Blog Infos
Author
Published
Topics
, ,
Published

This blog is for EDUCATIONAL PURPOSES only as it exposes common vulnerabilities in Android applications. DO NOT try this on real applications.

TL;DR

Do not download APKs from random websites, as they might have injected bytecode and potentially steal the data from device.

Paid Features with Billing
Problem
Static Code Analysis

I am text block. Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

 

Premium feature as a flag in SharedPreferences

 

Smali

What is Smali Code Android

Here is the snippet of the beginning of the onCreate method from MainActivity in Smali:

 

 

Job Offers

Job Offers


    Kotlin Multiplatform Mobile Developer

    Touchlab
    Remote
    • Full Time
    apply now

    Senior Android Software Engineer (f/m/d)

    Paradox Cat GmbH
    Munich
    • Full Time
    apply now

    Android Software Engineer (f/m/d)

    Paradox Cat GmbH
    Munich
    • Full Time
    apply now
Load more listings

OUR VIDEO RECOMMENDATION

, ,

From Scoped Storage to Photo Picker: Everything to know about Storage

Persistence is a core element of every mobile app. Android provides different APIs to access or expose files with different tradeoffs.
Watch Video

From Scoped Storage to Photo Picker: Everything to know about Storage

Yacine Rezgui
Android developer advocate
Google

From Scoped Storage to Photo Picker: Everything to know about Storage

Yacine Rezgui
Android developer ad ...
Google

From Scoped Storage to Photo Picker: Everything to know about Storage

Yacine Rezgui
Android developer advocat ...
Google

Jobs

Code Injection
invoke-static {p0}, Landroidx/preference/e;->a(Landroid/content/Context;)Landroid/content/SharedPreferences;
move-result-object v0
const-string v1, "preferencePremium"
const/4 v2, 0x1
invoke-interface {v0}, Landroid/content/SharedPreferences;->edit()Landroid/content/SharedPreferences$Editor;
move-result-object v0
invoke-interface {v0, v1, v2}, Landroid/content/SharedPreferences$Editor;->putBoolean(Ljava/lang/String;Z)Landroid/content/SharedPreferences$Editor;
invoke-interface {v0}, Landroid/content/SharedPreferences$Editor;->apply()V
view raw gistfile1.smali hosted with ❤ by GitHub

This code snippet is the same as

SharedPreferences.Editor editor = sharedPref.edit();
edit.putBoolean("preferencePremium", true);
edit.apply();
How To Prevent?

YOU MAY BE INTERESTED IN

YOU MAY BE INTERESTED IN

blog
Let’s suppose that for some reason we are interested in doing some tests with…
READ MORE
blog
All I know is that losing items, when it happens, turns me into a…
READ MORE

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu