Android Log Injection

About Log Injection

Logging in Android is a way to record messages and events that occur during the execution of an application, which can help developers debug and monitor their apps. Developers typically use the Logcat tool to view these logs, which can include information about app performance, errors, and system events.

Log injection process in Android occurs when untrusted user input is written to log files, allowing attackers to create false log entries or inject malicious content. This can lead to confusion in log data, making it difficult for developers to identify genuine issues or security breaches. Despite of this official definition, this is a good method to debug or test your apps also.

Usually you hunt MainActivity.java to get the root of starting app, but not every time is the same name or location path. To be sure you got the correct class file you should check it before in AndroidManifest.xml file. Here you search after the next portion of code:

<intent-filter>
<action android:name=”android.intent.action.MAIN” />

<category android:name=”android.intent.category.LAUNCHER” />
</intent-filter>

This piece of code is inside of another <activity> xml tag. That one indicates the main activity you target.

The following tutorial is made in Linux, but is easy adaptable to Windows and macOS.

Warning: Doing this tutorial, it requires basic knowledge about Linux, terminal commands & Android ADB tool.

Start documentation references:

Target app: https://play.google.com/store/apps/details?id=com.ideashower.readitlater.pro
Downloader tool: https://apkcombo.com/downloader
Download the target APK from Google’s PlayStore: https://apkcombo.com/downloader/#package=com.ideashower.readitlater.pro
The main tool for compiling & decompiling the APKs: https://apktool.org/docs/install

Required tools:
– Android emulator
– ADB
– apktool

OBS: If you install Android Studio you will get the first two, for apktool use the link from the above.

Basic comands we need:
# apktool d app.apk
# apktool b app.apk

# adb shell log -t my_tag “About to …”
# jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name

Start process – open a Linux terminal
# Decompile
$ apktool d Pocket_+Save.+Read.+Grow._8.33.0.0_apkcombo.com.apk
# open an emulator
$ emulator -list-avds
$ emulator -avd Nexus_5X_API_23

# Create debug key for signing
$ keytool -genkey -v -keystore debug.keystore -alias android -keyalg RSA -keysize 2048 -validity 20000
# android – as alias
# passphrase: android

#BUG in apktool https://github.com/iBotPeaches/Apktool/issues/1626
# INSTALL_FAILED_INVALID_APK: Failed to extract native libraries https://github.com/scala-android/sbt-android/issues/252

# Fixing the bug; I used vi tool from linux, but you can use any text editor

$ vi AndroidManifest.xml
# change android:extractNativeLibs=”false” to “true”

$ vi Pocket_+Save.+Read.+Grow._8.33.0.0_apkcombo.com/smali_classes2/com/pocket/app/MainActivity.smali
# insert next 3 lines in main constructor -> .method static constructor <clinit>()V
const-string v0, “NTLogger”
const-string v1, “Hello Nostalgitech.com”
invoke-static {v0, v1}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

# Build the apk back
$ apktool b Pocket_+Save.+Read.+Grow._8.33.0.0_apkcombo.com

# The output can be found in dist folder in the decompiled folder structure of the APK

# Sign the apk for testing
$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore debug.keystore Pocket_+Save.+Read.+Grow._8.33.0.0_apkcombo.com/dist/Pocket_+Save.+Read.+Grow._8.33.0.0_apkcombo.com.apk android

# Testing
$ adb install Pocket_+Save.+Read.+Grow._8.33.0.0_apkcombo.com/dist/Pocket_+Save.+Read.+Grow._8.33.0.0_apkcombo.com.apk
# skip SplashScreen on emulator, now you can run multiple times the app
$ adb logcat | grep NTLogger