Reverse Engineering Android Apps — Part 2

This is only for informative purposes. It is not intended for piracy or other non-legal uses.

Dotworld Technologies
5 min read · May 22, 2020

If you haven’t read part 1, here is the link. In this part, we are going to see how to edit an Android app and rebuild it.

We are going to decompile the Aarogya Setu application developed by the Government of India and bypass its root check feature. This is simply for the sake of showing how to edit an APK.

Getting an APK

You can use any APK backup tool. Here is my approach.

  1. Install the app from the Google Play Store.
  2. Enable developer mode on your device and connect it to your computer.
  3. Use the adb command below to list your apps.

# Windows
adb shell pm list packages -f | find "aarogya"
# Linux
adb shell pm list packages -f | grep aarogya

  4. The adb pull command downloads that APK to your computer.

adb pull /data/app/nic.goi.aarogyasetu-2Pp6UC5P-7umaA7voXFilw==/base.apk .

Environment Setup

Download APK Easy Tool from here. It uses Apktool internally to decompile, recompile, and so on.

APK Easy Tool — User Interface

You can change the version of Apktool to use in the Options → General tab. Just place the jar in the “Apktool” folder and select it from the dropdown.

Changing the Apktool version

In the Options → General tab you can set the default decompile and recompile folders.

Setting up default output directories

Let’s get started

Now that we have set up our tools, head to the Main tab and click the button next to the File/folder option. Select your APK to decompile.

Select the APK

Click Decompile. APK Easy Tool will use Apktool to decompile the APK to Smali code. Once done, you can open the decompile folder we set up earlier to find the decompiled files as shown below.

Our goal is to remove the root check. If you install the Aarogya Setu application on a rooted phone, you won’t be able to get past the first page.

Alert shown when the app is opened on a rooted device

So we are going to bypass the root check. We will be using JADX, which we saw in my previous article, to ease the process. JADX shows us Java code that we can read alongside the Smali code for easier navigation.

Try searching for the text “You can’t use this application ..”; we will be lucky if the developer didn’t use strings.xml. Here the strings are hardcoded in the application, as we see in the image below.

Root check in SplashActivity, decompiled using JADX

Have a look at the above snippet from SplashActivity given by JADX. To enter the activity we need to bypass the if statement. So where does the function call go?

Source code snippet of the root check

Yes. This is it. Our root check method 😋. I just used VSCode and Ctrl+Click. It took me directly to the method. If you don’t have VSCode (install it), don’t worry: check the code and find where the method was imported from. In this case it is

import l.a.a.a.o.b.i;

Because of code minification/obfuscation, the original names are stripped out and replaced with letters. So navigate to that package and search for the method named “i”.

Now navigate to the same method in the Smali code produced by APK Easy Tool.

Corresponding Smali code for the root check

😂 Don't lose hope when you see Smali code. Just read it carefully and compare it with the decompiled Java code provided by JADX.

We need this method to return false to avoid the root check. Let’s do it.

Root check method with its return statements

Keeping only the return statements gives you this. The extra return statement is due to the || (OR) condition in the first if statement. We can see that all the return statements return 0x1 except the last one (the values are in hexadecimal).

0x1 — true
0x0 — false
(anything other than 0 is true)

As per the Java code, this method returns true if the device is rooted and false if not. Change each 0x1 to 0x0. Now the method returns false even if the device is rooted.

Save the file and go back to APK Easy Tool. Hit the Compile button. It will compile and sign our APK. The recompiled APK will be located in the folder we set earlier (2-Recompiled APKs). Install this APK and open it on a rooted phone to check.

Voilà! We just bypassed the root check.

Application after bypassing the root check
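The recompiled APK above is signed by APK Easy Tool's key rather than the developer's release key, which is exactly what an app can detect. The following is an added example, not code from this post or from the Aarogya Setu app, of a signing-certificate pin an Android developer can run at startup; it assumes minSdk 28 (for GET_SIGNING_CERTIFICATES) and EXPECTED_SHA256 is a placeholder for the real release certificate's fingerprint.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SigningCheck {
    // Placeholder: replace with the SHA-256 fingerprint (upper-case hex, no colons)
    // of the real release certificate, e.g. taken from `apksigner verify --print-certs`.
    private static final String EXPECTED_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256";

    /** Returns true only if the running APK is signed by exactly the pinned release certificate. */
    public static boolean isSignedWithReleaseKey(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            // Our release pipeline never produces multi-signer APKs, so treat them as untrusted.
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) {
                return false;
            }
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers.length != 1) {
                return false;
            }
            byte[] actual = sha256Hex(signers[0].toByteArray()).getBytes(StandardCharsets.US_ASCII);
            byte[] expected = EXPECTED_SHA256.getBytes(StandardCharsets.US_ASCII);
            // Constant-time comparison; a re-signed (repackaged) APK yields a different fingerprint.
            return MessageDigest.isEqual(actual, expected);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed
        }
    }

    /** SHA-256 of the DER-encoded signing certificate, rendered as upper-case hex. */
    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

Because this check lives inside the same APK, the Smali editing shown above can be applied to it as well, so it raises the effort needed to repackage the app rather than preventing it outright.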

Here is the link to our previous article. Let us know in the responses if you want to know more.

Stay tuned and follow us for more.😉

Written by
Naveen Sakthivel, CTO
Dotworld Technologies
https://dotworld.in
