,
23 tweets,
7 min read
Read on Twitter
Like yesterday, I will work on version 1.1.4 of the application 2/n
The first step is the same 3/n
Looking at AndroidManifest.xml, we can see that the "Launcher" activity is the activity called "SplashScreenActivity". We have our entry point. 4/n 
According to the official documentation, the 1st method called when an activity is launched is the "onCreate" method. Let's look at this 5/n
First observation: the finish() method is called at the end of the method. According to the documentation, the finish() is called "when your activity is done and should be closed".
So, if you go in the if or the else if conditions your app will close automatically 6/n
So, if you go in the if or the else if conditions your app will close automatically 6/n
This means that the "normal execution" of the app is when the code is going in the else if loop. Now, we want to understand when v4 = 0 and new b(((Context)this)).a() is equals to true 7/n
v4 is equals to 0 when f.a(((Context)this) or f.b(((Context)this) are false 8/n
As you can see these 2 methods are coming from the same f class. This class is clearly a homemade anti-tampering mechanism. By comparing the sha-256 signature of the app with a hardcoded sha-256, they want to prevent people from modifying and redistributing the app... 9/n
There is 2 ways to remove this anti-tampering mechanism. Updating the hardcoded sha-256 in the in . gov . uidai . mAadhaarPlus . h . a with the sha-256 of your signature or simply remove the check in the onCreate method 10/n
Time to understand, what is this "new b(((Context)this)).a()" 11/n
This method is coming from a package called "com.scottyab.rootbeer". The @uidai developers used the rootbeer library to detect if the device is rooted github.com/scottyab/rootb… 12/n
According to the doc, you just have to add these 4 lines to use the library. Look similar to something no? Yes, this is our "new b(((Context)this)).a()" 13/n
To bypass this check, we will remove this check in the smali code 14/n
Now we understood the whole thing, it's time to create our custom mAadhaar app! 15/n
Thanks to apktool, we can decompile the app to obtain the smali code ibotpeaches.github.io/Apktool/ 16/n
Open the file SplashScreenActivity.smali and remove the correct lines of code 17/n
When you open the app, you have the photo of a kid in the splash screen, let's replace that with the photo of my choice 😈 18/n
In the res/drawable folder, I replaced the photo splash_bg.jpg, I recompiled and resigned the app 19/n
And voila, we have our custom mAadhaar app!
I only change the background image in the splash screen because I'm a nice guy but imagine if I added malicious code inside?
A malicious actor can create a malware based on the mAadhaar app without any problems🤦♂️ 21/n
A malicious actor can create a malware based on the mAadhaar app without any problems🤦♂️ 21/n
It took me 5 minutes to bypass these limitations. @uidai if you want to secure your app and so the data of you fellow citizens, hire some real professionals 22/22
I should write a blog post on this 😄
