Shortcomings of Android DRM wrapper

Nima Moradi · 2 min read

Android applications can easily be installed without going through a marketplace, so once the APK of a paid app is obtained it can be mass distributed. To address this, stores and application developers take measures to safeguard the app, but most of the available wrappers are not sufficient to protect the APK file. In the year I have spent designing and developing wrappers for DRM management and statistics reporting, these are some of the problems I have seen.

Let's see how some stores enforce DRM.

Amazon Appstore

Amazon Appstore is one of the oldest Android app stores, with about half a million applications serving Android phones, tablets, and Fire tablets. It protects pre-paid and free applications alike, yet its protection method is very simple to crack.

I purchased one app for testing; if the Appstore is not installed, the program shows a dialog asking me to install it.

First, we should extract the APK.

You can use adb to find its location:

adb shell pm path com.example.someapp

then pull the APK:

adb pull /data/app/com.example.someapp-2.apk path/to/desired/destination

or use one of the many free APK extractors that are available (they do something similar).

Secondly, decompile the APK using apktool (the `-o` option names the output directory; the APK file is the positional argument):

apktool d -f -v -o GAME_APK_EXTRACTED_DIST GAME_APK_FILE

The two common ways that wrappers work on Android are by changing the initial activity to perform the subscription check and similar logic, or by changing the parent class of the activity or application.

So let us look at the manifest.

Here is the application element:

<application android:name="androidx.multidex.MultiDexApplication">
    <activity android:name="com.company.not.aws">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
    </activity>
</application>

As you can see, Amazon has not changed the initial activity class, nor added or swapped in one of its own.

So let's see whether any activity's parent class has changed or code has been injected.

.class public Lcom/company/app/Activity;
.super Lcom/amazon/android/activity/AmazonActivity;

So here is where Amazon injected its code: the activity class was changed to inherit from Amazon's own activity.

Removing the dialog and the check leaves the app without protection, which at this point is easy to do.

You only need to rebuild the app with apktool.

Another Wrapper Mistake

This error comes from another company that I came across. Its wrapper is used by millions of users all around Europe.

<activity android:configChanges="keyboardHidden|orientation" 
    android:name="com.***.***.old_launcher" 
    android:screenOrientation="portrait" 
    android:exported="true"
/>

Here, after the original app launcher was replaced, the developer forgot to set exported to false, so the check can be bypassed: the old launcher activity can be started directly, even without re-wrapping (an exported activity can be called from other apps).
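As an added example (not code from the original post), here is the check a wrapper author can run over the decoded AndroidManifest.xml to catch exactly this mistake: it lists every activity that other apps can start, whether through an explicit android:exported="true" or implicitly through an intent-filter, and is not the launcher. The manifest, package and class names below are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"

# Constructed sample manifest (shape of apktool's decoded output): the wrapper's
# launcher is correctly exposed, but the original launcher was left exported.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:name="androidx.multidex.MultiDexApplication">
    <activity android:name="com.wrapper.LicenseCheckLauncher" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.old_launcher" android:exported="true"/>
    <activity android:name="com.example.SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def is_launcher(activity):
    """True if an intent-filter carries MAIN + LAUNCHER (the legitimate entry point)."""
    for flt in activity.findall("intent-filter"):
        actions = {attr(a, "name") for a in flt.findall("action")}
        categories = {attr(c, "name") for c in flt.findall("category")}
        if MAIN in actions and LAUNCHER in categories:
            return True
    return False

def export_reason(activity):
    """Why other apps can start this activity, or None if they cannot."""
    explicit = attr(activity, "exported")
    if explicit is not None:
        return 'explicit android:exported="true"' if explicit.lower() == "true" else None
    # No explicit value: an activity with any intent-filter is exported by default.
    if activity.find("intent-filter") is not None:
        return "implicitly exported via intent-filter"
    return None

def find_exposed_activities(manifest_xml):
    """(name, reason) for each exported non-launcher activity: an entry point that skips the wrapper check."""
    root = ET.fromstring(manifest_xml)
    return [(attr(act, "name"), export_reason(act))
            for act in root.find("application").findall("activity")
            if export_reason(act) and not is_launcher(act)]
```

Run it against the manifest decoded from the wrapped APK before shipping; the list should be empty unless an activity is deliberately meant to be reachable from other apps.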

Conclusion

Protecting the app is very important, and a wrapper is a good way to do that, but it has to be done correctly: the wrapper should protect the app from being cracked and should not be easy to bypass.

Contact me if you want a review of your app's security or a better solution.