SlideShare a Scribd company logo

Deep Inside Android Hacking Techniques

Keishin Yokomaku
Keishin Yokomaku

We should be aware of how well we can 'hack' Android.

MobileSoftwareTechnology
1 of 53
Download to read offline
Deep Inside Android Hacks Keishin Yokomaku (KeithYokoma) @ Drivemode, Inc. Android All Stars #dotsandroid
Profile • Keishin Yokomaku at Drivemode, Inc. • Social: @KeithYokoma • Publication: Android Training • Product: • Like: Bicycle, Photography, Tumblr • Nickname: Qiita Meister
Drivemode • Now available on Play Store! • http://bit.ly/1LYdxAg
E-book • AndroidTraining / iOS Training • http://amzn.to/1mZNydv
How to Hack Android
How to Hack Android • Using public APIs • Reflection to access hidden APIs • AIDL to communicate with System services
Using public APIs
Using public APIs • It’s official! • Less likely to crash coming from customizations
android.media.session • Lollipop API • Components • MediaSession and MediaSession.Token • MediaController • Notification.MediaStyle
MediaSession and MediaController • Permit transport control by session token Media Application MediaSession Other Application MediaController Token Transport Control
NotificationListenerService • Background service listening to status bar notification events NotificationManager Notification notify NotificationListenerService onNotificationPosted
Notification.MediaStyle • Pass MediaSession.Token to system notification • When you listen to notification event… • MediaSession.Token is in `extras` • Key for `extras` is defined on Notification • MediaSession.Token is valid even if the receiver is not intended to
–Someone “This is more like session hijacking”
Take control of music playback public class MusicNotificationWatcher extends NotificationListenerService { private Bus eventBus; @Override public void onNotificationPosted(StatusBarNotification sbn) { MediaSession.Token token = sbn.getNotification().extras.getParcelable(Notification.EXTRA_MEDIA_SESSION); eventBus.post(new NewMusicNotification(token)); } } public class MyActivity extends Activity { private MediaController controller; @Subscribe public void onNewMusicNotificationAdded(NewMusicNotification event) { controller = new MediaController(this, event.getToken()) } }
Take control of music playback public class MusicNotificationWatcher extends NotificationListenerService { private Bus eventBus; @Override public void onNotificationPosted(StatusBarNotification sbn) { MediaSession.Token token = sbn.getNotification().extras.getParcelable(Notification.EXTRA_MEDIA_SESSION); eventBus.post(new NewMusicNotification(token)); } } public class MyActivity extends Activity { private MediaController controller; @Subscribe public void onNewMusicNotificationAdded(NewMusicNotification event) { controller = new MediaController(this, event.getToken()) } }
Take control of music playback public class MusicNotificationWatcher extends NotificationListenerService { private Bus eventBus; @Override public void onNotificationPosted(StatusBarNotification sbn) { MediaSession.Token token = sbn.getNotification().extras.getParcelable(Notification.EXTRA_MEDIA_SESSION); eventBus.post(new NewMusicNotification(token)); } } public class MyActivity extends Activity { private MediaController controller; @Subscribe public void onNewMusicNotificationAdded(NewMusicNotification event) { controller = new MediaController(this, event.getToken()) } }
“Is it practical?”
Is it practical? • It depends • You cannot fully cover overall music experience • For keyguard apps, this is good enough
“Is it affordable?”
Is it affordable? • No • Because it works only on Lollipop and with Google Play Music
Reflection to access hidden APIs
Reflection to access hidden APIs • It’s unofficial, dirty, unpaved… • No IDE support for you • Be careful about ProGuard settings • Breaking changes might be happening under the hood • Performance issue
ProGuard • Do not obfuscate statements called via reflection
Reflection basics • Class • Object#getClass(), Class.forName(), Class literal • Method • Class#getDeclaredMethods(), Class#getDeclaredMethod() • Field • Class#getDeclaredFields(), Class#getDeclaredField()
Example package com.sample; public class Something { private void foo(String str) {} } public class ReflectionSample { public void reflect(Something something) throws Exception { Method foo = something.getDeclaredMethod(“foo”, String.class); foo.setAccessible(true); foo.invoke(something, “bar”); } }
Example package com.sample; public class Something { private void foo(String str) {} } public class ReflectionSample { public void reflect(Something something) throws Exception { Method foo = something.getDeclaredMethod(“foo”, String.class); foo.setAccessible(true); foo.invoke(something, “bar”); } }
Example package com.sample; public class Something { private void foo(String str) {} } public class ReflectionSample { public void reflect(Something something) throws Exception { Method foo = something.getDeclaredMethod(“foo”, String.class); foo.setAccessible(true); foo.invoke(something, “bar”); } }
Example package com.sample; public class Something { private void foo(String str) {} } public class ReflectionSample { public void reflect(Something something) throws Exception { Method foo = something.getDeclaredMethod(“foo”, String.class); foo.setAccessible(true); foo.invoke(something, “bar”); } }
Accessing hidden APIs • Methods / Fields • getDeclared** to get private (or hidden) one • setAccessible(true) to make it visible to us
“Why are you using wrecking reflection?” “Because it is practical”
Practicality of reflection • Aggressive usage • to get informations that is generally prohibited for normal apps • to use system functions • Reluctant usage • to avoid/patch bugs in framework
Aggressive reflection • You can do almost everything • Read `RemoteViews` operations • Read actual `Intent` on `PendingIntent` • Call hidden method to register object onto system service
Karma of aggressive reflection • Spoil encapsulation • Need to pay attention to the object state • It may not work • No guarantee that every phone has the same method or field • Google is watching you
Reluctant reflection • Avoid bugs in framework • Ex. http://bit.ly/1HkJvR4 • Fix wrong path for preferences files on G***** S • Ex. http://bit.ly/1E5kB7L • Backward compatibility
Benefits of reluctant reflection • Reduce a lot of pains on users who are using broken phone • Keep new API available on old phones
AIDL to communicate with System services
AIDL to communicate with System services • Yet another dirty work • Be careful about ProGuard settings
ProGuard • Do not obfuscate auto generated codes and implementation
AIDL basics • Implementing AIDL stub • Put .aidl in `src/main/aidl` • Compile it • Implement stub methods in Java code
A lot of AIDLs in framework • Intent, Bundle, Uri, Bitmap, Rect, Account… • Data container objects passed to each processes • MediaSession, ICameraService, ITelephonyService… • Abstraction of some operations
Media Controller on the Lock Screen • Android 4.0 and above (up to Android 4.2) • RemoteControlClient and IRemoteControlDisplay Media Application RemoteControl Client Lock Screen IRemoteControl Display Publish media state Transport Control AudioManager
Media Controller on the Lock Screen • Android 4.0 and above (up to Android 4.2) • RemoteControlClient and IRemoteControlDisplay Media Application RemoteControl Client Lock Screen IRemoteControl Display Publish media state Transport Control AudioManager
IRemoteControlDisplay // in IRemoteControlDisplay.aidl package android.media; oneway interface IRemoteControlDisplay { // various methods declared… } // in Java code public class RemoteControlDisplay extends IRemoteControlDisplay.Stub { // various implementations here… }
AudioManager private final AudioManager mAudioManager; private final IRemoteControlDisplay mDisplay; public void setUp() throws Exception { Method register = mAudioManager.getClass().getDeclaredMethod( “registerRemoteControlDisplay”, IRemoteControlDisplay.class); register.invoke(mAudioManager, mDisplay); } public void tearDown() throws Exception { Method unregister = mAudioManager.getClass().getDeclaredMethod( “unregisterRemoteControlDisplay”, IRemoteControlDisplay.class); unregister(mAudioManager, mDisplay); }
AIDL Versioning • IRemoteControlDisplay • IRemoteControlDisplay is available from ICS • New method is added on JB • But… • The method name is the same (overloaded) • AIDL does not support overloading
Workaround for method overload • AIDL definition • Keep the latest • Java implementation • Declare every version of overloaded methods
IRemoteControlDisplay // ICS version oneway interface IRemoteControlDisplay { setPlaybackState(int id, int state, long stateChangeTimeMs); } // JB version oneway interface IRemoteControlDisplay { setPlaybackState(int id, int state, long stateChangeTimeMs, long currentPosMs, float speed); }
IRemoteControlDisplay public class RemoteControlDisplay extends IRemoteControlDisplay.Stub { public void setPlaybackState(int id, int state, long stateChangeTimeMs) { } @Override public void setPlaybackState(int id, int state, long stateChangeTimeMs, long currentPosMs, float speed) { } }
Internal AIDL usage • Be aware of method declaration • If no method found, the app will crash • Keep compatible • Define the same signature method on implementation
“Don’t be afraid. Keep calm and happy hacking!”
Deep Inside Android Hacks Keishin Yokomaku (KeithYokoma) @ Drivemode, Inc. Android All Stars

Recommended

Convert Your Web App to Tizen
Convert Your Web App to TizenConvert Your Web App to Tizen
Convert Your Web App to TizenCheng Luo
 
Tizen application inside out
Tizen application inside outTizen application inside out
Tizen application inside outEun Young Lee
 
Android terminologies
Android terminologiesAndroid terminologies
Android terminologiesjerry vasoya
 
Extending Spring MVC with Spring Mobile and JavaScript
Extending Spring MVC with Spring Mobile and JavaScriptExtending Spring MVC with Spring Mobile and JavaScript
Extending Spring MVC with Spring Mobile and JavaScriptRoy Clarkson
 
Android studio
Android studioAndroid studio
Android studioAndri Yabu
 
From Containerization to Modularity
From Containerization to ModularityFrom Containerization to Modularity
From Containerization to Modularityoasisfeng
 
FTF2014 - Android Accessory Protocol
FTF2014 - Android Accessory ProtocolFTF2014 - Android Accessory Protocol
FTF2014 - Android Accessory ProtocolGary Bisson
 
Tizen 2.0 overview
Tizen 2.0 overviewTizen 2.0 overview
Tizen 2.0 overviewNaruto TAKAHASHI
 

Recommended

Convert Your Web App to Tizen
Convert Your Web App to TizenConvert Your Web App to Tizen
Convert Your Web App to TizenCheng Luo
 
Tizen application inside out
Tizen application inside outTizen application inside out
Tizen application inside outEun Young Lee
 
Android terminologies
Android terminologiesAndroid terminologies
Android terminologiesjerry vasoya
 
Extending Spring MVC with Spring Mobile and JavaScript
Extending Spring MVC with Spring Mobile and JavaScriptExtending Spring MVC with Spring Mobile and JavaScript
Extending Spring MVC with Spring Mobile and JavaScriptRoy Clarkson
 
Android studio
Android studioAndroid studio
Android studioAndri Yabu
 
From Containerization to Modularity
From Containerization to ModularityFrom Containerization to Modularity
From Containerization to Modularityoasisfeng
 
FTF2014 - Android Accessory Protocol
FTF2014 - Android Accessory ProtocolFTF2014 - Android Accessory Protocol
FTF2014 - Android Accessory ProtocolGary Bisson
 
Tizen 2.0 overview
Tizen 2.0 overviewTizen 2.0 overview
Tizen 2.0 overviewNaruto TAKAHASHI
 
Mobile Web Development with HTML5
Mobile Web Development with HTML5Mobile Web Development with HTML5
Mobile Web Development with HTML5Roy Clarkson
 
Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017Ivo Neskovic
 
How to be a Tizen Committer
How to be a Tizen CommitterHow to be a Tizen Committer
How to be a Tizen CommitterEun Young Lee
 
Intel XDK in Brief
Intel XDK in BriefIntel XDK in Brief
Intel XDK in BriefCamilo Corea
 
Securing android applications
Securing android applicationsSecuring android applications
Securing android applicationsJose Manuel Ortega Candel
 
Android basics
Android basicsAndroid basics
Android basicsPandurangBiradar2
 
Tizen Micro Profile for IoT device
Tizen Micro Profile for IoT deviceTizen Micro Profile for IoT device
Tizen Micro Profile for IoT deviceRyo Jin
 
Development Playbook Application With Adobe AIR 2.5 and QNX SDK
Development Playbook Application With Adobe AIR 2.5 and QNX SDKDevelopment Playbook Application With Adobe AIR 2.5 and QNX SDK
Development Playbook Application With Adobe AIR 2.5 and QNX SDKTubagus Anwar
 
Android Application Development Using Java
Android Application Development Using JavaAndroid Application Development Using Java
Android Application Development Using Javaamaankhan
 
Fight back android fragmentation
Fight back android fragmentationFight back android fragmentation
Fight back android fragmentationBitbar
 
Android App Development Intro at ESC SV 2012
Android App Development Intro at ESC SV 2012Android App Development Intro at ESC SV 2012
Android App Development Intro at ESC SV 2012Opersys inc.
 
Apple Watch and WatchKit - A Technical Overview
Apple Watch and WatchKit - A Technical OverviewApple Watch and WatchKit - A Technical Overview
Apple Watch and WatchKit - A Technical OverviewSammy Sunny
 
Android Flash Development
Android Flash DevelopmentAndroid Flash Development
Android Flash DevelopmentStephen Chin
 
Testing Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToTesting Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToApkudo
 
Mobile Day - Intel XDK & Testing
Mobile Day - Intel XDK & TestingMobile Day - Intel XDK & Testing
Mobile Day - Intel XDK & TestingSoftware Guru
 
Android Development Workshop
Android Development WorkshopAndroid Development Workshop
Android Development WorkshopPeter Robinett
 
Overview of DroidCon UK 2015
Overview of DroidCon UK 2015 Overview of DroidCon UK 2015
Overview of DroidCon UK 2015 Elif Boncuk
 
Instrumentation 101
Instrumentation 101Instrumentation 101
Instrumentation 101Apkudo
 
March 2014 Meetup - Nokia X Tech Session
March 2014 Meetup - Nokia X Tech SessionMarch 2014 Meetup - Nokia X Tech Session
March 2014 Meetup - Nokia X Tech SessionBlrDroid
 
Information security - Paylogic TechTalk 2014
Information security - Paylogic TechTalk 2014Information security - Paylogic TechTalk 2014
Information security - Paylogic TechTalk 2014Dirk Zittersteyn
 
IPC: AIDL is not a curse
IPC: AIDL is not a curseIPC: AIDL is not a curse
IPC: AIDL is not a curseYonatan Levin
 
Android AIDL Concept
Android AIDL ConceptAndroid AIDL Concept
Android AIDL ConceptCharile Tsai
 

More Related Content

What's hot

Mobile Web Development with HTML5
Mobile Web Development with HTML5Mobile Web Development with HTML5
Mobile Web Development with HTML5Roy Clarkson
 
Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017Ivo Neskovic
 
How to be a Tizen Committer
How to be a Tizen CommitterHow to be a Tizen Committer
How to be a Tizen CommitterEun Young Lee
 
Intel XDK in Brief
Intel XDK in BriefIntel XDK in Brief
Intel XDK in BriefCamilo Corea
 
Tizen Micro Profile for IoT device
Tizen Micro Profile for IoT deviceTizen Micro Profile for IoT device
Tizen Micro Profile for IoT deviceRyo Jin
 
Development Playbook Application With Adobe AIR 2.5 and QNX SDK
Development Playbook Application With Adobe AIR 2.5 and QNX SDKDevelopment Playbook Application With Adobe AIR 2.5 and QNX SDK
Development Playbook Application With Adobe AIR 2.5 and QNX SDKTubagus Anwar
 
Android Application Development Using Java
Android Application Development Using JavaAndroid Application Development Using Java
Android Application Development Using Javaamaankhan
 
Fight back android fragmentation
Fight back android fragmentationFight back android fragmentation
Fight back android fragmentationBitbar
 
Android App Development Intro at ESC SV 2012
Android App Development Intro at ESC SV 2012Android App Development Intro at ESC SV 2012
Android App Development Intro at ESC SV 2012Opersys inc.
 
Apple Watch and WatchKit - A Technical Overview
Apple Watch and WatchKit - A Technical OverviewApple Watch and WatchKit - A Technical Overview
Apple Watch and WatchKit - A Technical OverviewSammy Sunny
 
Android Flash Development
Android Flash DevelopmentAndroid Flash Development
Android Flash DevelopmentStephen Chin
 
Testing Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToTesting Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToApkudo
 
Mobile Day - Intel XDK & Testing
Mobile Day - Intel XDK & TestingMobile Day - Intel XDK & Testing
Mobile Day - Intel XDK & TestingSoftware Guru
 
Android Development Workshop
Android Development WorkshopAndroid Development Workshop
Android Development WorkshopPeter Robinett
 
Overview of DroidCon UK 2015
Overview of DroidCon UK 2015 Overview of DroidCon UK 2015
Overview of DroidCon UK 2015 Elif Boncuk
 
Instrumentation 101
Instrumentation 101Instrumentation 101
Instrumentation 101Apkudo
 
March 2014 Meetup - Nokia X Tech Session
March 2014 Meetup - Nokia X Tech SessionMarch 2014 Meetup - Nokia X Tech Session
March 2014 Meetup - Nokia X Tech SessionBlrDroid
 

What's hot (19)

Mobile Web Development with HTML5
Mobile Web Development with HTML5Mobile Web Development with HTML5
Mobile Web Development with HTML5
 
Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017Android - From Zero to Hero @ DEVit 2017
Android - From Zero to Hero @ DEVit 2017
 
How to be a Tizen Committer
How to be a Tizen CommitterHow to be a Tizen Committer
How to be a Tizen Committer
 
Intel XDK in Brief
Intel XDK in BriefIntel XDK in Brief
Intel XDK in Brief
 
Securing android applications
Securing android applicationsSecuring android applications
Securing android applications
 
Android basics
Android basicsAndroid basics
Android basics
 
Tizen Micro Profile for IoT device
Tizen Micro Profile for IoT deviceTizen Micro Profile for IoT device
Tizen Micro Profile for IoT device
 
Development Playbook Application With Adobe AIR 2.5 and QNX SDK
Development Playbook Application With Adobe AIR 2.5 and QNX SDKDevelopment Playbook Application With Adobe AIR 2.5 and QNX SDK
Development Playbook Application With Adobe AIR 2.5 and QNX SDK
 
Android Application Development Using Java
Android Application Development Using JavaAndroid Application Development Using Java
Android Application Development Using Java
 
Fight back android fragmentation
Fight back android fragmentationFight back android fragmentation
Fight back android fragmentation
 
Android App Development Intro at ESC SV 2012
Android App Development Intro at ESC SV 2012Android App Development Intro at ESC SV 2012
Android App Development Intro at ESC SV 2012
 
Apple Watch and WatchKit - A Technical Overview
Apple Watch and WatchKit - A Technical OverviewApple Watch and WatchKit - A Technical Overview
Apple Watch and WatchKit - A Technical Overview
 
Android Flash Development
Android Flash DevelopmentAndroid Flash Development
Android Flash Development
 
Testing Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToTesting Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have To
 
Mobile Day - Intel XDK & Testing
Mobile Day - Intel XDK & TestingMobile Day - Intel XDK & Testing
Mobile Day - Intel XDK & Testing
 
Android Development Workshop
Android Development WorkshopAndroid Development Workshop
Android Development Workshop
 
Overview of DroidCon UK 2015
Overview of DroidCon UK 2015 Overview of DroidCon UK 2015
Overview of DroidCon UK 2015
 
Instrumentation 101
Instrumentation 101Instrumentation 101
Instrumentation 101
 
March 2014 Meetup - Nokia X Tech Session
March 2014 Meetup - Nokia X Tech SessionMarch 2014 Meetup - Nokia X Tech Session
March 2014 Meetup - Nokia X Tech Session
 

Viewers also liked

Information security - Paylogic TechTalk 2014
Information security - Paylogic TechTalk 2014Information security - Paylogic TechTalk 2014
Information security - Paylogic TechTalk 2014Dirk Zittersteyn
 
IPC: AIDL is not a curse
IPC: AIDL is not a curseIPC: AIDL is not a curse
IPC: AIDL is not a curseYonatan Levin
 
Android AIDL Concept
Android AIDL ConceptAndroid AIDL Concept
Android AIDL ConceptCharile Tsai
 
HTTP/2 - The Web of Future
HTTP/2 - The Web of FutureHTTP/2 - The Web of Future
HTTP/2 - The Web of FutureVahè Èvoyan
 
AWS Security 솔루션 자세히 살펴보기 :: 신용녀 :: AWS Finance Seminar
AWS Security 솔루션 자세히 살펴보기 :: 신용녀 :: AWS Finance SeminarAWS Security 솔루션 자세히 살펴보기 :: 신용녀 :: AWS Finance Seminar
AWS Security 솔루션 자세히 살펴보기 :: 신용녀 :: AWS Finance SeminarAmazon Web Services Korea
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of AndroidTetsuyuki Kobayashi
 
Code Your Agility - Tips for Boosting Technical Agility in Your Organization
Code Your Agility - Tips for Boosting Technical Agility in Your OrganizationCode Your Agility - Tips for Boosting Technical Agility in Your Organization
Code Your Agility - Tips for Boosting Technical Agility in Your OrganizationLemi Orhan Ergin
 
“Writing code that lasts” … or writing code you won’t hate tomorrow.
“Writing code that lasts” … or writing code you won’t hate tomorrow.“Writing code that lasts” … or writing code you won’t hate tomorrow.
“Writing code that lasts” … or writing code you won’t hate tomorrow.Rafael Dohms
 
정보보호최근이슈및패러다임의변화 임종인(고려대)
정보보호최근이슈및패러다임의변화 임종인(고려대)정보보호최근이슈및패러다임의변화 임종인(고려대)
정보보호최근이슈및패러다임의변화 임종인(고려대)Kyuhyung Cho
 

Viewers also liked (9)

Information security - Paylogic TechTalk 2014
Information security - Paylogic TechTalk 2014Information security - Paylogic TechTalk 2014
Information security - Paylogic TechTalk 2014
 
IPC: AIDL is not a curse
IPC: AIDL is not a curseIPC: AIDL is not a curse
IPC: AIDL is not a curse
 
Android AIDL Concept
Android AIDL ConceptAndroid AIDL Concept
Android AIDL Concept
 
HTTP/2 - The Web of Future
HTTP/2 - The Web of FutureHTTP/2 - The Web of Future
HTTP/2 - The Web of Future
 
AWS Security 솔루션 자세히 살펴보기 :: 신용녀 :: AWS Finance Seminar
AWS Security 솔루션 자세히 살펴보기 :: 신용녀 :: AWS Finance SeminarAWS Security 솔루션 자세히 살펴보기 :: 신용녀 :: AWS Finance Seminar
AWS Security 솔루션 자세히 살펴보기 :: 신용녀 :: AWS Finance Seminar
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
 
Code Your Agility - Tips for Boosting Technical Agility in Your Organization
Code Your Agility - Tips for Boosting Technical Agility in Your OrganizationCode Your Agility - Tips for Boosting Technical Agility in Your Organization
Code Your Agility - Tips for Boosting Technical Agility in Your Organization
 
“Writing code that lasts” … or writing code you won’t hate tomorrow.
“Writing code that lasts” … or writing code you won’t hate tomorrow.“Writing code that lasts” … or writing code you won’t hate tomorrow.
“Writing code that lasts” … or writing code you won’t hate tomorrow.
 
정보보호최근이슈및패러다임의변화 임종인(고려대)
정보보호최근이슈및패러다임의변화 임종인(고려대)정보보호최근이슈및패러다임의변화 임종인(고려대)
정보보호최근이슈및패러다임의변화 임종인(고려대)
 

Similar to Deep Inside Android Hacking Techniques

Being Epic: Best Practices for Android Development
Being Epic: Best Practices for Android DevelopmentBeing Epic: Best Practices for Android Development
Being Epic: Best Practices for Android DevelopmentReto Meier
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForMichael Scovetta
 
Android - Open Source Bridge 2011
Android - Open Source Bridge 2011Android - Open Source Bridge 2011
Android - Open Source Bridge 2011sullis
 
Quality in dev ops east 2017
Quality in dev ops east 2017Quality in dev ops east 2017
Quality in dev ops east 2017Amir Rozenberg
 
Mitigating data theft_in_android
Mitigating data theft_in_androidMitigating data theft_in_android
Mitigating data theft_in_androidRashmi Bhandari
 
Rockstar Android Testing (Mobile TechCon Munich 2014)
Rockstar Android Testing (Mobile TechCon Munich 2014)Rockstar Android Testing (Mobile TechCon Munich 2014)
Rockstar Android Testing (Mobile TechCon Munich 2014)Danny Preussler
 
Google Developer Group(GDG) DevFest Event 2012 Android talk
Google Developer Group(GDG) DevFest Event 2012 Android talkGoogle Developer Group(GDG) DevFest Event 2012 Android talk
Google Developer Group(GDG) DevFest Event 2012 Android talkImam Raza
 
Droidcon Spain 2016 - The Pragmatic Android Programmer: from hype to reality
Droidcon Spain 2016 - The Pragmatic Android Programmer: from hype to reality Droidcon Spain 2016 - The Pragmatic Android Programmer: from hype to reality
Droidcon Spain 2016 - The Pragmatic Android Programmer: from hype to realityDaniel Gallego Vico
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Appium meet up noida
Appium meet up noidaAppium meet up noida
Appium meet up noidaAmit Rawat
 
Mobile Test Automation
Mobile Test AutomationMobile Test Automation
Mobile Test AutomationLee Barnes
 
What's new in Android M
What's new in Android MWhat's new in Android M
What's new in Android MKirill Rozov
 
Android 3.1 - Portland Code Camp 2011
Android 3.1 - Portland Code Camp 2011Android 3.1 - Portland Code Camp 2011
Android 3.1 - Portland Code Camp 2011sullis
 
2012 java one-con3648
2012 java one-con36482012 java one-con3648
2012 java one-con3648Eing Ong
 
Rounds tips & tricks
Rounds tips & tricksRounds tips & tricks
Rounds tips & tricksAviv Laufer
 
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...DroidConTLV
 

Similar to Deep Inside Android Hacking Techniques (20)

Being Epic: Best Practices for Android Development
Being Epic: Best Practices for Android DevelopmentBeing Epic: Best Practices for Android Development
Being Epic: Best Practices for Android Development
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking For
 
Firefox OS Presentation
Firefox OS PresentationFirefox OS Presentation
Firefox OS Presentation
 
Android101
Android101Android101
Android101
 
Android - Open Source Bridge 2011
Android - Open Source Bridge 2011Android - Open Source Bridge 2011
Android - Open Source Bridge 2011
 
Quality in dev ops east 2017
Quality in dev ops east 2017Quality in dev ops east 2017
Quality in dev ops east 2017
 
Mitigating data theft_in_android
Mitigating data theft_in_androidMitigating data theft_in_android
Mitigating data theft_in_android
 
Rockstar Android Testing (Mobile TechCon Munich 2014)
Rockstar Android Testing (Mobile TechCon Munich 2014)Rockstar Android Testing (Mobile TechCon Munich 2014)
Rockstar Android Testing (Mobile TechCon Munich 2014)
 
Google Developer Group(GDG) DevFest Event 2012 Android talk
Google Developer Group(GDG) DevFest Event 2012 Android talkGoogle Developer Group(GDG) DevFest Event 2012 Android talk
Google Developer Group(GDG) DevFest Event 2012 Android talk
 
Android overview
Android overviewAndroid overview
Android overview
 
Droidcon Spain 2016 - The Pragmatic Android Programmer: from hype to reality
Droidcon Spain 2016 - The Pragmatic Android Programmer: from hype to reality Droidcon Spain 2016 - The Pragmatic Android Programmer: from hype to reality
Droidcon Spain 2016 - The Pragmatic Android Programmer: from hype to reality
 
Android class provider in mumbai
Android class provider in mumbaiAndroid class provider in mumbai
Android class provider in mumbai
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Appium meet up noida
Appium meet up noidaAppium meet up noida
Appium meet up noida
 
Mobile Test Automation
Mobile Test AutomationMobile Test Automation
Mobile Test Automation
 
What's new in Android M
What's new in Android MWhat's new in Android M
What's new in Android M
 
Android 3.1 - Portland Code Camp 2011
Android 3.1 - Portland Code Camp 2011Android 3.1 - Portland Code Camp 2011
Android 3.1 - Portland Code Camp 2011
 
2012 java one-con3648
2012 java one-con36482012 java one-con3648
2012 java one-con3648
 
Rounds tips & tricks
Rounds tips & tricksRounds tips & tricks
Rounds tips & tricks
 
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
 

More from Keishin Yokomaku

Regexp in Android and Java
Regexp in Android and JavaRegexp in Android and Java
Regexp in Android and JavaKeishin Yokomaku
 
Building stable and flexible libraries
Building stable and flexible librariesBuilding stable and flexible libraries
Building stable and flexible librariesKeishin Yokomaku
 
イカしたライブラリを作った話
イカしたライブラリを作った話イカしたライブラリを作った話
イカしたライブラリを作った話Keishin Yokomaku
 
Google I/O 2013 報告会 Android Studio と Gradle
Google I/O 2013 報告会 Android Studio と GradleGoogle I/O 2013 報告会 Android Studio と Gradle
Google I/O 2013 報告会 Android Studio と GradleKeishin Yokomaku
 

More from Keishin Yokomaku (14)

UI optimization for night
UI optimization for nightUI optimization for night
UI optimization for night
 
Popup view on Mortar
Popup view on MortarPopup view on Mortar
Popup view on Mortar
 
Regexp in Android and Java
Regexp in Android and JavaRegexp in Android and Java
Regexp in Android and Java
 
Make it compatible
Make it compatibleMake it compatible
Make it compatible
 
Signature
SignatureSignature
Signature
 
Android Media Hacks
Android Media HacksAndroid Media Hacks
Android Media Hacks
 
Null, the Abyss
Null, the AbyssNull, the Abyss
Null, the Abyss
 
?
??
?
 
Building stable and flexible libraries
Building stable and flexible librariesBuilding stable and flexible libraries
Building stable and flexible libraries
 
Typeface
TypefaceTypeface
Typeface
 
Version Management
Version ManagementVersion Management
Version Management
 
イカしたライブラリを作った話
イカしたライブラリを作った話イカしたライブラリを作った話
イカしたライブラリを作った話
 
Google I/O 2013 報告会 Android Studio と Gradle
Google I/O 2013 報告会 Android Studio と GradleGoogle I/O 2013 報告会 Android Studio と Gradle
Google I/O 2013 報告会 Android Studio と Gradle
 
自己組織化
自己組織化自己組織化
自己組織化
 

Deep Inside Android Hacking Techniques

  • 1. Deep Inside Android Hacks Keishin Yokomaku (KeithYokoma) @ Drivemode, Inc. Android All Stars #dotsandroid
  • 2. Profile • Keishin Yokomaku at Drivemode, Inc. • Social: @KeithYokoma • Publication: Android Training • Product: • Like: Bicycle, Photography, Tumblr • Nickname: Qiita Meister
  • 3. Drivemode • Now available on Play Store! • http://bit.ly/1LYdxAg
  • 4. E-book • AndroidTraining / iOS Training • http://amzn.to/1mZNydv
  • 5. How to Hack Android
  • 6. How to Hack Android • Using public APIs • Reflection to access hidden APIs • AIDL to communicate with System services
  • 8. Using public APIs • It’s official! • Less likely to crash coming from customizations
  • 9. android.media.session • Lollipop API • Components • MediaSession and MediaSession.Token • MediaController • Notification.MediaStyle
  • 10. MediaSession and MediaController • Permit transport control by session token Media Application MediaSession Other Application MediaController Token Transport Control
  • 11. NotificationListenerService • Background service listening to status bar notification events NotificationManager Notification notify NotificationListenerService onNotificationPosted
  • 12. Notification.MediaStyle • Pass MediaSession.Token to system notification • When you listen to notification event… • MediaSession.Token is in `extras` • Key for `extras` is defined on Notification • MediaSession.Token is valid even if the receiver is not intended to
  • 13. –Someone “This is more like session hijacking”
  • 14. Take control of music playback public class MusicNotificationWatcher extends NotificationListenerService { private Bus eventBus; @Override public void onNotificationPosted(StatusBarNotification sbn) { MediaSession.Token token = sbn.getNotification().extras.getParcelable(Notification.EXTRA_MEDIA_SESSION); eventBus.post(new NewMusicNotification(token)); } } public class MyActivity extends Activity { private MediaController controller; @Subscribe public void onNewMusicNotificationAdded(NewMusicNotification event) { controller = new MediaController(this, event.getToken()) } }
  • 15. Take control of music playback public class MusicNotificationWatcher extends NotificationListenerService { private Bus eventBus; @Override public void onNotificationPosted(StatusBarNotification sbn) { MediaSession.Token token = sbn.getNotification().extras.getParcelable(Notification.EXTRA_MEDIA_SESSION); eventBus.post(new NewMusicNotification(token)); } } public class MyActivity extends Activity { private MediaController controller; @Subscribe public void onNewMusicNotificationAdded(NewMusicNotification event) { controller = new MediaController(this, event.getToken()) } }
  • 16. Take control of music playback public class MusicNotificationWatcher extends NotificationListenerService { private Bus eventBus; @Override public void onNotificationPosted(StatusBarNotification sbn) { MediaSession.Token token = sbn.getNotification().extras.getParcelable(Notification.EXTRA_MEDIA_SESSION); eventBus.post(new NewMusicNotification(token)); } } public class MyActivity extends Activity { private MediaController controller; @Subscribe public void onNewMusicNotificationAdded(NewMusicNotification event) { controller = new MediaController(this, event.getToken()) } }
  • 18. Is it practical? • It depends • You cannot fully cover overall music experience • For keyguard apps, this is good enough
  • 20. Is it affordable? • No • Because it works only on Lollipop and with Google Play Music
  • 21. Reflection to access hidden APIs
  • 22. Reflection to access hidden APIs • It’s unofficial, dirty, unpaved… • No IDE support for you • Be careful about ProGuard settings • Breaking changes might be happening under the hood • Performance issue
  • 23. ProGuard • Do not obfuscate statements called via reflection
  • 24. Reflection basics • Class • Object#getClass(), Class.forName(), Class literal • Method • Class#getDeclaredMethods(), Class#getDeclaredMethod() • Field • Class#getDeclaredFields(), Class#getDeclaredField()
  • 25. Example package com.sample; public class Something { private void foo(String str) {} } public class ReflectionSample { public void reflect(Something something) throws Exception { Method foo = something.getDeclaredMethod(“foo”, String.class); foo.setAccessible(true); foo.invoke(something, “bar”); } }
  • 26. Example package com.sample; public class Something { private void foo(String str) {} } public class ReflectionSample { public void reflect(Something something) throws Exception { Method foo = something.getDeclaredMethod(“foo”, String.class); foo.setAccessible(true); foo.invoke(something, “bar”); } }
  • 27. Example package com.sample; public class Something { private void foo(String str) {} } public class ReflectionSample { public void reflect(Something something) throws Exception { Method foo = something.getDeclaredMethod(“foo”, String.class); foo.setAccessible(true); foo.invoke(something, “bar”); } }
  • 28. Example package com.sample; public class Something { private void foo(String str) {} } public class ReflectionSample { public void reflect(Something something) throws Exception { Method foo = something.getDeclaredMethod(“foo”, String.class); foo.setAccessible(true); foo.invoke(something, “bar”); } }
  • 29. Accessing hidden APIs • Methods / Fields • getDeclared** to get private (or hidden) one • setAccessible(true) to make it visible to us
  • 30. “Why are you using wrecking reflection?” “Because it is practical”
  • 31. Practicality of reflection • Aggressive usage • to get informations that is generally prohibited for normal apps • to use system functions • Reluctant usage • to avoid/patch bugs in framework
  • 32. Aggressive reflection • You can do almost everything • Read `RemoteViews` operations • Read actual `Intent` on `PendingIntent` • Call hidden method to register object onto system service
  • 33. Karma of aggressive reflection • Spoil encapsulation • Need to pay attention to the object state • It may not work • No guarantee that every phone has the same method or field • Google is watching you
  • 34. Reluctant reflection • Avoid bugs in framework • Ex. http://bit.ly/1HkJvR4 • Fix wrong path for preferences files on G***** S • Ex. http://bit.ly/1E5kB7L • Backward compatibility
  • 35. Benefits of reluctant reflection • Reduce a lot of pains on users who are using broken phone • Keep new API available on old phones
  • 36. AIDL to communicate with System services
  • 37. AIDL to communicate with System services • Yet another dirty work • Be careful about ProGuard settings
  • 38. ProGuard • Do not obfuscate auto generated codes and implementation
  • 39. AIDL basics • Implementing AIDL stub • Put .aidl in `src/main/aidl` • Compile it • Implement stub methods in Java code
  • 40. A lot of AIDLs in framework • Intent, Bundle, Uri, Bitmap, Rect, Account… • Data container objects passed to each processes • MediaSession, ICameraService, ITelephonyService… • Abstraction of some operations
  • 41. Media Controller on the Lock Screen • Android 4.0 and above (up to Android 4.2) • RemoteControlClient and IRemoteControlDisplay Media Application RemoteControl Client Lock Screen IRemoteControl Display Publish media state Transport Control AudioManager
  • 42. Media Controller on the Lock Screen • Android 4.0 and above (up to Android 4.2) • RemoteControlClient and IRemoteControlDisplay Media Application RemoteControl Client Lock Screen IRemoteControl Display Publish media state Transport Control AudioManager
  • 43. IRemoteControlDisplay // in IRemoteControlDisplay.aidl package android.media; oneway interface IRemoteControlDisplay { // various methods declared… } // in Java code public class RemoteControlDisplay extends IRemoteControlDisplay.Stub { // various implementations here… }
  • 44. AudioManager private final AudioManager mAudioManager; private final IRemoteControlDisplay mDisplay; public void setUp() throws Exception { Method register = mAudioManager.getClass().getDeclaredMethod( “registerRemoteControlDisplay”, IRemoteControlDisplay.class); register.invoke(mAudioManager, mDisplay); } public void tearDown() throws Exception { Method unregister = mAudioManager.getClass().getDeclaredMethod( “unregisterRemoteControlDisplay”, IRemoteControlDisplay.class); unregister(mAudioManager, mDisplay); }
  • 45. AIDL Versioning • IRemoteControlDisplay • IRemoteControlDisplay is available from ICS • New method is added on JB • But… • The method name is the same (overloaded) • AIDL does not support overloading
  • 46. Workaround for method overload • AIDL definition • Keep the latest • Java implementation • Declare every version of overloaded methods
  • 47. IRemoteControlDisplay // ICS version oneway interface IRemoteControlDisplay { setPlaybackState(int id, int state, long stateChangeTimeMs); } // JB version oneway interface IRemoteControlDisplay { setPlaybackState(int id, int state, long stateChangeTimeMs, long currentPosMs, float speed); }
  • 48. IRemoteControlDisplay public class RemoteControlDisplay extends IRemoteControlDisplay.Stub { public void setPlaybackState(int id, int state, long stateChangeTimeMs) { } @Override public void setPlaybackState(int id, int state, long stateChangeTimeMs, long currentPosMs, float speed) { } }
  • 49.
  • 50. Internal AIDL usage • Be aware of method declaration • If no method found, the app will crash • Keep compatible • Define the same signature method on implementation
  • 51.
  • 52. “Don’t be afraid. Keep calm and happy hacking!”
  • 53. Deep Inside Android Hacks Keishin Yokomaku (KeithYokoma) @ Drivemode, Inc. Android All Stars