[security_android] Exploit of Ad for Android app code analysis




#####################################################################
# Hacking Android Apps for fun and profit
#
# Author: g13
# twitter: @g13net
# email: [email protected]
#####################################################################

##### 0x0 ToC #####

0x1 Intro
0x2 Dalvik primer
0x3 Case studies
0x4 Additional notes
0x5 Resources

##### 0x1 Intro #####

Android is a mobile OS owned by Google. Android allows developers to write applications ("apps") for the OS and distribute them through the Google Play Store. These apps can be free or paid. Free apps typically carry ads to give the developer additional revenue. This paper dives into patching disassembled Android apps for our benefit.

##### 0x2 Dalvik Primer #####

Android apps are generally written in Java. When the app is compiled, the Java bytecode is converted into Dalvik bytecode (.dex files). This conversion allows the apps to run in the Dalvik VM environment used by Android. Once an app is disassembled, we are presented with Dalvik opcodes (in smali syntax); see the example below.

## Code Snip ##

    iput-object p3, p0, Lb;->a:Ljava/io/Writer;
    .line
    and-int/lit8 v0, p2, 0x4
    if-eqz v0, :cond_0
    move v0, v2
    :goto_0
    iput-boolean v0, p0, Lb;->b:Z
    .line
    and-int/lit8 v0, p2, 0x1
    if-eqz v0, :cond_1

## End Snip ##

The if-xxx opcodes are conditional branches: if-eqz jumps when the register is zero, if-nez when it is non-zero. A label such as :cond_1 names the location in the code that is jumped to when the condition is matched. "move" copies the value of one register into another. Registers named vN are locals and pN are method parameters (p0 is "this" in an instance method), so "and-int/lit8 v0, p2, 0x4" ANDs parameter p2 with the literal 4 and the following if-eqz tests whether that flag bit is clear. For more details on the opcodes, see section 0x5 Resources for a link.

##### 0x3 Case Studies #####

##### 0x3a Coloring Book for Kids #####

App name: Coloring Book for Kids
Goal: remove ads

For this app, we don't need to dive into Dalvik code. We just have to inspect the contents of the layout files. Once the app is disassembled, look in the res/layout/main.xml file. This XML file describes where the different widgets are placed on the screen. Reviewing the file, we come across this section:

## Code Snip ##

    <RelativeLayout android:orientation="vertical" android:id="@id/colorslayout"
        android:layout_width="fill_parent" android:layout_height="fill_parent"
        xmlns:android="http://schemas.android.com/apk/res/android"
        xmlns:ads="http://schemas.android.com/apk/lib/com.google.ads">
        <GridView android:gravity="center" android:id="@id/colorview"
            android:layout_width="fill_parent" android:layout_height="fill_parent"
            android:horizontalSpacing="15.0dip" android:verticalSpacing="0.0dip"
            android:stretchMode="columnWidth" android:columnWidth="30.0dip"
            android:numColumns="auto_fit" android:layout_above="@id/colorsadmob"
            xmlns:android="http://schemas.android.com/apk/res/android" />
        <com.google.ads.AdView android:id="@id/colorsadmob"
            android:layout_width="fill_parent" android:layout_height="fill_parent"
            android:layout_alignParentBottom="true"
            ads:adUnitId="a14d5ae1ff5b91c" ads:adSize="BANNER"
            ads:testDevices="TEST_EMULATOR, TEST_DEVICE_ID"
            ads:loadAdOnCreate="true" />
    </RelativeLayout>

## End Snip ##

If we change the android:layout_width and android:layout_height attributes of the com.google.ads.AdView element to "0px", the ad is no longer visible on the screen. The only downside of this approach is that the ad code still runs, so the app still sends your information off to the ad provider (AdMob here) for statistics.
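The layout edit above is mechanical enough to script. The following Python is an added example, not code from the paper: it parses an apktool-style layout file, zeroes the dimensions of every ad view element while leaving the GridView (and everything else) untouched, and writes the file back with the original "android:" and "ads:" prefixes. The sample layout is a trimmed, constructed copy of the main.xml shown above; the set of ad view tags is an assumption that you would extend for other ad SDKs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ADS_NS = "http://schemas.android.com/apk/lib/com.google.ads"

# Register the prefixes apktool uses so the re-serialised file keeps
# "android:" and "ads:" instead of ElementTree's default ns0:/ns1:.
ET.register_namespace("android", ANDROID_NS)
ET.register_namespace("ads", ADS_NS)

# Element tags treated as ad banners. com.google.ads.AdView is the one from
# the layout above; other ad SDKs would be added here (assumption).
AD_VIEW_TAGS = {"com.google.ads.AdView"}

# Constructed sample: a trimmed copy of the res/layout/main.xml discussed above.
SAMPLE_LAYOUT = """<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:ads="http://schemas.android.com/apk/lib/com.google.ads"
    android:orientation="vertical" android:id="@id/colorslayout"
    android:layout_width="fill_parent" android:layout_height="fill_parent">
    <GridView android:id="@id/colorview"
        android:layout_width="fill_parent" android:layout_height="fill_parent"
        android:numColumns="auto_fit" android:layout_above="@id/colorsadmob" />
    <com.google.ads.AdView android:id="@id/colorsadmob"
        android:layout_width="fill_parent" android:layout_height="fill_parent"
        android:layout_alignParentBottom="true"
        ads:adUnitId="a14d5ae1ff5b91c" ads:adSize="BANNER"
        ads:loadAdOnCreate="true" />
</RelativeLayout>
"""


def _attr(name):
    """Fully qualified ElementTree key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def collapse_ad_views(layout_xml, ad_tags=AD_VIEW_TAGS):
    """Set layout_width/layout_height to 0px on every ad view element.

    Returns (patched_xml, ids_of_patched_views). Every other view, including
    the GridView that sits above the banner, is left exactly as it was.
    """
    root = ET.fromstring(layout_xml)
    patched = []
    for elem in root.iter():
        if elem.tag not in ad_tags:
            continue
        elem.set(_attr("layout_width"), "0px")
        elem.set(_attr("layout_height"), "0px")
        patched.append(elem.get(_attr("id"), "<no id>"))
    return ET.tostring(root, encoding="unicode"), patched


def view_size(layout_xml, view_id):
    """Return (layout_width, layout_height) of the view whose android:id is view_id."""
    for elem in ET.fromstring(layout_xml).iter():
        if elem.get(_attr("id")) == view_id:
            return elem.get(_attr("layout_width")), elem.get(_attr("layout_height"))
    raise KeyError(view_id)


if __name__ == "__main__":
    out, ids = collapse_ad_views(SAMPLE_LAYOUT)
    print("collapsed ad views:", ids)
    print(out)
```

Run it over the decoded res/layout/*.xml files, then rebuild and re-sign the APK (the paper does not cover that step). The script changes only the ad element, which is the point: zeroing the GridView as well would hide the colour palette together with the banner.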
The changed layout looks like this. Only the AdView's dimensions change; the GridView keeps fill_parent, otherwise the colour palette disappears along with the ad:

## Code Snip ##

    <RelativeLayout android:orientation="vertical" android:id="@id/colorslayout"
        android:layout_width="fill_parent" android:layout_height="fill_parent"
        xmlns:android="http://schemas.android.com/apk/res/android"
        xmlns:ads="http://schemas.android.com/apk/lib/com.google.ads">
        <GridView android:gravity="center" android:id="@id/colorview"
            android:layout_width="fill_parent" android:layout_height="fill_parent"
            android:horizontalSpacing="15.0dip" android:verticalSpacing="0.0dip"
            android:stretchMode="columnWidth" android:columnWidth="30.0dip"
            android:numColumns="auto_fit" android:layout_above="@id/colorsadmob"
            xmlns:android="http://schemas.android.com/apk/res/android" />
        <com.google.ads.AdView android:id="@id/colorsadmob"
            android:layout_width="0px" android:layout_height="0px"
            android:layout_alignParentBottom="true"
            ads:adUnitId="a14d5ae1ff5b91c" ads:adSize="BANNER"
            ads:testDevices="TEST_EMULATOR, TEST_DEVICE_ID"
            ads:loadAdOnCreate="true" />
    </RelativeLayout>

## End Snip ##

##### 0x3b Solitaire #####

App name: Solitaire by MobilityWare
Goal: remove ads

To remove the ads from this app, we'll have to modify some Dalvik code. Whenever a new round is dealt, an ad screen pops up for the user. The user then has to "dismiss" the ad before being returned to the game. I first started grepping through the smali files looking for common keywords: displayAd, viewAd, getAd. I came across the following line in the com/mobilityware/solitaire/Solitaire.smali file:

## Code Snip ##

    invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z

## End Snip ##

The "invoke-virtual" opcode calls a virtual method. In this case it is calling the displayAd method of com/mobilityware/solitaire/AdControl; the trailing Z in the descriptor means the method returns a boolean.
If we comment out this call, the ads are not displayed:

## Code Snip ##

    #invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z

## End Snip ##

One check before reassembling: if the invoke had been followed by a move-result that consumes the boolean, that instruction would have to be removed or replaced with "const/4 v0, 0x0" as well, because the Dalvik verifier rejects a move-result that is not immediately preceded by an invoke and the whole method then fails to load.

##### 0x3c Chess Free #####

App name: Chess Free by AI Factory
Goal: remove ads

The ads in Chess Free are displayed while the user is playing the game. Chess Free uses a different ad engine than the previous apps. For this app, I decided to take a different approach: prevent the ad system from receiving ads. After running logcat on the phone, I noticed there were calls to "AdRequestWebView" being made. After grepping through the files, in google/ads/c.smali I found the following lines of code:

## Code Snip ##

    :try_start_0
    iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;

    if-eqz v0, :cond_0

    iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b;

    if-nez v0, :cond_1

    :cond_0
    const-string v0, "AdRequestWebView was null while trying to load an ad."

    invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V

    sget-object v0, Lcom/google/ads/AdRequest$ErrorCode;->INTERNAL_ERROR:Lcom/google/ads/AdRequest$ErrorCode;

## End Snip ##

In the above code, there is a test on v0 to see if it is zero (that is, the WebView field is null), and if so execution jumps to :cond_0. At :cond_0 the function reports that the ad could not load and selects the INTERNAL_ERROR code; this seems a great place to introduce some of our own logic! If we set v0 to 0 before the if-eqz is reached, the :cond_0 section is always hit. We can introduce this value with the "const" instruction: we insert "const v0, 0x0" before the "if-eqz v0, :cond_0" statement to ensure that :cond_0 is taken regardless of whether the WebView exists.
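Both smali patches, commenting out the displayAd() call in 0x3b and forcing the if-eqz branch in 0x3c, can be applied by script rather than by hand in an editor. The Python below is an added example and not part of the paper; it works on the text of a .smali file, and the two fragments it runs on are constructed to resemble the case studies (the enclosing dealNewRound() method, the adControl field and the pauseForAd() call are made up for the sample). It also handles the edge case the 0x3b text warns about: a move-result that consumes the removed call's return value is replaced by a zero constant instead of being left dangling.

```python
import re

# invoke-* line: captures (indent, opcode, register list, method reference).
INVOKE_RE = re.compile(
    r"^(\s*)(invoke-(?:virtual|super|direct|static|interface)(?:/range)?)\s+"
    r"\{([^}]*)\},\s*(\S+)\s*$"
)
MOVE_RESULT_RE = re.compile(r"^(\s*)(move-result(?:-wide|-object)?)\s+([vp]\d+)\s*$")
IF_EQZ_RE = re.compile(r"^(\s*)if-eqz\s+([vp]\d+),\s*(:\w+)\s*$")

# Constructed smali modelled on the two case studies above, not the real
# decompiled apps. The method name, the adControl field and pauseForAd()
# are invented so the fragment is self-contained.
SOLITAIRE_SMALI = """\
.method private dealNewRound()V
    .locals 1

    iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;->adControl:Lcom/mobilityware/solitaire/AdControl;

    invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z

    move-result v0

    if-eqz v0, :cond_0

    invoke-direct {p0}, Lcom/mobilityware/solitaire/Solitaire;->pauseForAd()V

    :cond_0
    return-void
.end method
"""

ADS_SMALI = """\
    :try_start_0
    iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;

    if-eqz v0, :cond_0

    iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b;

    if-nez v0, :cond_1

    :cond_0
    const-string v0, "AdRequestWebView was null while trying to load an ad."
"""


def stub_out_invoke(smali, method_ref):
    """Comment out every call to method_ref (the 0x3b technique).

    If the call's result is consumed by a following move-result, that
    instruction is replaced by a zero constant (false / null / 0) in the same
    register: the Dalvik verifier rejects a move-result that is not directly
    preceded by an invoke, so deleting only the call would fail the method.
    """
    lines = smali.splitlines()
    out, i = [], 0
    while i < len(lines):
        m = INVOKE_RE.match(lines[i])
        if not (m and m.group(4) == method_ref):
            out.append(lines[i])
            i += 1
            continue
        out.append(f"{m.group(1)}# patched out: {lines[i].strip()}")
        i += 1
        while i < len(lines) and not lines[i].strip():  # keep blank lines
            out.append(lines[i])
            i += 1
        mr = MOVE_RESULT_RE.match(lines[i]) if i < len(lines) else None
        if mr:
            const = "const-wide/16" if "wide" in mr.group(2) else "const/4"
            out.append(f"{mr.group(1)}{const} {mr.group(3)}, 0x0    # patched: was {lines[i].strip()}")
            i += 1
    return "\n".join(out) + "\n"


def force_branch(smali, label):
    """Insert 'const/4 vN, 0x0' before every 'if-eqz vN, label' (the 0x3c technique).

    The branch is then always taken. Only an existing register is written, so
    the method's .locals/.registers count stays valid. Returns
    (patched_smali, number_of_patched_sites).
    """
    out, count = [], 0
    for line in smali.splitlines():
        m = IF_EQZ_RE.match(line)
        if m and m.group(3) == label:
            out.append(f"{m.group(1)}const/4 {m.group(2)}, 0x0    # patched: force jump to {label}")
            out.append("")
            count += 1
        out.append(line)
    return "\n".join(out) + "\n", count


if __name__ == "__main__":
    print(stub_out_invoke(SOLITAIRE_SMALI, "Lcom/mobilityware/solitaire/AdControl;->displayAd()Z"))
    print(force_branch(ADS_SMALI, ":cond_0")[0])
```

const/4 is the narrow encoding for small literals; the paper's "const v0, 0x0" assembles just as well. Apply force_branch only to the label you have identified by reading the method, since it rewrites every if-eqz that targets that label in the text you hand it.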
See the patched code below:

## Code Snip ##

    :try_start_0
    iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;

    const v0, 0x0

    if-eqz v0, :cond_0

    iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b;

    if-nez v0, :cond_1

    :cond_0
    const-string v0, "AdRequestWebView was null while trying to load an ad."

## End Snip ##

Now, with the value introduced, the ads do not load during the game. The inserted const writes only to v0, an existing local register, so the method's .locals/.registers count does not need to change; the iget-object into v0 just above it simply becomes dead code.

##### 0x4 Additional Notes #####

This paper did not discuss how to disassemble an Android application and reassemble it after the changes have been made. There are numerous resources available that discuss how to reverse engineer Android applications. In the resources section I have included a link to a tool which makes the job easier. Keep in mind that a rebuilt APK has to be signed with your own key before it will install, and because it no longer carries the developer's signature it cannot be updated over the store version.

##### 0x5 Resources #####

http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html -- Dalvik VM opcode reference
http://www.virtuousrom.com/p/ten-studio.html -- Virtuous Ten Studio

Source: http://www.exploit-db.com/papers/21325/
