Decompile and modify an Android application

Apr 5, 2020 by Alexandre | 222 views

Mobile Device Security Secure Software Development

https://cylab.be/blog/69/decompile-and-modify-an-android-application

Usually, Android applications are written in Java (or, now, in Javascript) and compiled in a Dalvik bytecode (DEX file). Then, the bytecode is interpreted and executed by the Dalvik Virtual Machine.

Dalvik VM

Just like Java bytecode, Dalvik bytecode is easy to decompiled to Java language. It is very convenient to analyze an application, to find security issues, to understand the behaviour of the application,... On the other hand, it is not possible to decompile an Android app to Java, modify it and re-compile it. The integrity of the application is not preserved during the decompilation (dependencies, external libraries,...).

However, it is possible to modify an Android application by decompiling it to an intermediate language. This language, called smali, looks like the ASM language. This language is not very convenient to read, but with some experience, it is not so difficult to understand and manipulate the application.

We illustrate the process with a simple example: application: helloworld.apk that only displays a screen with Hello, World!.

Example application

The first step is to decompile the application. One very simple tool used to decompile Android app to smali is apktool. To decompile an application, use the following command (replace helloworld.apk by your application name):

$ apktool d helloworld.apk

The decompiled app is stored in a folder helloworld/smali/com/example/helloworld/ (com/example/helloworld is the package name of the application). Usually, the main part of the app code is in the MainActivity.smali file.

In file MainActivity.smali, it is easy to identify the line with the string Hello, World!

const string v1, "Hello, World!"

We can replace the Hello, World! by another string and save the file.

Apktool is able to rebuild the application with:

$ apktool b helloworld/

The re-compiled app will be stored in helloworld/dist/helloworld.apk

Before installing the application on a smartphone, it is necessary to sign again the application. Of course, it is not possible to sign it with the developer private key. So, we need to self-sign the application.

First, the key generation. The keytool command-line tool can generate a key to sign the application.

$ keytool -genkey -v -keystore keys/helloworld.keystore 
    -alias HelloWorld -keyalg RSA - validity 1000

The last step is to sign the application with the jarsigner command-line tool:

$ jarsigner -verbose -keystore keys/helloworld.keystore 
    helloworld/dist/helloworld.apk HelloWorld

Now, it is possible to install the application and run it on an Android device.

This simple example describes the basic methodology to modify an application. It can be generalized for bigger modification. For example, integrate a malware, a Remote Access Trojan or anything else.