Injecting code into APK

android code-injection apk
Faisal Abid picture Faisal Abid · Apr 29, 2011 · Viewed 15.6k times · Source

I know you can decompile code using apktool and recompile it again, but my question is how would you be able to inject large amounts of code into an apk and execute it.

I see that amazon's appstore drm is doing this Im assuming, since they say they are wrapping the apk with their own code, and once you decompile that apk you see that they have added there own class com.amazon etc.

How are they acheving this?

Answer

Aleadam picture Aleadam · May 15, 2011

Just for the fun of it, I downloaded an apk from the Amazon store (I never used it before tonight) and decompiled it. You won't find much in the manifest, but there's a whole folder of Amazon classes inside the smali tree. The mechanisms that Amazon uses largely exceed my very limited understanding, but I can point you to some data.

Update: the apps require the Amazon appstore apk to be installed in order to function, so the classes below uses some amazon activity to check for the drm.

Method:

$apktool d xxx.apk
$cd xxx/smali
$grep -RHin 'amazon' *

Findings:

First, you might want to take a look at 

.class public Lcom/amazon/mas/kiwi/util/ApkHelpers;

with its methods:

.method public static getApkSignature(Ljava/lang/String;)[B
.method private static getCodeSigners(Ljava/util/jar/JarFile;)[Ljava/security/CodeSigner;
.method public static getContentID(Ljava/util/jar/JarFile;)Ljava/lang/String;
.method public static getContentIDFromName(Ljava/lang/String;)Ljava/lang/String;
.method private static getFirstSigningCert(Ljava/util/jar/JarFile;)Ljava/security/cert/Certificate;
.method public static isSigned(Ljava/util/jar/JarFile;)Z
.method private static scanJar(Ljava/util/jar/JarFile;)V

In the same com/amazon/mas/kiwi/util folder there are a few more classes, such as DeveloperInfo (not that interesting), Base64 and BC1 (for checksums).

In the folder com/amazon/android/, you will find the class Kiwi

.class public final Lcom/amazon/android/Kiwi;

with a quite obvious field:

.field private final drmFull:Z

That class Kiwi is references in every original smali file in the app. Example:

.method public onCreate(Landroid/os/Bundle;)V
    .locals 1

    invoke-virtual {p0, p1}, Lxxx/xxxx/Xxxx;->xxxxXxxxx(Landroid/os/Bundle;)V

    const/4 v0, 0x1

    invoke-static {p0, v0}, Lcom/amazon/android/Kiwi;->onCreate(Landroid/app/Activity;Z)V

    return-void
.end method

Conclusions:

The method involves injecting code in every class of the apk, probably through decompiling the apk, parsing each file, adding the necessary classes, and recompiling using the same key.

Related questions

Is it possible to get data from HTML forms into android while using webView?

I'm making a very simple form in HTML which is viewed in android using the webview which takes in your name using a textbox and when you click on the button, it displays it into a paragraph and it's made …

Read More
Can't start Eclipse - Java was started but returned exit code=13

I am trying to get my first taste of Android development using Eclipse. I ran into this problem when trying to run Eclipse, having installed version 4.2 only minutes ago. After first trying to start Eclipse without any parameters to specify …

Read More
How do you close/hide the Android soft keyboard using Java?

I have an EditText and a Button in my layout. After writing in the edit field and clicking on the Button, I want to hide the virtual keyboard when touching outside the keyboard. I assume that this is a simple …

Read More