[Discuss] modifying Android packages
Tom Metro
tmetro+blu at gmail.com
Sat Apr 13 16:30:17 EDT 2013
An article illustrating how the SwiftKey APK (package) could be hacked
to include a key logger:
http://www.android-app-development.ie/blog/2013/03/06/inserting-keylogger-code-in-android-swiftkey-using-apktool/

Android apps are coded in Java and compiled to byte code that is run
on the Dalvik VM and this byte code is not that hard to edit and
insert back into an APK.

...anyone who sideloads a dodgy copy of an Android keyboard is taking a
serious risk of a keylogger being inserted and people tracking all
their passwords, Google searches and Credit Card numbers. In this
post, I'll show you how to do exactly that with apktool and Swiftkey
from start to finish, all you need is a basic knowledge of Java and
Android.

It doesn't seem all that surprising that this can be done. It's akin to
modifying a Debian package and when you install it, acknowledging that
the package is either unsigned or signed by an unknown key. Shouldn't be
surprising at all that if you get an APK from some untrusted source,
that it is technically possible for it to be a modified version.

-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
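
The "unsigned or signed by an unknown key" distinction from the message above can be checked before sideloading. The following is an added example, not part of the original post or the linked article: it reads the JAR-style (v1) signature block under META-INF, extracts the first signer certificate and compares its SHA-256 to a fingerprint you obtained from a trusted copy of the app. The function names and result labels are illustrative, and the parser assumes definite-length DER.

```python
import hashlib, re, sys, zipfile

# v1 (JAR) signature blocks live at META-INF/<name>.RSA|.DSA|.EC
SIG_BLOCK = re.compile(r"META-INF/[^/]+\.(RSA|DSA|EC)", re.I)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite-length BER is not handled")
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def first_cert_der(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob."""
    _, p, _ = _tlv(pkcs7, 0)               # ContentInfo SEQUENCE
    _, _, p = _tlv(pkcs7, p)               # contentType OID, skipped
    _, p, _ = _tlv(pkcs7, p)               # [0] EXPLICIT wrapper
    _, p, end = _tlv(pkcs7, p)             # SignedData SEQUENCE
    while p < end:                         # version, digestAlgorithms, contentInfo, ...
        tag, start, stop = _tlv(pkcs7, p)
        if tag == 0xA0:                    # [0] IMPLICIT certificates
            _, _, cert_end = _tlv(pkcs7, start)
            return pkcs7[start:cert_end]
        p = stop
    raise ValueError("signature block carries no certificate")

def signer_fingerprint(apk):
    """SHA-256 hex of the first signer certificate, or None without a v1 block."""
    with zipfile.ZipFile(apk) as z:
        blocks = sorted(n for n in z.namelist() if SIG_BLOCK.fullmatch(n))
        if not blocks:
            return None
        return hashlib.sha256(first_cert_der(z.read(blocks[0]))).hexdigest()

def classify(apk, pinned_sha256):
    """Compare the APK's signer with a fingerprint taken from a trusted copy."""
    fp = signer_fingerprint(apk)
    if fp is None:
        return "no-v1-signature"
    pinned = pinned_sha256.lower().replace(":", "")
    return "expected-signer" if fp == pinned else "unknown-signer"

if __name__ == "__main__":                 # usage: script.py app.apk <sha256-of-cert>
    print(classify(sys.argv[1], sys.argv[2]))
```

This only identifies which certificate the package claims; it does not validate the signature over the contents, so pair it with a real verifier such as `jarsigner -verify` or `apksigner verify`.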