I cracked a $19M company’s app and reported it
15 Aug 2024

Disclaimer: This post is all about learning. Company names and any sensitive or personally identifiable data have been redacted to keep things professional. Any example code isn’t the actual Smali code—it’s just for illustration. Play nice, stay legal, and remember—this is for education only!

[Image: 2 hours before sending this email...]

The Beginning

It all started when I got a Pixel device. Not having used one for a few years, I immediately started installing the apps I used to have. I also used to install modded apps—because, let's be honest, who doesn't? Then curiosity hit me: what if I could mod the app myself?

As a Mobile App Developer, I understand that no piece of code is truly secure—unless it's written only on paper and locked in a safe. But I never thought I would be able to crack a $19M company's app and report it to them.

So, to start simple, I thought, let’s mod an app to remove ads.

The Plan

So, what was my game plan? Here's a simplified version:

Pretty standard trial-and-error stuff.

The Execution

From here on, I'll refer to the app as "X" from "Company Y."

I found that X was using Google ads, so my initial plan was to remove the ads permissions from the AndroidManifest.xml.

By searching for all the necessary permissions needed to show ads, I knew what to remove. So, I decompiled the app and was greeted with around 20K files filled with mostly unreadable code.

Obfuscated code. Yay! More fun! 😑

After removing a bunch of permissions, I recompiled the app, signed it, and installed it, but boom—it didn’t work!

Looks like some other checks were in place. I’m not sure why removing the permissions didn’t work, but it meant I had to find another way.

I noticed there were a bunch of other ad SDKs being used, like Amazon ads. It was clear I couldn't just comment out all the ad SDKs one by one.

Maybe a more direct approach would work? What if I removed the initialization of the ad SDKs altogether? That might just do the trick.


Side Note: While writing this, a security personnel from "Company Y" reached out to me.



Now back to my story...

After combing through a lot of Smali code, I understood a few things:

- Most of the classes were implemented with dependency injection.
- Due to the obfuscation, it was hard to find the exact class that initializes the ads.
- The method names were obfuscated, so I had to rely on the method signature.
- The variable names were also obfuscated, so I was effectively following references rather than meaningful names.

So I started by searching for the method signatures of the ad SDKs, and while I didn’t find exactly what I was looking for, I hit the jackpot!

While combing through the code, I discovered something even better—a single state variable that the "X" app uses to check if the user has a valid subscription. If this variable indicated that the user was subscribed, the ads were not shown. This was a gold mine! With this discovery, I knew I was onto something big. Now it was time to see if I could manipulate this variable to bypass the subscription check.

If I could bypass the API call and hard-code the subscription check to true, I could potentially remove the ads.

That's exactly what I did and it worked! I was able to remove the ads from the app.
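To show why a client-held subscription flag is so easy to defeat, and what the server-side validation recommended later in this post looks like in practice, here is an added example in plain Java. It is not the app's code or its Smali, and every name in it (ClientSideGate, EntitlementServer, the user id, the secret and the timestamps) is made up for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not the app's code: a client-held boolean versus a
// server-issued, server-verified entitlement. All names are hypothetical.
public class SubscriptionGateDemo {

    // --- Weak pattern: the client is the authority -----------------------
    // One patched instruction (the store to this field, or the branch in
    // shouldShowAds) unlocks everything the flag gates.
    static class ClientSideGate {
        boolean isSubscribed;                 // set from a cached API response
        boolean shouldShowAds() { return !isSubscribed; }
    }

    // --- Hardened pattern: the server is the authority --------------------
    // The server signs "userId|expiresAt" with a key the client never sees.
    // The client can flip its local copy of the flag, but every request for
    // premium resources is re-checked server-side, so a forged flag buys nothing.
    static class EntitlementServer {
        private final byte[] key;             // server-only secret
        EntitlementServer(byte[] key) { this.key = key; }

        // Issued only after the purchase was verified with the store's own
        // API (e.g. Google Play Developer API); that step is out of scope here.
        String issue(String userId, long expiresAtEpochSec) {
            String payload = userId + "|" + expiresAtEpochSec;
            return payload + "." + mac(payload);
        }

        // Called on every premium request; rejects tampered or expired tokens.
        boolean verify(String token, long nowEpochSec) {
            int dot = token.lastIndexOf('.');
            if (dot < 0) return false;
            String payload = token.substring(0, dot);
            String tag = token.substring(dot + 1);
            byte[] expected = mac(payload).getBytes(StandardCharsets.US_ASCII);
            byte[] given = tag.getBytes(StandardCharsets.US_ASCII);
            if (!MessageDigest.isEqual(expected, given)) return false; // constant-time compare
            String[] parts = payload.split("\\|");
            if (parts.length != 2) return false;
            try {
                return Long.parseLong(parts[1]) > nowEpochSec;
            } catch (NumberFormatException e) {
                return false;
            }
        }

        private String mac(String payload) {
            try {
                Mac h = Mac.getInstance("HmacSHA256");
                h.init(new SecretKeySpec(key, "HmacSHA256"));
                return Base64.getUrlEncoder().withoutPadding()
                        .encodeToString(h.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        }
    }

    public static void main(String[] args) {
        // Weak: the gate is defeated by a single assignment, which is what a
        // patched APK effectively does.
        ClientSideGate gate = new ClientSideGate();
        gate.isSubscribed = true;
        System.out.println("client-side gate shows ads? " + gate.shouldShowAds());

        // Hardened: the same trick is rejected by the server.
        byte[] secret = "constructed-demo-secret-not-for-production".getBytes(StandardCharsets.UTF_8);
        EntitlementServer server = new EntitlementServer(secret);
        long now = 1_723_680_000L;              // constructed timestamp
        String genuine = server.issue("user-42", now + 3600);
        // A "subscribed" payload with a far-off expiry, glued to the genuine tag.
        String forged = "user-42|" + (now + 999_999) + "."
                + genuine.substring(genuine.lastIndexOf('.') + 1);

        System.out.println("genuine token accepted? " + server.verify(genuine, now));
        System.out.println("forged token accepted?  " + server.verify(forged, now));
        System.out.println("expired token accepted? " + server.verify(genuine, now + 7200));
    }
}
```

A modded client can of course still skip drawing ads on a device its owner controls; what the server-side check takes away is any value behind the flag that the server itself delivers, since every premium request is validated against a token the client cannot forge. `MessageDigest.isEqual` is used for the tag comparison so the check does not leak timing information.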

The Aftermath

I reached out to them and submitted a VDP report, detailing the vulnerability and how I was able to exploit it. Now, I’m awaiting their response, hopeful that they’ll take the necessary steps to secure their app.

My two cents

- Obfuscation is not a security measure. It's just a way to make it harder for someone to reverse engineer your app.

While obfuscation can slow down reverse engineers, it shouldn't be relied upon as the only line of defense. Proper encryption and server-side validation are essential to secure your app’s logic.

- Implement App Signature Verification to prevent tampering.

By verifying the app's signature at runtime, you can ensure that only unaltered, officially signed versions of your app can be installed and run, preventing unauthorized modifications like the one I demonstrated.

- No Code is Ever Truly Safe.

Even with the best security practices, no code is entirely immune to exploitation. Regular security audits and routine checks are crucial to identifying and patching vulnerabilities before they can be exploited.

If someone with my level of experience can do this in under 2 hours, consider what someone with more expertise might achieve. Ensuring your app's security isn't a one-time task—it's an ongoing process.
