Yes, hacking your app is THAT easy! - Part 1 (Android File System Analysis)

Have you ever been playing a game on your phone and thought, 'I wish I had more lives in this game!' or 'I wish I could get unlimited coins!'?  Have you thought, 'There has to be a way to do this without paying for it!'?  Chances are, there is a way to "hack" your app to make it do what you want.  This post begins a series of posts on tips for hacking your apps.

(Legal Disclaimer:  I am not advocating you not paying for apps.  The developers work hard and should be paid.  This is for research purposes only and should not be used in malicious ways.  I am not responsible for you screwing up your phone or breaking things.  You do so at your own risk.)

We will start by looking at Android file system analysis.  In future posts we will look at the same from an iOS perspective, as well as network analysis and source code analysis on both Android and iOS.

To start, we need access to the Android file system.  There are multiple ways to do this, but I will attempt to cover the harder way.  If you have root access, chances are you know enough to get access to the file system and that makes things easy.  If you do not have root access, then this post will walk you through gaining access to application files.

Android has a set of options designed for people who develop apps or who want more information about their device.  These are called 'Developer Options' and are hidden by default.  There is one option we need to enable to gain access: 'Android debugging'.  This allows us to perform the steps necessary to reach the file system.

Once Android debugging is enabled, we can plug our device into our computer.  There are a few prerequisites before we can gain access: we need the Android SDK, which includes a tool called ADB (Android Debug Bridge), and the drivers for our device.

The first thing to do is check that our computer recognizes the device.  Open a command prompt and type:
adb devices
You should see output listing the device ID and device name.

Once you have verified that your phone is connected and recognized, we will back up the application we want to analyze.


  1. Determine the package name of the application you are analyzing
    1. Type 'adb shell'
    2. Type 'pm list packages' (if you know the package name, or part of it, add it after packages to filter the list, e.g. 'pm list packages king')
    3. Take note of the package name (com.king.candycrushsaga)
    4. Type 'exit' to leave the adb shell
  2. Perform the backup
    1. Type 'adb backup -f cc.ab com.king.candycrushsaga' (the -f option lets you specify the backup file name; if it is omitted, the file is named backup.ab)
    2. Unlock your phone and tap 'Backup my data'
    3. When the backup is complete, a brief message (Backup completed) appears on the device screen
  3. Install Android Backup Extractor (abe) and extract the backup
    1. Download abe from here
    2. Extract it to a location of your choosing
    3. From that directory, run 'java -jar abe.jar unpack cc.ab cc.tar'
  4. Use Cygwin (on Windows) or a Linux command line to extract the contents of the .tar file and save a list of the files in the archive (used later when re-packing the application)
    1. 'tar -xvf cc.tar' (extracts cc.tar under an Apps folder)
    2. 'tar -tf cc.tar > fileList.txt' (writes the list of files in the archive to a file named fileList.txt)
  5. Review the extracted file system to look for vulnerabilities (I will not cover this specifically, but there are often files that, when modified, unlock features you did not have before.  There are also times that passwords or other sensitive information may be found.  Take a look around and see what you find!)
  6. Re-archive (tar) the files
    1. 'cat fileList.txt | pax -wd > new.tar' (reads the file paths from fileList.txt and writes them, in that order, into new.tar)
  7. Package the tar into a backup file so you can restore it
    1. From the abe directory, run 'java -jar abe.jar pack new.tar new.ab'
  8. Restore the new backup file
    1. 'adb restore new.ab'
    2. Unlock your phone and tap 'Restore my data'
From here, you can open your app and see what your changes did.  Maybe you got some lives in your game, or unlocked extra levels or vehicles.

All it takes is a little analysis.  Performing these steps multiple times and checking what changes each time will help you figure out what to change to achieve your desired results.  Happy Hacking!
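As an added example (not code from the original post), here is what the unpack half of step 3 does, in Python: it parses the .ab header that abe.jar reads and turns an unencrypted backup back into the .tar that step 4 lists. The package name and shared-prefs file inside the sample backup are constructed placeholders.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data):
    """Return (fields, payload_offset) for an adb backup blob.

    The .ab header is four newline-terminated ASCII lines: the magic string,
    the format version, a compression flag (1 = zlib-deflated tar) and the
    encryption scheme ("none" or "AES-256").
    """
    if not data.startswith(MAGIC):
        raise ValueError("not an adb backup file (bad magic)")
    offset = len(MAGIC)
    fields = {}
    for name in ("version", "compressed", "encryption"):
        end = data.index(b"\n", offset)
        fields[name] = data[offset:end].decode("ascii")
        offset = end + 1
    return fields, offset


def unpack_ab(data):
    """Convert an unencrypted .ab blob to raw tar bytes (what 'abe.jar unpack' does)."""
    fields, offset = parse_ab_header(data)
    if fields["encryption"] != "none":
        # Password-protected backups need key derivation and AES; not handled here.
        raise ValueError("encrypted backup (%s) not supported" % fields["encryption"])
    payload = data[offset:]
    return zlib.decompress(payload) if fields["compressed"] == "1" else payload


def list_tar_members(tar_bytes):
    """List archive entries in order, the same list 'tar -tf' prints in step 4."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def make_sample_ab(compressed=True):
    """Build a tiny constructed backup: one shared-prefs file for a placeholder
    package, laid out like a real backup (apps/<package>/sp/...)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        body = b'<map><int name="lives" value="5" /></map>\n'
        info = tarfile.TarInfo("apps/com.example.game/sp/state.xml")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    tar_bytes = buf.getvalue()
    header = MAGIC + b"1\n" + (b"1\n" if compressed else b"0\n") + b"none\n"
    return header + (zlib.compress(tar_bytes) if compressed else tar_bytes)


if __name__ == "__main__":
    blob = make_sample_ab()
    print(parse_ab_header(blob)[0])
    print(list_tar_members(unpack_ab(blob)))
```

An empty archive after unpacking usually means the app opted out of backups with android:allowBackup="false" in its manifest, which is also the developer-side mitigation for this whole technique.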
