Simple Android App Hacking

Software hacking has a long history, and in my opinion the past decades have shown that the quality of software in general has not improved. This is probably not true for specific projects such as the OpenBSD kernel, which is continuously improved and reviewed because it is open source and that is the goal of the project. But in general I think that software today is as bad as it was 20 years ago. The reason is that mature programmers retire at some point and rookies who believe they know everything about software start releasing it.

This is an example of “Client-side Security Doesn’t Work”, which is defined as a law of security in Russell’s book “Hack Proofing Your Network”.[1] Client-side in that sense means

  1. that the user (or the attacker) has full control over his computer system (or smartphone), and
  2. that the security mechanism is enforced solely on the client.

This will not provide security if the attacker has the time and resources. Typical examples are some kinds of offline copy protection or license key checks.

Today we look at this Android app.[2] It is a simple compass application showing the direction. You can choose a theme; some of them are free and some of them you have to purchase (see picture above). And that’s the point where it gets interesting. If you click on one of the themes that cost money, you will see it in the background with a “Buy Now” button on top (see picture on the left). All networks are disabled on the phone, and this sets my alarm bells ringing 😈 The theme must already be included in the package!

Let’s start! First I have to locate the APK. All Android apps are shipped as APK files. An APK is simply a zip file containing the whole code and all additional stuff such as images, settings, buttons, and so on. Typically they are located in one of the directories /data/app or /system/app, or possibly somewhere in the /sdcard folder. Start the `adb shell`[3] and find all APKs with the command `find / -name "*apk"`.

Copy the APK file to the /sdcard folder: `cp /data/app/com.apksoftware.compass-1.apk /sdcard`. Mount the sdcard on your computer and copy the file somewhere. Create a working directory and unzip the file: `unzip com.apksoftware.compass-1.apk`. You will find several files and directories. The most interesting things for our purpose are found in res/. Use your favorite image viewer and browse through the folders in res. All compass images are there. I would like to have the sea compass instead of the antique one. Open res/drawable-nodpi/sea_body.png in your favorite image manipulation program (which is GIMP for me), resize it to the same size as res/drawable/antique_body.png, and simply save it over the latter file.

Now zip everything again. Unfortunately, the files have to be digitally signed, and we destroyed the signature of the one image because we modified it. Thus, we have to create a new signature. A simple solution is found at xda-developers.[4] Download the file AutoSign and unzip it. Copy your new APK (the zip file previously created) to the AutoSign folder and sign it:

`java -jar signapk.jar testkey.x509.pem testkey.pk8 compass.zip compass_signed.zip`

Rename the file compass_signed.zip to compass_signed.apk. Now uninstall the original compass app on your smartphone (this is necessary because the new APK is signed with a different key than the original, and Android refuses to install it over the old one) and then install your new APK. The latter can simply be done with adb: `adb install compass_signed.apk`.
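The re-signing step hides what the signature actually protects. As an added example (not the post's own code, and independent of AutoSign), the following Python checks the digests recorded in a v1 (JAR) signed APK's META-INF/MANIFEST.MF against the zip entries, and builds a constructed mini APK with the post's file names and placeholder image bytes to show that the unzip, edit, zip-again workflow leaves a stale digest behind for the swapped image.

```python
# Added example (not from the post): why swapping one image breaks an APK's v1 (JAR)
# signature. META-INF/MANIFEST.MF lists a SHA1 digest per entry and the .SF/.RSA files
# sign that manifest, so re-zipping with the old META-INF leaves a stale digest behind.
# Only the manifest layer is checked here (not the certificate, not v2/v3 signing blocks).
import base64
import hashlib
import io
import zipfile


def b64_sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def parse_manifest(text):
    """Map entry name -> base64 SHA1 digest from a MANIFEST.MF body (no 72-byte wrapping)."""
    digests, name = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[13:]
    return digests


def check_apk(apk_bytes):
    """Return entry names whose content no longer matches the manifest digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        return [n for n in z.namelist()
                if n in expected and expected[n] != b64_sha1(z.read(n))]


def build_apk(files):
    """Constructed sample APK: the given entries plus a MANIFEST.MF that covers them."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += ["Name: " + name, "SHA1-Digest: " + b64_sha1(data), ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def repack(apk_bytes, replacements):
    """Unzip, swap entries, zip again, keeping the old META-INF (the post's workflow)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, replacements.get(name, src.read(name)))
    return buf.getvalue()
```

On a real APK, `check_apk(open("compass.zip", "rb").read())` names the swapped image; and since AutoSign's testkey is a public AOSP key, a valid signature under it says nothing about where the app came from.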

This is a very trivial hack, but it fulfills the requirements for now 🙂 Next time we start to mess with config files 😉


  1. Ryan Russell. Hack Proofing Your Network. 2002, p. 33. ISBN 1-928994-15-6.
  2. https://play.google.com/store/apps/details?id=com.apksoftware.compass
  3. adb is part of the Android SDK.
  4. http://forum.xda-developers.com/showthread.php?t=647744