The first step is go get an APK package from the app to be changed.
If it is an app on the PlayStore, the following website can be used:
Or if open source solution a tool to download here:
Info taken from: https://stackoverflow.com/questions/12370326/decompile-an-apk-modify-it-and-then-recompile-it Info taken from: https://stackoverflow.com/questions/43111057/differences-between-apktool-and-baksmali
[!NOTE] When searching for APK decompilation and recompilation, you will stumble upon two different tools. One of them is baksmali, which is only for decompiling the DEX files inside the APK. DEX files contain only the code of the app. The other tool is called apktool. This tool is capable of unpacking and repacking APK files, including resource files, binary files, etc. apktool can also decompile and recompile the DEX files to and back from smali, by using baksmali under the hood. Although you can use baksmali directly, it is more work than apktoolt, so our tool of choice will be apktool.
Install apktool: https://apktool.org/docs/install
When you have your APK file ready, you can start to generate the editable smali code from the APK by executing:
apktool d some_app.apk
This will produce a folder with the same name as the APK, where all the app content and decompiled smali code resides in.
Note: If you get an out of memory error (Exception in thread "main" java.lang.OutOfMemoryError: Java heap space), you have to increase the JAVA_HEAP_SIZE.
Info taken from: https://stackoverflow.com/questions/880855/increase-the-java-heap-size-permanently
To tell Java it should use a maximum memory of 16GB, execute:
export _JAVA_OPTIONS="-Xmx16g"
Then execute apktool again and see if it works. The needed maximum memory apparently depends on the size of the APK to be decompiled.
To efficiently work with smali code, I recommend using Visual Studio Code or VSCodium with a few extensions installed. It is possible to use any other text editor, but it is generally harder to find relevant spots in the code because there is usually no smali syntax highlighting and advanced navigation support available.
Install either Visual Studio Code or VSCodium on your machine:
Install the following extensions:
Open the smali code folder and check if the extensions work correctly:
To be able to debug a running instance of the app using the smali code in Visual Studio Code, we have to set up the configuration for ASD first.
Inside Visual Studio Code, Go to Run -> Add configuration to create a new launch.json file. Fill the contents with the following template:
{
"version": "0.2.0",
"configurations": [
{
"type": "ASD",
"request": "launch",
"name": "Smali Launch",
"packageName": "com.company.someapp",
"mainActivity": "com.company.someapp.MainActivity",
"deviceId": "12345678",
"workDir": "${workspaceFolder}"
}
]
}
Now you have to fill some information about the app and the device.
For the device id you need to turn on and connect your device first. You also have to enable USB or Wireless debugging on the device itself in the developer settings, so your computer can access the device. Allow the connection to your computer if asked on the device.
Build number setting and repeatedly tap many times on it to unlock the developer options. On work devices, this setting could be disabled by your IT for security reasons.adb installed. If not, install it: https://developer.android.com/tools/adbadb devices to list all connected devices. You have to select to correct one if multiple devices are present.device and not as unauthorized. If it lists unauthorized you have to manually allow the debug connection on the device.adb devices command to the deviceId in the launchSettings.json in Visual Studio Codeadb shell to enter the device via a shell environment and then execute either pm list packages -f to list all installed packages or if your want to search for a specifiy string inside the package name: pm list packages -f | grep someapp. Use exit to close the shell environment to the device.packageName field in the launchSettings.json
AndroidManifest.xml of your app code you will find a node starting with <application.android:name attribute.<application android:name="com.company.someapp" ...> the app name would be com.company.someapp.packageName.mainActivity field in the launchSettings.json file needs to be filled with the name of the MainActivity of the app to be debugged. You can find this in the AndroidManifest.xml when you search for android:targetActivity and take the name from the attribute android:targetActivity of the <activity-alias node or if there is no such alias node and you have an <activity, take itsandroid:name. value. Which one you need depends on the app.[!NOTE] By pressing
F5while in Visual Studio Code, you should be able to launch an installed app and attach the debugger to it. Since we didn't create and install our repackaged app yet on the device, it is not going to work at the moment with the error codeFailed to continue: launch the application failed. Your setup itself should be complete now and you can continue this guide.
We are now ready to start analyzing, understanding and modifying our app.
But wait! Even though smali code is considered human readable, it is not as trivial to understand as high languages like Kotlin or Java. Smali is representation of the underlying bytecode, which is run by the Android Runtime (ART). This code uses system calls on a lower level and deals with some constructs that are not present in higher languages. This means that the smali code of an app is generally more verbose than its Kotlin or Java equivalent.
These few things are of help to understand the basics of smali code:
If you need to patch a specific thing in the app, several strategies can be useful to find what you need:
Although smali code can be understood by humans, it is a tedious process to understand the inner workings of an app using only the smali representation of the app. For this instance it is possible to get an even more human-readable version of the app code through further decompilation. The following tools can be used to generate a java representation of the source code. Keep in mind that this code CANNOT be converted back to smali code or even a working APK:
With the help of AI we can get a better understanding of the obfuscated smali code.
There are many different options for AI tools available. A few ones are presented here that are free and generally do a great job at searching and explaining a smali codebase.
These tools can be installed in Visual Studio Code or other IDEs.
Codeium is an AI assistant which can be configured to have the whole codebase in its context. This makes it a powerful tool to search for methods, strings, etc. in an obfuscated and complex codebase.
Search Max Workspace File Count to 0. This will unlock the "unlimited" contextEnable Search to true. This enables the model to access the whole codebaseEnable Config->Edit in settings.json to open the settings.json file. Verify that the configuration looks like the following:{
"codeium.searchMaxWorkspaceFileCount": 0,
"codeium.enableSearch": true,
"codeium.enableConfig": {
"*": true,
"smali": true
}
}
One possibility is to query a snippet of code:
Another possibility is to ask a question where to find or explain certain things in the codebase:
Give a summary over the AndroidManifest.xml present in the codebaseFrom which company is this app?What is the intent of this app?How is the app structured?Where is the entrypoint of the app?This app has the purpose of doing xy. Where in the code does xy happen?Where in the code is xy?Give a hypothetical call stack of how the xy method would be calledWhat purpose has xy.smali? What is a better name for it?What external dependencies does this code have? Provide a full listWhere in the code is the user login? And to which API does it authenticate against?What are the files for in smali/androidx/xy?CodiumAI is more specialized into exlaining snippets of code. It really shines when marking a method or a whole file and asking it to explain what is happening in there. It generally can give a more detailed explanation of which values are used and why.
Install CodiumAI in Visual Studio Code from: (https://www.codium.ai/)
No further setup is required.
One possibility is to query a snippet of code:
Continue this chat to ask further questions. Some useful prompts you can give it are:
What is a better name for this method?From where is this code called from?Explain all registers in this methodOn which line is variable xy defined?References and find the actual file or snippet used to find the given informationA good option to get output from an app is by planting additional debug logs into the app. We have to find a good location for that first, for example after a method returns a value.
The following snippet defines writes a String to the debug log, which then can be observed with logcat:
# Define a custom log tag
const-string v8, "some-tag"
# Convert an Integer type to String
invoke-static {v1}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v9
# Invoke Log.d(logTag, message) / Debug Log
invoke-static {v8, v9}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
[!NOTE] Notice that
v8andv9have to be valid registers inside the current method. For example, if a method return should be logged, a value incremented by one from the method return value should work.
When you are done with your modifications or if you just want to be able to debug the application, you can generate the new (unsigned) APK using:
apktool b [folder name] -o some_app_modified.apk
This APK cannot be installed yet. You need to sign it first in the next step.
Info taken from: https://github.com/patrickfav/uber-apk-signer
To be able to install the APK on an actual Android device, it needs to be signed. We can use the default debug keys to do that using Uber Apk Signer. Download the Uber Apk Signer JAR file from https://github.com/patrickfav/uber-apk-signer/releases/latest and place it next to the unsigned APK file.
With the following command you can now automatically sign the APK with the default debug keys:
java -jar uber-apk-signer.jar --apks /path/to/apks
The output will be of the format some_app-aligned-debugSigned.apk and it can be installed on an Android device.
With the command adb install some_app-aligned-debugSigned.apk you can install the APK directly on the device without bringing the APK package to the Android device over detours.
To start an app on a device connected with adb:
adb shell am start -n <packageName>/<packageName>.<activityName>
The packageName and the activityName are needed to start an app through adb on Android. You can check the debugging setup instructions earlier how to get to these values.
Example for starting an app on a device though adb:
adb shell am start -n com.company.some/com.company.some.MainActivity
When an Android device is connected through USB or WiFi debugging, it is possible to get the log stream from the attached computer.
To get ALL logs (including system logs):
adb logcat
This will probably flood your screen with unnecessary messages, so we can filter this a little more.
To filter only for logs of exactly one level (in this example Debug):
adb logcat | grep " D "
To filter only for logs above a certain level (in this example Debug):
adb logcat *:D
The Log levels are:
VDIWETo filter for app logs (exclude system logs)
adb logcat | grep "app="
To filter for only a specific app, use:
adb logcat | grep "app=com.company.someapp"
Note, that com.company.someapp is the app name which is also defined in the AndroidManifest.xml file
As an example we can also combine these filters and get all Errors from our app:
adb logcat | grep "app=com.company.someapp" | grep " E "
Taken from: https://stackoverflow.com/questions/20879950/how-to-debug-smali-code-of-an-android-application
To be able to debug the app you first have to install the signed APK on the device. You also need to follow the instructions in Set up smali Debugger to setup the ASD extension.
When trying to use the F5 key to debug the app, there can be several issues. Make sure you followed the setup instructions earlier so you have your packageName, mainActivity and deviceId set correctly.
Issues with debuggable flag: In the AndroidManifest.xml, try to add android:debuggable="true" to the <application node. For example: <application android:debuggable="true" ...>. This will enable the debug mode for this app. Make sure to remove this flag again if you want to release a patched version of the app.
Some people reported that if the app defines a custom process name which is conflicting with another app on the device, the app cannot be debugged. In that case, open theAndroidManifest.xml and remove the the process name android:process=":SomeProcess" from the <application node and try if it works now. Make sure to also remove the process name from the startup script in Visual Studio Code. Be sure to re-add the process name again when you want to release a patched version of the app. Changing the process name to a non-conflicting one should also work.
For apps for which you are the owner of, you are allowed to do whatever you want with it. You can reverse engineer, make modifications, sell modified versions of the app, etc.
If you work for an organization, the organization must give you permission to reverse engineer their app to stay in legal area. Typically the following contacts can be asked:
More complex are the laws about apps from third parties.
[!WARN] The following list is incomplete and may be wrong. Consult a lawyer to be sure about the actual current laws in place.
EU and US laws are more or less the same, but nuances are different.
The US has more strict laws concerning circumvention of TPMs (Technological Protection Measures). Circumventing these is generally forbidden with a few exceptions.
TPMs include:
It is generally a good idea to check the app's terms of service and/or license agreement for a clause that says that reverse engineering is prohibited or not.
It is definitely a gray area to create a modified version of an app not owned by you without asking for permission. Always make sure to ask for an official written permission from the copyright holder, then it should be a safe situation.
Further references on the law topic: