Saturday, August 7, 2010

Android App Ad Hiding - Android App Cracking Tutorial #1

Advanced Task Manager - Free Ad Removal Tutorial

Requisites:
apktool - contains baksmali/smali, generally awesome. (http://code.google.com/p/android-apktool/)
Android SDK installed. (http://developer.android.com/sdk/index.html)
ADB Access.
An Android Device

Advanced Task Manager allows you to quickly kill off large numbers of processes.
It's a generally useful app; however, it has ads. You can pay like $2.99 or something
to remove the ads, but I'm just going to hide them instead.

First I pulled the apk off my device:
    adb pull /data/app/com.rechild.advancedtaskkiller.apk .

Then I use apktool to decompress and disassemble the package:
    apktool d com.rechild.advancedtaskkiller.apk atk_reversing

Then I go into the newly created directory:
    cd atk_reversing

Looking at the layouts and the smali directory layout, we can see that Google ads are used.

Now here's where we split into 3 possible cracking scenarios.

1. Patch com.google.ads code: This would allow us to have a semi-generic patch
method for ALL apps using com.google.ads. The goal would be to patch the Google
ads library so that the ads it produces are hidden or too small to be seen.

2. Patch com.rechild.advancedtaskkiller code: This would allow us to find where Advanced Task Killer calls the
com.google.ads code, and rip it out so it's never actually used.

3. Patch the resources, making the ads invisible: This allows us to hide the ads and make
them no longer clickable, HOWEVER, they are still downloaded. I find this an acceptable
trade-off for how easy it is to do.

We're going to explore #3 today.

The layouts are in atk_reversing/res/layout

There are four view XML attributes I want to point out that are immensely useful in ad blocking:
    android:visibility
    android:clickable
    android:layout_width
    android:layout_height

These four XML attributes make a world of difference.

grep for com.google.ads in the res/layout directory, and you'll see a hit:
    main.xml:   

That's no good. We can edit the element so that layout_width and layout_height are 0px, and make it unclickable and invisible.

I recommend editing the file by hand, but I will demonstrate some sed magic (run from the res/layout directory):

    for i in *.xml; do sed -i 's/^\(.*com.google.ads.GoogleAdView.*\)wrap_content\(.*\)wrap_content\(.*\)\/>\(.*\)$/\10px\20px\3 android:visibility="invisible" android:clickable="false" \/>\4/g' "$i"; done

With this done, we're ready to repackage the apk file. Go back up to the directory where the original apk file is, and type the following to repackage it:
    apktool b atk_reversing newatk.apk

We need to sign this to install it on most Android devices. If you have the SDK installed, you should have a debug key:
    jarsigner -keystore ~/.android/debug.keystore newatk.apk androiddebugkey

and enter "android" as the password.

NOTE: You won't be able to "upgrade" the app on the device; you MUST uninstall it first, either on the device or by typing the following:
    adb uninstall com.rechild.advancedtaskkiller

You now have an installable cracked apk, which you can install by typing:
    adb install newatk.apk
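
The same four attributes are what an app developer or reviewer can look for when checking whether a repackaged copy has had its ad view hidden. The following is an added example, not part of the original post: a shell check over apktool-decoded layouts, where the function names and the sample XML (including the `@+id/adview` id) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ad views hidden via layout attributes in decoded
# (apktool d) layouts. All sample XML below is constructed for illustration.

# Print every GoogleAdView start tag in FILE on one line, even when the
# element spans several lines: newlines become spaces, each '<' a line break.
ad_view_tags() {
    tr '\n<' ' \n' < "$1" | grep '^com\.google\.ads\.GoogleAdView'
}

# Print "FILE: reason" for each hiding attribute found on an ad view.
check_layout() {
    ad_view_tags "$1" | while IFS= read -r tag; do
        if printf '%s\n' "$tag" | grep -Eq 'android:layout_(width|height)="0(px|dp|dip)?"'; then
            echo "$1: ad view is zero-sized"; fi
        if printf '%s\n' "$tag" | grep -Eq 'android:visibility="(invisible|gone)"'; then
            echo "$1: ad view is not visible"; fi
        if printf '%s\n' "$tag" | grep -q 'android:clickable="false"'; then
            echo "$1: ad view is not clickable"; fi
    done
}

# Scan DIR/*.xml; print findings and return 0 if any, 1 if clean.
scan_layouts() {
    findings=$(for f in "$1"/*.xml; do
        if [ -f "$f" ]; then check_layout "$f"; fi
    done)
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 0; fi
    return 1
}

# Write one tampered and one untouched layout (both constructed) into DIR.
make_samples() {
    cat > "$1/main.xml" <<'EOF'
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <com.google.ads.GoogleAdView android:id="@+id/adview"
      android:layout_width="0px" android:layout_height="0px"
      android:visibility="invisible" android:clickable="false" />
</LinearLayout>
EOF
    cat > "$1/original.xml" <<'EOF'
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <com.google.ads.GoogleAdView android:id="@+id/adview"
      android:layout_width="wrap_content" android:layout_height="wrap_content" />
</LinearLayout>
EOF
}

tmp=$(mktemp -d) && make_samples "$tmp" && scan_layouts "$tmp"; rm -rf "$tmp"
```

A static check like this only covers the resource-level change described here; the other two scenarios modify code rather than layouts and would not show up in it.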

1 comment:

  1. fascinating! I also find it fascinating to learn how it all works under the hood. Looking forward to #1 and #2 methods...