
I Hacked My Action Camera Application

by Dániel Hoffmann, April 5th, 2019

Background story

I recently bought an action camera to shoot some cool underwater stuff. You can connect to it through Wi-Fi and browse the content of the SD card or stream the current video to your phone. Pretty cool features; the application is not the best, but it worked well with my phone. I wanted to try it on my tablet, and that is where the trouble came. The app requires location to connect to the camera, but my tablet doesn’t have GPS, so it wasn’t able to do so.

Why is location so important for connecting, and why does it need GPS anyway? I bet it can work without it, let’s figure it out.

Hacking time

Currently I do not have any rooted Android devices around, so I decided to simply download it from APKPure. Now I have the APK, what to do with that? Let’s decompile it!

To keep it simple I used an online apk decompiler. It worked like a charm but now I have a bunch of obfuscated code to mess with.

I searched for the error message and I found the open_wifi_Permission string resource name and it led me to the following code snippet.

https://medium.com/media/e5b3e949f166e0f35e7a4be4defb2f48/href

As you can see, if the Android API version of the device is greater than or equal to 23 (Android 6.0), it will request permission to use the GPS. Just changing the number 23 to a greater one, like Integer.MAX_VALUE, would be enough for a while. The program would skip the location permission request, but as you can read in the official Android documentation, the WifiManager needs the Manifest.permission.ACCESS_FINE_LOCATION permission; otherwise it will return an empty list. Going deeper into the logic, there is the

if(GlobalApp.m5984d(this.f5603e)) {
   //Checking permissions logic code
}

statement, whose implementation looks like this.

https://medium.com/media/36d9ea6f7b1b96825480261ba5c1831b/href

It will always return false because, as I said, there is no GPS on my tablet. Just edit it to return a constant true and the work is done.

A few weeks earlier I read a really cool article about Android application reverse engineering where the author described how he decompiled and rebuilt an app, so I dug it up from my bookmarks:

How I hacked modern Vending Machines

I used the same steps to generate the signed apk again but the device couldn’t install the application.

After a few more failed attempts I decided to decompile the apk with apktool locally instead of the online decompiler. The output was the smali sources without the Java source files.

smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation

What if I edit these smali source files? Can I make the app run after rebuilding? Let’s give it a try! I rebuilt the APK, signed it, ran zipalign, and it worked! Now I have to find the “m5984d” Java method in the smali files. As the comment in the snippet says, the method was renamed from the “d” smali method. With this information I was able to find this code in the GlobalApp.smali file:

https://medium.com/media/3f36cd321fd45ef4ce2356019b91c52f/href

It doesn’t look very developer friendly. After some googling about how smali works, I came up with this solution: just return true, as in the Java file.

https://medium.com/media/f7cfbe76628ad5ffdd0fab3b5a0e1b45/href

I repeated the apktool rebuild, jarsign and zipalign commands and it finally produced a runnable application, ready to use on my tablet. From now on, my tablet can connect to the action camera without any issue.
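
An added example, not part of the original post: when reviewing a rebuilt APK, a check that was rewritten to return a constant, as described above, shows up in apktool output as a boolean method that only loads a literal and returns it. The Python below compares smali before and after and reports such methods; the smali samples, the `isDebug` method, the `d(Context)` signature and the original method body are constructed assumptions, since the post's snippets are not reproduced here.

```python
import re

# Matches e.g. "const/4 v0, 0x1" and captures the register and the literal.
CONST_RE = re.compile(r"^const(?:/4|/16)?\s+([vp]\d+),\s*(-?0x[0-9a-fA-F]+)$")

def constant_bool_methods(smali_text):
    """Return {signature: value} for boolean methods that only load a constant and return it."""
    found, sig, ins = {}, None, []
    for raw in smali_text.splitlines():
        line = raw.strip()
        if line.startswith(".method "):
            sig, ins = line.split()[-1], []
        elif line == ".end method" and sig is not None:
            c = CONST_RE.match(ins[0]) if len(ins) == 2 else None
            if sig.endswith(")Z") and c and ins[1] == f"return {c.group(1)}":
                found[sig] = int(c.group(2), 16) != 0
            sig = None
        elif sig is not None and line and not line.startswith((".", ":", "#")):
            ins.append(line)  # keep instructions; skip directives, labels, comments
    return found

def newly_stubbed(original, patched):
    """Boolean methods that are constant in the patched smali but were not in the original."""
    before = constant_bool_methods(original)
    return {s: v for s, v in constant_bool_methods(patched).items() if s not in before}

# Constructed samples: method names, signatures and bodies are assumptions for illustration.
UNCHANGED = """
.method public static isDebug()Z
    .locals 1
    const/4 v0, 0x0
    return v0
.end method"""
ORIGINAL = UNCHANGED + """
.method public static d(Landroid/content/Context;)Z
    .locals 2
    invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v0
    const-string v1, "android.hardware.location.gps"
    invoke-virtual {v0, v1}, Landroid/content/pm/PackageManager;->hasSystemFeature(Ljava/lang/String;)Z
    move-result v0
    return v0
.end method"""
PATCHED = UNCHANGED + """
.method public static d(Landroid/content/Context;)Z
    .locals 1
    const/4 v0, 0x1
    return v0
.end method"""
print(newly_stubbed(ORIGINAL, PATCHED))
```

Methods that were already constant in the original, such as the constructed `isDebug`, are not reported; only checks that became constant after the rebuild are.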