Hacking

Hooking and patching android apps using Xposed framework

Srinivas
January 23, 2017 by
Srinivas

In part 22 of this series, we discussed the tools that control the flow of the application on the fly while the app is running. Writing Cydia Substrate extensions to control the application flow is what we discussed there. In this article, we are going to use Xposed Framework on the same target application we used in part 22.

Xposed is a framework for manipulating Android applications' flow at runtime. You can get more details about how the Xposed framework works from their website.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

To make things clear before you begin, the following is what is required to follow this article practically.

  • Rooted Android Device or Emulator with Xposed Framework installed.

Xposed Framework can be found here. Install it similar to any other application.

$ adb install de.robv.android.xposed.installer_v32_de4f0d.apk

[100%] /data/local/tmp/de.robv.android.xposed.installer_v32_de4f0d.apk

    pkg: /data/local/tmp/de.robv.android.xposed.installer_v32_de4f0d.apk

Success

$

If you open up your Xposed App you just installed, you should see the following window.

When you see the above window, tap on Framework button, and the following window opens.

As you can see in the above figure, app_process and XposedBridge.jar are currently not active. Click Install/Update button to activate them.

When you see the above alert, click OK, and your device reboots. Finally, you should see the following window, where you can notice that the error under the Framework button is gone.

Nice, we are all set with the Xposed Framework on our device.

  1. Create a new Android Application (This is the Xposed Module) using Android Studio IDE. Detailed instructions specific to Android Studio are discussed later in this article.
  2. Target application. You can download this from the download section.

Just to reiterate, we are using the same target application that we used in part 22. The following is our target app's first activity.

When the user enters invalid credentials, an error will be thrown as shown in the figure below.

Our goal is to bypass this login by writing an Xposed Module. Before proceeding with the Xposed Module, let us first understand the application's logic.

We can decompile the APK and get the Java version of the code to understand the logic. To keep the things simple, I am showing the original source as the idea here is to understand how to write an Xposed Module assuming that we have access to the application's logic.

Following is the code snippet for Login.java

Login.java

package com.androidpentesting.targetapp;

if(isValidLogin(username,password))

{

Intent in=new Intent(getApplicationContext(),Welcome.class);

startActivity(in);

}

else {

Toast.makeText(getApplicationContext(), "Invalid Username or password", Toast.LENGTH_LONG).show();

}

public boolean isValidLogin(String username, String password)

{

String uname=pref.getString("username",null);

String pass=pref.getString("password",null);

if(username.contentEquals(uname) && password.contentEquals(pass))

{

return true;

}

else{

return false;

}

}

 

As you can see in the above code snippet, the app gets the username and password from the user and then compares it against the values stored in SharedPreferences. If the user entered credentials are matching, the app is returning a Boolean value of true and then redirecting the user to a private activity. That is a perfect test bed for us to write our Xposed Module in a way that the app always returns true regardless of the user input.

Details we got from the above Snippet:

Class name: com.androidpentesting.targetapp.Login

Method name: isValidLogin

Writing Xposed module:

Let's begin.

Launch Android Studio and create a new project. In this case, XposedLoginBypass is the project name.

Next, choose your minimum SDK version as shown in the following figure.

Click Next, and you should see the following screen. Choose Add No Activity and click Finish.

This creates a new application with the following structure.

Now, let us add XposedBridgeAPI Library to our project. This is required to be able to invoke Xposed specific methods within our Xposed Module.

XposedBridgeAPI library can be downloaded here.

Create a folder called provided within the app directory and place this library inside

it.

Next, create a folder named assets inside app/src/main/ directory and create a new file called xposed_init inside it.

Now, add the following content to the file we just created.

com.androidpentesting.xposedloginbypass.MyClass

MyClass is the actual class that contains the code to bypass authentication. We will create it later.

Next, open up build.gradle file under app folder and add the following line under dependencies section.

provided files('provided/[XposedBridgeAPI library.jar]')

This looks as shown in the excerpt below.

dependencies {

compile fileTree(dir: 'libs', include: ['*.jar'])

compile 'com.android.support:appcompat-v7:25.1.0'

provided files('provided/XposedBridgeApi-54.jar')

}

Now, add the required metadata to the AndroidManifest.xml file as highlighted below.

<manifest xmlns_android="http://schemas.android.com/apk/res/android"

package="com.androidpentesting.xposedloginbypass">

<meta-data

android_name="xposedmodule"

android_value="true" />

<meta-data

android_name="xposeddescription"

android_value="xposed module to bypass authentication" />

<meta-data

android_name="xposedminversion"

android_value="54" />

<application android_allowBackup="true" android_label="@string/app_name"

android_icon="@drawable/ic_launcher" android_theme="@style/AppTheme">

</application>

</manifest>

We have completed all the prerequisites to write our Xposed Module. We can now create a new class named MyClass and write the code to bypass authentication in our target application.

So, lets create a new class and name it MyClass as shown in the figure below.

Open up MyClass.java file and write the following code.

package com.androidpentesting.XposedLoginBypass;

import de.robv.android.xposed.IXposedHookLoadPackage;

import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class MyClass implements IXposedHookLoadPackage {

public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {

//our code goes here

}

}

First, our class is implementing the IXposedHookLoadPackage interface.

The handleloadpackage method has to be defined by us implement IXposedHookLoadPackage.

So, we need to write our own code inside the handleLoadPackage method.

When a package is loaded, this method will be executed. So, let us find out if the package loaded is of our interest. This can be done as shown in the following excerpt.

public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {

if(lpparam.packageName.equals("com.androidpentesting.targetapp")) {

//remaining code goes here

}

}

If our target package is loaded, we will hook into the method of our interest. In this case, isValidLogin is the method that decides if the user is logged in or not. Returning true when the user enters valid credentials does this.

Place the following code in your MyClass.java file.

public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {

String targetClass = "com.androidpentesting.targetapp.Login";

String targetMethod = "isValidLogin";

if(lpparam.packageName.equals("com.androidpentesting.targetapp")) {

findAndHookMethod(targetClass, lpparam.classLoader, targetMethod, String.class,String.class,

new XC_MethodHook() {

@Override

protected void afterHookedMethod(MethodHookParam param) throws Throwable {

param.setResult(true);

}

});

}

}

As you can notice, afterHookedMethod is setting boolean value true as the hooked method's return value. When this code gets executed, the target application's isValidLogin method receives a return value true, which bypasses the authentication process.

Run the above code on your Android device, which installs the Xposed Module.

Navigate to the Modules section to see the installed modules.

As shown in the above figure, mark the checkbox next to the module we just installed and do a soft reboot. Now, you should be able to see the welcome screen if you launch the target application and login even with invalid credentials.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Please note that we just took a simple example to demonstrate how Xposed Modules can be written using Android Studio. The target application's logic decides your Xposed Module's code, and it is recommended to take a look at Xposed APIs to get the best of it.

Srinivas
Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs atwww.androidpentesting.com. Email: srini0x00@gmail.com