This script tampers with an APK to inject the Facebook Stetho library so that app sandbox data can be inspected on a non-rooted device.
Inspired by m0bilesecurity's RMS tool, which injects the Stetho library dynamically, this script was created as a counterpart that performs static tampering. It tampers with the APK to inject the Facebook Stetho library and the Stetho initialization code, so that app sandbox data can be inspected via the Chrome browser even on a non-rooted device.
    static {
        try {
            // Obtain the running Application via reflection, since the host
            // class may not have a Context available at class-load time.
            Class<?> activityThreadCls = Class.forName("android.app.ActivityThread");
            Method method = activityThreadCls.getMethod("currentApplication");
            Application stethoApp = (Application) method.invoke(null);
            Context stethocontext = stethoApp.getApplicationContext();
            // Enable both the dumpapp plugins and the Chrome DevTools inspector.
            Stetho.initialize(
                Stetho.newInitializerBuilder(stethocontext)
                    .enableDumpapp(Stetho.defaultDumperPluginsProvider(stethocontext))
                    .enableWebKitInspector(Stetho.defaultInspectorModulesProvider(stethocontext))
                    .build());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
sh StethoInjector.sh <xyz.apk> <Class file where Stetho needs to be injected>
Example: sh StethoInjector.sh 123.apk MainActivity
Once the APK is successfully tampered to include Stetho
You can also modify the data inside databases or shared preferences. Stetho also provides the dumpapp tool, which lets you list the files in the app's sandbox, or dump a specific folder or file, or the entire sandbox data, on a non-rooted device.
./dumpapp -p <process name> files tree
./dumpapp -p <process name> files download files.zip files/<xxx>/<xyz.ext>
./dumpapp -p <process name> files download files.zip
For a demo, LastPass Authenticator and Duo Authenticator were used to inject the Stetho library and initialize it. Once the tampered app is executed on a device, you can inspect the applications via the Chrome browser.
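To check whether a build carries the result of this injection, the Python below (an added example, not part of StethoInjector) scans every classes*.dex in an APK for the strings that the static initializer shown earlier leaves in the DEX string pool. The marker labels, function names and in-memory sample APKs are constructed for illustration.

```python
import io
import zipfile

# Strings the static initializer above leaves in the DEX string pool.
# DEX stores strings as MUTF-8, so ASCII names appear as plain bytes.
MARKERS = {
    "stetho_class": b"Lcom/facebook/stetho/Stetho;",
    "webkit_inspector": b"enableWebKitInspector",
    "dumpapp": b"enableDumpapp",
    # Weak on its own: other code also reflects on ActivityThread.
    "activity_thread_reflection": b"android.app.ActivityThread",
}

def scan_apk(apk):
    """Return {dex name: [marker labels]} for each classes*.dex in the APK.
    `apk` is a file path or a seekable binary file object."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                data = zf.read(name)
                hits = [k for k, needle in MARKERS.items() if needle in data]
                if hits:
                    findings[name] = hits
    return findings

def stetho_initialized(findings):
    """True when the Stetho class and one of its enable* calls are both present."""
    seen = {label for hits in findings.values() for label in hits}
    return "stetho_class" in seen and bool(seen & {"webkit_inspector", "dumpapp"})

def constructed_apk(dex_bytes):
    """Constructed sample: a ZIP with one fake classes.dex (not a valid DEX)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_bytes)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    tampered = constructed_apk(b"dex\n035\x00" + b"\x00".join(MARKERS.values()))
    clean = constructed_apk(b"dex\n035\x00Lcom/example/MainActivity;\x00onCreate")
    for label, apk in (("tampered", tampered), ("clean", clean)):
        found = scan_apk(apk)
        print(label, stetho_initialized(found), found)
```

A hit in a debug build that ships Stetho on purpose is expected; in a release build it indicates the package was modified or a debug dependency leaked into it.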