Free Loader
EasyMobile Security
Overview
The app refuses to run unless it's installed from an official source. Your goal is to trick it into thinking it was. Investigate how the app checks its installer and find a way to bypass this restriction to reveal the hidden message.
Lab Details
Prerequisites & Requirements
- Android Package Management:
  - Understanding how Android tracks where an application was installed from (e.g., Google Play Store vs. ADB/Manual Install).
  - Familiarity with the PackageManager API, specifically how getInstallerPackageName is used by developers for piracy checks.
- Android Security Mechanisms:
  - Knowledge of Sideloading detection and common anti-tampering techniques used to restrict app usage to specific distribution channels.
- Frida & JavaScript Interop:
  - Proficiency in writing Frida scripts to interact with system classes (android.app.ApplicationPackageManager).
  - Understanding how to instantiate Java objects (like java.lang.String) from within JavaScript using Java.use and $new.
What will you learn?
- Bypassing Sideloading Restrictions:
  - Analyzing logic that attempts to validate the installation source (checking for com.android.vending, which is the package name for the Google Play Store).
  - Learning how to trick the application into believing it was installed legitimately.
- Hooking System APIs:
  - Unlike hooking a local function, you will learn to hook Android Framework APIs (ApplicationPackageManager).
  - Understanding how to intercept calls made by the application to the Android OS.
- Return Value Spoofing:
  - Mastering the technique of Return Value Modification. Instead of letting the OS return null (indicating a sideloaded app), you will force the function to return the specific string "com.android.vending" to satisfy the condition and unlock the flag.
Tools
- JADX (Dex to Java Decompiler):
  - Used for Static Analysis. It allows you to examine the MainActivity source code to identify the specific if/else logic responsible for checking the installer package name. This reveals the target string (com.android.vending) required to pass the check.
- Frida:
  - Used for Dynamic Instrumentation.
  - It allows you to inject a script that targets the pm.getInstallerPackageName method.
  - It facilitates the creation of a "Mock" or "Spoof" where the script overwrites the original implementation of the system call to return a fake verification string at runtime.
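The installer check this lab targets, reconstructed as an added example (not the lab's own MainActivity code): the weak single-call form the page describes beside a more defensive variant. Class and method names are hypothetical, and the defensive form is still a client-side call that Frida can hook, which is the lesson the lab makes.

```java
// Added example, not the lab's source. Shows why a client-side installer check is
// only a signal: both forms below depend on values the framework returns at runtime.
import android.content.Context;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageManager;
import android.os.Build;

public final class InstallSourceCheck {
    private static final String PLAY_STORE = "com.android.vending";

    // Weak form: one framework call compared against one string. A Frida hook on
    // ApplicationPackageManager.getInstallerPackageName that returns PLAY_STORE
    // satisfies this gate regardless of how the APK actually arrived.
    public static boolean weakCheck(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE.equals(installer); // null (sideloaded) fails the check
    }

    // Defensive form: use the non-deprecated API on Android 11+, require both the
    // initiating and the installing package to be the store, and never crash on a
    // missing install record. Still hookable: treat the result as a risk signal to
    // log or report, and keep anything secret (the "hidden message") off the client.
    public static boolean defensiveCheck(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                InstallSourceInfo info = pm.getInstallSourceInfo(pkg);
                return PLAY_STORE.equals(info.getInitiatingPackageName())
                        && PLAY_STORE.equals(info.getInstallingPackageName());
            }
            @SuppressWarnings("deprecation")
            String installer = pm.getInstallerPackageName(pkg);
            return PLAY_STORE.equals(installer);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // no install record: treat as untrusted rather than throwing
        }
    }
}
```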
Job Positions
Mobile Security Engineer
Tags
Static Analysis, Dynamic Analysis, Decompiler, Process Injection, Hooking, API Calls, Function Probes, Code Flow, Strings