Last week, @Wander1236 and I teased "something incredible" we found in Android 12. We were being vague on purpose because it takes advantage of a flaw we found in an undocumented API. Now, we're ready to share details on this finding, as well as an app that takes advantage of it!
For some background, Android 8.0 Oreo introduced a command-line interface for Android's Overlay Manager Service (OMS). OMS is an API that lets specially-crafted APKs called "overlays" replace the resource values of any given app with their own. xda-developers.com/android-oreo-c…
Google intended for overlays to only be used by OEMs for modifying system and framework values on-the-fly. Indeed, Razer's theme engine used OMS, and Google's own Pixel Themes also used overlays to change the accent color, point to a different font, and tweak the icon shape.
However, XDA did what XDA does best and found a loophole. Since Android didn't check if an overlay was installed by the system or the user, you could install custom overlays that did a number of things, like theme apps or tweak the system UI layout. xda-developers.com/andromeda-subs…
Google closed this loophole in Android 9 by requiring that overlays be signed with the platform cert, and there's no way around that requirement. Fortunately, when they added an API in Android 12 that makes overlays on-the-fly, they didn't properly check the perms of the caller.
In other words: Rootless theming is back in Android 12, kind of. With this discovery, you can generate overlays that tweak the colors of apps. You can also make overlays that tweak various system UI and framework properties, of which there are a lot to mess with.
This works due to Android 12's Fabricate Overlay API. This API generates a Fabricated Runtime Resource Overlay (FRRO), an overlay generated at runtime rather than being precompiled. This means you can generate an overlay on the device and install it without rebooting the device.
FRROs don't support every resource type (arrays and strings, for example), but you can overlay ints, colors, dimens, and bools in any app, so there are still some fun things you can do. The CLI for this API, called via 'cmd overlay fabricate', requires the caller to be root.
However, Zachary discovered that the actual Fabricate Overlay API doesn't require root - the caller only needs to be as privileged as the shell user. This is easily met by using the Shizuku library. This article explains the library in more detail: xda-developers.com/implementing-s…
Using this knowledge, Zachary created an app that directly calls this API to fabricate overlays. And thanks to Shizuku, which can be activated on-device through wireless ADB, you can use Zachary's app to fabricate overlays on-device without root access!
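To make "ints, colors, dimens, and bools" concrete, here is an added example (mine, not code from the thread or from Zachary's app). It encodes a resource literal into the android.util.TypedValue (type id, data) pair that the fabricate path consumes, and assembles the matching `adb shell cmd overlay fabricate` argv. The argument layout it assumes (--target, --name, package:type/name, type id, value) is taken from the Android 12 help text for that subcommand; confirm it with `adb shell cmd overlay help` on your build. The CLI path itself still needs root, as noted above; this only shows what the values look like on the wire.

```python
"""Build `cmd overlay fabricate` invocations for Android 12 FRROs.

Added example, not from the thread or from the FabricateOverlay app. The
argument layout assumed here is:
  cmd overlay fabricate --target PKG --name NAME PKG:TYPE/NAME TYPE_ID VALUE
Check `adb shell cmd overlay help` on your build before relying on it.
"""
import re
from typing import List, Tuple

# android.util.TypedValue type ids (public API constants)
TYPE_DIMENSION = 0x05
TYPE_INT_DEC = 0x10
TYPE_INT_BOOLEAN = 0x12
TYPE_INT_COLOR_ARGB8 = 0x1C

# TypedValue complex-dimension layout: unit in bits 0-3, radix in bits 4-5,
# mantissa in bits 8-31. Radix 0 (23p0) means the mantissa is a plain integer.
COMPLEX_UNIT = {"px": 0, "dp": 1, "dip": 1, "sp": 2, "pt": 3, "in": 4, "mm": 5}
COMPLEX_RADIX_23p0 = 0
COMPLEX_MANTISSA_SHIFT = 8
COMPLEX_RADIX_SHIFT = 4


def encode_color(value: str) -> int:
    """'#RRGGBB' or '#AARRGGBB' -> ARGB8 int; RGB shorthand gets alpha 0xFF."""
    m = re.fullmatch(r"#([0-9a-fA-F]{6}|[0-9a-fA-F]{8})", value)
    if not m:
        raise ValueError(f"bad color literal: {value!r}")
    digits = m.group(1)
    if len(digits) == 6:
        digits = "FF" + digits
    return int(digits, 16)


def encode_dimension(value: str) -> int:
    """'16dp' -> TypedValue complex int with an integer (23p0) mantissa."""
    m = re.fullmatch(r"(\d+)(px|dp|dip|sp|pt|in|mm)", value)
    if not m:
        raise ValueError(f"bad dimension literal: {value!r}")
    mantissa, unit = int(m.group(1)), COMPLEX_UNIT[m.group(2)]
    if mantissa >= 1 << 23:
        raise ValueError("mantissa does not fit in a signed 24-bit field")
    return ((mantissa << COMPLEX_MANTISSA_SHIFT)
            | (COMPLEX_RADIX_23p0 << COMPLEX_RADIX_SHIFT)
            | unit)


def encode_value(res_type: str, value: str) -> Tuple[int, int]:
    """Map a resource type + literal to the (TypedValue type id, data) pair."""
    if res_type == "color":
        return TYPE_INT_COLOR_ARGB8, encode_color(value)
    if res_type == "dimen":
        return TYPE_DIMENSION, encode_dimension(value)
    if res_type == "bool":
        if value not in ("true", "false"):
            raise ValueError(f"bad bool literal: {value!r}")
        # Booleans are stored as 0 (false) / 0xFFFFFFFF (true), as aapt2 emits them
        return TYPE_INT_BOOLEAN, 0xFFFFFFFF if value == "true" else 0
    if res_type == "integer":
        return TYPE_INT_DEC, int(value, 0) & 0xFFFFFFFF
    # Strings, arrays and other non-scalar types cannot be fabricated at runtime
    raise ValueError(f"unsupported resource type for an FRRO: {res_type}")


def fabricate_argv(target_pkg: str, overlay_name: str,
                   resource: str, value: str) -> List[str]:
    """Return the argv for `adb shell cmd overlay fabricate ...` (layout assumed)."""
    m = re.fullmatch(r"([\w.]+):(\w+)/(\w+)", resource)
    if not m:
        raise ValueError("resource must look like package:type/name")
    pkg, res_type, _name = m.groups()
    if pkg != target_pkg:
        raise ValueError("resource package must match --target")
    type_id, data = encode_value(res_type, value)
    return ["adb", "shell", "cmd", "overlay", "fabricate",
            "--target", target_pkg, "--name", overlay_name,
            resource, f"0x{type_id:02x}", f"0x{data:08x}"]


if __name__ == "__main__":
    # Constructed sample: recolour the framework's 'white' colour resource
    print(" ".join(fabricate_argv("android", "DemoAccent",
                                  "android:color/white", "#ff00ff00")))
```

The encoders refuse strings and arrays up front rather than letting the device reject them later, and they mask integers to 32 bits because the resource table stores every scalar as a u32; the dimension encoder is the part most worth reading if you have only ever seen values like 0x1001 in dumped resource tables.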
You can download Zachary's app from GitHub: github.com/zacharee/Fabri…. The app is pretty barebones - we just wanted to get this out quickly after I tested it. You're free to overlay whatever resource you want with whatever value you want, but be careful before you do!
We relayed one cool potential use of this discovery to @kdrag0n. He may be able to turn his custom 'monet' impl into an app, as he can fab overlays that target the color values exposed by the system to apps. Monet is only available on Pixels, so this would be exciting if true!
Oh, and just so we're clear: This isn't a major security flaw or anything. You have to jump through a few hoops to grant Zachary's app the privilege it needs to call the API. Though thanks to wireless ADB and Shizuku, that's pretty easy for users to do.
Given the nature of this loophole and Google's history of closing down overlay access, this will be fixed in a future release. We don't know if it's already fixed in Google's internal master, and we don't know if Google will backport the fix in an ASB for Android 12.
But we suspect it'll stay open until Android 13 or 12.1 at the earliest. Since it takes a long time for OS updates to propagate, we'll probably be able to enjoy this loophole for a few good months if not longer.
I'm looking forward to seeing how the community takes advantage of this to tweak things.

android.googlesource.com/platform/frame…

android.googlesource.com/platform/frame…

Some of the values you can tweak are documented in AOSP, but not all. Zachary's app exposes all possible values you can overlay, but YMMV.
As an aside, what kickstarted the Andromeda/Substratum idea in Android 8.0 Oreo was me telling Nicholas Chum to look into the CLI and how Koush's Helium app elevated itself to shell privileges.

This new finding is thus pretty nostalgic for me!
Sorry, I don't know why the article link pointed to that, it should be this instead: xda-developers.com/android-12s-fa…
Kdrag0n works way faster than I thought lol:

Thread by Mishaal Rahman (@MishaalRahman), unrolled via ThreadReaderApp.