` and the `.tables` on the sqlite3 command line. It will show four different tables with intuitive names. The most intresting to me is “ICSSyncPrefs”. Look at its entries: `select * from ICSSyncPrefs;` and we will find a record which says “installationDate” and some long number. It looks like a UNIX timestamp but it is to large. Trying some simply math with it reveals that it is indeed a UNIX timestamp multiplied by 1000. Thus, it defines the miliseconds since 1st of January 1970.

Let’s guess what the software internally does for determining the evaluation period? Take the current time and subtract the value in the database and look if it is greater than the hardcoded amount of miliseconds for the evaluation period.

Let’s try to update the database with a different value and see what happens:

sqlite> update ICSSyncPrefs set value=”1800000000000″ where key=”installationDate”;