We break Android software. Making a paid application free

The files used to install programs and games on Android have the APK extension. Such applications can be downloaded either from the Play Market, where installation happens almost invisibly to the user, or from any third-party service, using its web or downloadable version.

You can download outside of the Play Store. There is no need to abandon the platform, but if you want to, nothing prevents you from downloading software from anywhere. Your firmware may not provide Google services at all, which matters for EMUI on Huawei and Honor devices. You can also simply remove the built-in Google Play using third-party tools such as Lucky Patcher. The process of removing system software is not the focus here; this text is devoted to downloading APKs that are listed in the built-in catalogue by means of third-party services. There are also situations where the Play Market has disappeared from an Android device or needs to be updated, and you can read about that in our other materials as well. Below we explain how to download an APK file from the Play Store in several ways.

Getting ready

To perform the steps described in this article you will need a number of tools, and the main one is Linux. Yes, many of the programs mentioned below also run on Windows, but for anything related to Android and its applications it is better not to rely on Bill's brainchild. In Linux almost everything is easier to do, the command line is far more convenient (and we will need it a lot), and some tools are simply not available for other operating systems.

After installing Linux in a virtual machine or a second system, we immediately install development tools for Java and the virtual machine. On Ubuntu this can be done with one command:

$ sudo apt-get install openjdk-7-jdk

We also need four tools for unpacking and decompiling applications:

  • Apktool - a Swiss army knife for unpacking and packing applications;
  • Jadx - a decompiler of Dalvik bytecode into Java code;
  • Baksmali - a disassembler for Dalvik code (don't be alarmed, it has little in common with a real assembler);
  • Sign - a utility for signing packages.

For convenience, let's create an Android subdirectory in our home directory and download these tools into it:

$ cd ~
$ mkdir ~/Android && cd ~/Android
$ wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.2.0.jar
$ wget https://github.com/skylot/jadx/releases/download/v0.6.0/jadx-0.6.0.zip
$ wget https://github.com/appium/sign/raw/master/dist/sign.jar
$ wget https://bitbucket.org/JesusFreke/smali/downloads/baksmali-2.1.3.jar
$ mkdir jadx && cd jadx
$ unzip ../jadx-0.6.0.zip

Add the following lines to the end of the ~/.bashrc file:

alias apktool='java -jar ~/Android/apktool_2.2.0.jar'
alias jadx-gui='~/Android/jadx/bin/jadx-gui'
alias baksmali='java -jar ~/Android/baksmali-2.1.3.jar'
alias sign='java -jar ~/Android/sign.jar'
alias javac='javac -classpath /home/j1m/Android/android-sdk-linux/platforms/android-23/android.jar'
alias dx='/home/j1m/Android/android-sdk-linux/build-tools/23.0.3/dx'

They are there so that instead of long and inconvenient commands such as java -jar ~/Android/sign.jar you can simply type sign.

App discounts

Some apps, like AppSales, monitor apps and games on Google Play and notify the user about current discounts. You can add the app you want to your watch list and then get notified when it's on sale. Of course, it's not completely free, but you get a chance to purchase the content you're interested in at a pretty good price.

Opening up the test subject

Now we need to find an application that, firstly, is not too hard to take apart and, secondly, is useful and well known. That is, we will not take the simplest software just to keep its code easy to understand; instead we will look at the top of the Play Store. An almost ideal candidate is ASAP Launcher, released two months ago: a convenient home screen with many useful and unusual functions.

First, let's go through the APK without using special tools. To do this, download the package using the APKPure service: open the application page in the Play Store, copy the URL from the address bar and paste it into the search bar on APKPure. Next, click the Download APK button and wait for the download to complete.


ASAP Launcher page on APKPure.com

Xakep #212. Secrets of the darknet

For convenience, let's rename the package to asap.apk:

$ cd ~/Downloads
$ mv ASAP\ Launcher_v1.16_apkpure.com.apk asap.apk

Unzip using unzip:

$ mkdir asap; cd asap
$ unzip asap.apk

Yes, the APK is a regular ZIP archive, but nevertheless it has a clear structure:

  • META-INF is the directory containing the MANIFEST.MF, CERT.SF and CERT.RSA files. The first two list all package files together with their checksums; the third contains the developer's public key and the digital signature of CERT.SF created with the private key. This data lets the system verify at install time that the package has not been modified and was really created by its author. It matters because the digital signature cannot be forged without the private key, so a modified package has to be signed with a different key;
  • res - application resources. Here you can find the icon (mipmap), strings (values), images (drawable) and descriptions of the application interface (layout). All of them can be modified to change the appearance of the application, but the XML files first have to be decoded: to improve performance they are stored in a binary format;
  • classes.dex - application code in the form of Dalvik virtual machine bytecode. Applications usually contain only one such file, but with the multiDex directive the developer can make the build environment split it into several smaller ones, to improve performance or to get around the limit of 65,536 methods in a single dex file;
  • AndroidManifest.xml - the application manifest, which describes its structure, including activities, services, intent handlers and so on. Again in binary XML format.

The package may also contain other directories, such as assets (any files included by the developer, in this case fonts and a database) and lib (native libraries built using the Android NDK).
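The META-INF entries described above are what the installer checks before anything else. As an added example (not code from the article or from any of the tools it uses), the following Python reproduces the first layer of that check, the per-file digests listed in MANIFEST.MF, against a constructed in-memory package. The file names and contents are made up for the demonstration, and no CERT.SF or CERT.RSA is generated, so the sample is not installable; it only shows how an archive that was modified without touching META-INF, or rebuilt with META-INF stripped, is detected.

```python
import base64
import hashlib
import io
import zipfile

# Digest headers an APK v1 (JAR-style) MANIFEST.MF may carry for each entry.
DIGEST_HEADERS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}
MANIFEST_NAME = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Parse MANIFEST.MF into {entry_name: {header: value}}; the main section is skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of a folded header line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # a blank line ends a section
            current = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            entries[current] = {}
        elif current is not None:
            entries[current][key] = value
    return entries


def check_manifest_digests(apk_bytes):
    """Compare every non-META-INF entry with its manifest digest.
    Returns a sorted list of problem strings; an empty list means the archive matches."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        if MANIFEST_NAME not in names:      # e.g. an apktool rebuild that was never signed
            return [f"missing: {MANIFEST_NAME}"]
        manifest = parse_manifest(zf.read(MANIFEST_NAME).decode())
        listed = set(manifest)
        files = {n for n in names if not n.startswith("META-INF/") and not n.endswith("/")}
        problems += [f"unlisted: {n}" for n in sorted(files - listed)]
        problems += [f"missing: {n}" for n in sorted(listed - files)]
        for name in sorted(files & listed):
            headers = manifest[name]
            header = next((h for h in DIGEST_HEADERS if h in headers), None)
            if header is None:
                problems.append(f"no digest: {name}")
                continue
            actual = hashlib.new(DIGEST_HEADERS[header], zf.read(name)).digest()
            if actual != base64.b64decode(headers[header]):
                problems.append(f"digest mismatch: {name}")
    return problems


def build_sample_apk(files):
    """Constructed sample: a minimal APK-like zip with a MANIFEST.MF that matches its
    entries. No CERT.SF/CERT.RSA is written, so this is not an installable package."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_NAME, "\r\n".join(lines) + "\r\n")
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def tamper(apk_bytes, name, new_data):
    """Rewrite one entry while leaving META-INF untouched, as a naive edit of the zip would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


# Constructed placeholder contents; a real package carries binary XML and dex here.
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<binary xml placeholder>",
    "classes.dex": b"dex\n035\x00original bytecode",
    "res/values/strings.xml": b"<binary xml placeholder>",
}

if __name__ == "__main__":
    good = build_sample_apk(SAMPLE_FILES)
    print(check_manifest_digests(good))
    bad = tamper(good, "classes.dex", b"dex\n035\x00patched bytecode")
    print(check_manifest_digests(bad))
```

check_manifest_digests only answers whether the archive matches its own manifest. A package that apktool rebuilt and sign re-signed carries a fresh, internally consistent META-INF and passes this check; what changes is the certificate in CERT.RSA, which is exactly why the original application has to be removed before a re-signed build can be installed over it. A developer or analyst deciding whether a build is genuine therefore compares the signer certificate (for example with apksigner verify --print-certs from the Android build-tools) against the developer's known key rather than trusting the digests alone.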

AppsFree 6.0

AppsFree provides an easy and fast way to discover and download paid apps, games, wallpapers and icon packs that are available for free for a limited time. Personalize your experience with advanced filter settings and you will only see the types of apps that interest you.

Telegram channel of the creator of Trashbox about technology


It's fair: AppsFree provides you with a list of paid apps that are available for free only for a limited time. We are not trying to push applications that are initially free.

Features overview:

  • Modern, intuitive design
  • Constantly updated list of applications
  • Notifications so you don't miss the latest updates
  • Advanced filter options
  • Keyword filter
  • Blacklist of developers
  • Dark theme/night mode

Application Features:

  • Only the latest data. The list of applications is constantly updated, you do not need to wait for updates every day/week.
  • Notifications. Notifications can be turned on for popular apps and specific categories according to your preferences.
  • Filter options. Use filters to personalize your list of temporarily free apps by selecting minimum downloads and ratings, or filter out apps with ads and in-app purchases.
  • Categories. Are you not interested in certain categories of apps (such as games or wallpapers)? No problem, just disable them and apps from those categories won't appear in your list.
  • Keyword filter. Use the keyword filter to exclude apps with specific keywords (such as icon pack, wallpaper, or watch face).
  • Blacklist of developers. Add developers to your personal blacklist and you won't be bothered by their apps anymore. A great solution to get rid of developers who are constantly running sales on icon packs or wallpapers if you are not interested in such content.
  • Night mode. Turn on Night Mode to save battery power when using an OLED screen and to reduce eye strain in low-light conditions.

Offers? Reviews? Leave us a comment or rating on Google Play or contact us at

Please note: prices may vary depending on your location and currency.

Learning the code

It goes without saying that simply unzipping the package is not enough. To understand how the application works, you need to decompile classes.dex.

For this we will use jadx-gui. Launch it, select asap.apk and you will see on the left a list of the Java packages included in the APK. In this case they are android.support, the official Google library that backports features of newer Android versions to older ones (for example, to get Material Design on Android 4.1); com.google.android.gms, Google Mobile Services; com.nispok.snackbar, an implementation of the Snackbar GUI element; and several others.

Java Packages

The main application code is contained in the com.citc.asap package, which is also the application's identifier in the Google Store and on the device. Opening it, we see more than a dozen directories and many Java sources. Our task is to make the application "paid" without paying for it. But how do we find the file that implements the payment check? Most likely its name contains the word billing. Going through the sources in search of it, we come across the BaseBillingFragment source in the fragments subdirectory (package):

This is a very simple Java class that has an interesting method:

protected boolean hasPrime() {
    return this.mHasPrime;
}

All it does is return the value of the mHasPrime field, but it is interesting not for that but for its name. The paid (more precisely, paid-for) version of ASAP is called Prime, and it is obvious that the hasPrime method is exactly what checks whether the application has been paid for. To confirm our guess, let's save the decompiled sources (File -> Save all) into a directory and search them for calls to hasPrime():

There are few matches, and the main "user" of hasPrime() is SettingsFragment, the source responsible for building the settings window. Considering that the Prime version differs from the free one precisely in unlocking additional settings fields, we can already be 90% sure that hasPrime() is the method we need. Most likely, this is how the application finds out whether the Prime version has been purchased. All that remains is to confirm this completely by replacing the method's code with our own.

Amazon Underground

Amazon Underground is the second most popular mobile app store after Google Play. Install the application on your smartphone or tablet and receive paid programs and games for free every day. Amazon will also notify you about available discounts.

Of course, you'll need an account for this service, which you can quickly register in the Amazon Underground app itself.

Make sure you allow installation of apps from unknown sources on your Android device. This option is found in Security Settings. Download the Amazon app store from this link and install it. Then you need to register an account. It is in the “Underground” section that there are programs and games for your gadget.

Making changes

The hasPrime() method is very simple: it returns the value of the mHasPrime field, which is of type boolean. It is easy to assume that if the application has been paid for, hasPrime() returns true, and otherwise false. Our goal is to make the method always return true so that the rest of the application believes the application has been paid for and unlocks the additional options in the settings window.

Unfortunately, this cannot be done by directly editing the source code: the decompiled sources will not compile back into an application. However, nothing stops us from disassembling the code, making changes and reassembling it. This is where apktool comes in. Let's disassemble the APK:

$ apktool d -r asap.apk

An asap subdirectory will appear in the current directory. Open the file asap/smali/com/citc/asap/fragments/BaseBillingFragment.smali and find hasPrime(). The method declaration will look like this:

.method protected hasPrime()Z
    .locals 1
    .prologue
    .line 167
    iget-boolean v0, p0, Lcom/citc/asap/fragments/BaseBillingFragment;->mHasPrime:Z
    return v0
.end method

This is a disassembled listing, and, as you can see, it is an order of magnitude simpler than the disassembled code of native applications. In general, everything here is trivial:

  • .method protected hasPrime()Z - declares a protected method that returns a value of type boolean (Z);
  • .locals 1 - tells the virtual machine that the method uses one local register (here it holds the return value);
  • .prologue and .line 167 - directives needed for debugging; they do not affect execution;
  • iget-boolean v0, p0 ... - reads a boolean field and writes its value into register v0; register p0 is parameter zero, which in an instance method is always the reference to the current object (this);
  • return v0 - returns the value of register v0;
  • .end method - closes the body of the method.

Now we must change this method so that it returns true regardless of the value of the mHasPrime field. We could do this manually, but it's easier to write a new method in Java:

public class Test {
    // Same access modifier as the original method, so the disassembled
    // declaration matches the one we are replacing.
    protected boolean hasPrime() {
        return true;
    }
}

And run it through the compiler and disassembler:

$ javac Test.java
$ dx --dex --output=Test.dex Test.class
$ baksmali Test.dex

The output is the following assembly code:

.method protected hasPrime()Z
    .registers 1
    const v0, 1
    return v0
.end method

As you have probably guessed, it loads the constant 1 into register v0 and returns it (in Dalvik, boolean is represented as an int that can be 1 - true or 0 - false). All that remains is to put this code in place of the original and assemble the package back:

$ apktool b asap

The package will appear in the asap/dist directory. Let's rename it so as not to get confused:

$ mv asap/dist/asap.apk asap-fake-hasPrime.apk

And sign with the test key:

$ sign asap-fake-hasPrime.apk

The result is the file asap-fake-hasPrime.s.apk. All that remains is to copy it to the memory card and install it, after first removing the original application.
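Seen from the other side, the edit just made is exactly what an application's developer or an analyst looks for when a redistributed build is suspected of being patched. The following Python is an added example, not part of the article or of the tools it uses: it parses two smali listings, the article's original hasPrime() and its patched version, plus a constructed onCreate() method whose two copies differ only in a debug directive; it pairs methods by name and descriptor, reports bodies whose executable instructions differ, and flags the "load a constant, return it" shape that replaces a real check.

```python
import re

# Directives that carry only debug or metadata information (the article's .prologue
# and .line 167 are examples); they are ignored when comparing method bodies.
DEBUG_DIRECTIVES = {".line", ".prologue", ".epilogue", ".local", ".end", ".restart",
                    ".param", ".source"}
# const, const/4, const/16 and const/high16 with a register and an integer literal.
CONST_RE = re.compile(r"^const(?:/4|/16|/high16)?\s+(v\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)$")


def parse_methods(smali):
    """Map 'name(descriptor)' to the list of executable lines of that method."""
    methods, key, body = {}, None, []
    for raw in smali.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(".method "):
            key = line.split()[-1]          # drop access flags, keep name + descriptor
            body = []
        elif line == ".end method":
            methods[key] = body
            key = None
        elif key is not None and line.split()[0] not in DEBUG_DIRECTIVES:
            body.append(line)
    return methods


def diff_methods(original, suspect):
    """Return {method: (original_body, suspect_body)} for every method whose executable
    body differs; a method present on one side only has None for the other side."""
    a, b = parse_methods(original), parse_methods(suspect)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def returns_constant(body):
    """If the body is just 'load a constant into a register and return it', return that
    constant, otherwise None. This is the shape a bypassed boolean check takes."""
    insns = [l for l in (body or []) if not l.startswith(".")]
    if len(insns) != 2:
        return None
    m = CONST_RE.match(insns[0])
    if m and insns[1] == f"return {m.group(1)}":
        return int(m.group(2), 0)
    return None


def report(original, suspect):
    """One human-readable line per changed method."""
    lines = []
    for name, (old, new) in diff_methods(original, suspect).items():
        if old is None:
            lines.append(f"{name}: added in suspect build")
        elif new is None:
            lines.append(f"{name}: removed from suspect build")
        else:
            const = returns_constant(new)
            note = f"now unconditionally returns {const}" if const is not None else "body differs"
            lines.append(f"{name}: {note}")
    return lines


# Constructed sample listings: hasPrime() as shown in the article, onCreate() made up
# for contrast (its two copies differ only in a .line directive).
ORIGINAL = """\
.method protected hasPrime()Z
    .locals 1
    .prologue
    .line 167
    iget-boolean v0, p0, Lcom/citc/asap/fragments/BaseBillingFragment;->mHasPrime:Z
    return v0
.end method

.method public onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/support/v4/app/Fragment;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
"""

SUSPECT = """\
.method protected hasPrime()Z
    .registers 1
    const v0, 1
    return v0
.end method

.method public onCreate(Landroid/os/Bundle;)V
    .locals 0
    .line 42
    invoke-super {p0, p1}, Landroid/support/v4/app/Fragment;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
"""

if __name__ == "__main__":
    for line in report(ORIGINAL, SUSPECT):
        print(line)
```

Run over whole apktool output trees, the same comparison (one parse per .smali file, keyed by class path plus method) tells a vendor which methods a modified build actually touched, which is the starting point for deciding what the bypassed check protected and whether that decision should have been made on the device at all.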


ASAP Launcher settings before...


...and after the modification

Conclusions

It is very, very easy to hack an Android app. Yes, I will not argue that we came across a convenient and simple example for modification, but again, I repeat: this is a very popular application that was covered on most sites dedicated to Android.

Most other applications are just as easy to open, but there are a sufficient number of copies that have passed through obfuscators and various security systems. With them, everything is somewhat more complicated, and the third article in the series will be devoted to such applications. In the second article, we'll look at how to use the same modification method to inject your own code.
