I know you can decompile code using apktool and recompile it again, but my question is how would you be able to inject large amounts of code into an apk and execute it.
I see that amazon's appstore drm is doing this Im assuming, since they say they are wrapping the apk with their own code, and once you decompile that apk you see that they have added there own class com.amazon etc.
How are they acheving this?
Just for the fun of it, I downloaded an apk from the Amazon store (I never used it before tonight) and decompiled it. You won't find much in the manifest, but there's a whole folder of Amazon classes inside the smali tree. The mechanisms that Amazon uses largely exceed my very limited understanding, but I can point you to some data.
Update: the apps require the Amazon appstore apk to be installed in order to function, so the classes below uses some amazon activity to check for the drm.
Method:
$apktool d xxx.apk
$cd xxx/smali
$grep -RHin 'amazon' *
Findings:
First, you might want to take a look at
.class public Lcom/amazon/mas/kiwi/util/ApkHelpers;
with its methods:
.method public static getApkSignature(Ljava/lang/String;)[B
.method private static getCodeSigners(Ljava/util/jar/JarFile;)[Ljava/security/CodeSigner;
.method public static getContentID(Ljava/util/jar/JarFile;)Ljava/lang/String;
.method public static getContentIDFromName(Ljava/lang/String;)Ljava/lang/String;
.method private static getFirstSigningCert(Ljava/util/jar/JarFile;)Ljava/security/cert/Certificate;
.method public static isSigned(Ljava/util/jar/JarFile;)Z
.method private static scanJar(Ljava/util/jar/JarFile;)V
In the same com/amazon/mas/kiwi/util folder there are a few more classes, such as DeveloperInfo
(not that interesting), Base64
and BC1
(for checksums).
In the folder com/amazon/android/, you will find the class Kiwi
.class public final Lcom/amazon/android/Kiwi;
with a quite obvious field:
.field private final drmFull:Z
That class Kiwi is references in every original smali file in the app. Example:
.method public onCreate(Landroid/os/Bundle;)V
.locals 1
invoke-virtual {p0, p1}, Lxxx/xxxx/Xxxx;->xxxxXxxxx(Landroid/os/Bundle;)V
const/4 v0, 0x1
invoke-static {p0, v0}, Lcom/amazon/android/Kiwi;->onCreate(Landroid/app/Activity;Z)V
return-void
.end method
Conclusions:
The method involves injecting code in every class of the apk, probably through decompiling the apk, parsing each file, adding the necessary classes, and recompiling using the same key.