Apr 5, 2020 by Alexandre Croix | 4127 views
Just like Java bytecode, Dalvik bytecode is easy to decompiled to Java language. It is very convenient to analyze an application, to find security issues, to understand the behaviour of the application,... On the other hand, it is not possible to decompile an Android app to Java, modify it and re-compile it. The integrity of the application is not preserved during the decompilation (dependencies, external libraries,...).
However, it is possible to modify an Android application by decompiling it to an intermediate language. This language, called smali, looks like the ASM language. This language is not very convenient to read, but with some experience, it is not so difficult to understand and manipulate the application.
We illustrate the process with a simple example: application: helloworld.apk that only displays a screen with Hello, World!.
The first step is to decompile the application. One very simple tool used to decompile Android app to smali is apktool. To decompile an application, use the following command (replace helloworld.apk by your application name):
$ apktool d helloworld.apk
The decompiled app is stored in a folder helloworld/smali/com/example/helloworld/ (com/example/helloworld is the package name of the application). Usually, the main part of the app code is in the MainActivity.smali file.
In file MainActivity.smali, it is easy to identify the line with the string Hello, World!
const string v1, "Hello, World!"
We can replace the Hello, World! by another string and save the file.
Apktool is able to rebuild the application with:
$ apktool b helloworld/
The re-compiled app will be stored in helloworld/dist/helloworld.apk
Before installing the application on a smartphone, it is necessary to sign again the application. Of course, it is not possible to sign it with the developer private key. So, we need to self-sign the application.
First, the key generation. The keytool command-line tool can generate a key to sign the application.
$ keytool -genkey -v -keystore keys/helloworld.keystore -alias HelloWorld -keyalg RSA - validity 1000
The last step is to sign the application with the jarsigner command-line tool:
$ jarsigner -verbose -keystore keys/helloworld.keystore helloworld/dist/helloworld.apk HelloWorld
Now, it is possible to install the application and run it on an Android device.
This simple example describes the basic methodology to modify an application. It can be generalized for bigger modification. For example, integrate a malware, a Remote Access Trojan or anything else.