Wednesday, April 25, 2012

The useless PIN code "security" in Google Play Store

Now if you are in the same situation as me and have equipped your kids with Android devices then Google Play Store (a.k.a. Market) provides some "User Controls" options. You can setup content filtering and protect the settings with a PIN code. You can also choose that the PIN code must be used to be able to purchase apps. Very useful because after all it is your credit card that is tied to Google Checkout because they are kids and kids do not have credit cards, at least not where I live.

To be able to change the settings you've setup you need to push "Unlock settings"...

... and enter the PIN code that only you know.

All good so far. This is secure, right? In December last year I started to wonder just what would happen if I cleared the data for Market (it wasn't renamed to Google Play back then) and I gave it a try. Well what happened is that on the next start of Market it started up fresh as expected but what I did not expect was that also the "User Controls" options, including the PIN code, was reset.

So I decided to try to report this bug to Google and found that someone allready had done so and I added my comments to the bug report and starred the issue.

Now 4 and a half month later with several new versions of Market and later renamed to Google Play Store the bug is still present. I just tried with Google Play Store 3.5.16 and all you need to do is push a button...

...and all the protection is gone.

And no, this does not require a rooted device.

If you, like me, think that this bug needs to be fixed then "star" this issue in order to bring Googles attention to it:

Tuesday, April 24, 2012

How to save three dollars and at the same time compromise the security of your phone/tablet

I just google on the name of one of my apps and stumbled upon a "cracked" version of External Keyboard Helper Pro version 2.4. I downloaded the copy examined the contents, and yes, it looks like it's my app so I checked the signature and notices that it signed by someone else.

So I start to wonder, why resign an app that isn't protected in the first place? So I compare it against my current version (2.5) and notice that the first of all classed.dex is dated last Sunday, long after the release of version 2.4 but before the release of 2.5. Also classed.dex in the "cracked" version is almost 30kb larger than classed.dex in the real 2.5 version. Believe when I say that there is more code in version 2.5 than in version 2.4 so something has been added.

Personally, if someone cannot afford $3 and copy the app from a friend, I really could not care less. But when someone takes my app, add 30kb (probably even more because the real 2.4 should be smaller than 2.5) of unknown code, and put it up for download, then I do care.

This is an INPUT METHOD people!! That means whatever code they put in there can record EVERYTHING you write on your keyboard.

Now, some of you say "He's just making that up to scare us from using pirated versions of his apps". Well, just download the demo version of 2.5 from (they allow you to download the .apk directly to your PC) here:

Open the apk with your favorite unzip application and do the same with the pirated version of 2.4 that is floating around (I'm NOT going to post a link).

First of all, notice in the pirated version how the date of classes.dex (this is the executable) has a more recent date the rest of the files. Then compare the file size with the demo version of the real app.

I'd bet that you'll find the same thing with most of the "cracked" apps on those sites.

If you still do not believe me, well... then you're on your own...

Sunday, April 15, 2012

Part 5 - How to get the most out of the Hama Internet TV Box - Enabling Wifi positioning

IMPORTANT! In this part we will install a modified framework-res.apk based on the framework-res.apk from the 120328 firmware. Do NOT try this with any other firmware. Also we are modifying important parts of the system here so this part is potentially more dangerous than previous parts.

Our box has no GPS afaik and no GSM so we cannot position ourselves with GPS-satellites or cell tower positioning but we have Wifi and Google keeps a large database with positions of different Wifi accesspoints. If you have an Android phone then there is a good chance that your Wifi access point is already in their database.

So in order to be able to use weather widgets, Google maps and more that requires some sort of positioning we can hack or little box into using Wifi positioning.

To do this we need to make changes to the framework and also add NetworkLocation.apk. Doing changes to the framework of an already compiled system requires some apktool experience and I won't cover that in this guide. However I've made the necessary changes for the Hama 120328 firmware and made it available for you to download.

  1. Download and extract this file to your SD-card and then put the SD-card into the box.
  2. Start Terminal Emulator and become root.
  3. Remount /system as read-write with "busybox mount -o rw,remount /system"
  4. Remount /system/app as read-write with "busybox mount -o rw,remount /system/app"
  5. Copy NetworkLocation.apk into /system/app with "cp /sdcard/NetworkLocation.apk /system/app/"
  6. Copy framework-res.apk into /system/framework with "cp /sdcard/framework-res.apk /system/framework/"
  7. Dismiss som force close dialogs that may appear when you replace framwork-res.apk and reboot the box with the command "reboot".
  8. Wait for it to start again and start Google Maps. It will recommend you to enter settings and enable wifi positioning which you should do, as this settings menu is not available in the 120328 firmware.
  9. It may take some time to kick in but if your wifi access point (make sure wifi is enabled on the box) has a know location in Googles database then it should be able get your position now.
After this I repeated the second half of part 4 and after two reboots more apps became available in Google Play Store. One example that I could not find before doings this was "Blue Skies Wallpaper" by "Kittehface Software" but after doing this I could both find and install this app. I'm not 100% sure if this was a delayed effect of the changes in part 4 or if enabling positioning enables more apps in Google Play Store.

For the curious:
  • NetworkLocation.apk comes from which is the Google Apps package for CyanogenMod 6.x.
  • The modifcations in framwork-res.apk was done with apktool and what I've done is that I've changed to variables that where set as "@null" in the config.xml to this:
        <!-- Component name of the service providing network location support. -->
        <string name="config_networkLocationProvider"></string>
        <!-- Component name of the service providing geocoder API support. -->
        <string name="config_geocodeProvider"></string>
Disclaimer: This operation will most likely void your warranty and is done completely at your own risk.

Friday, April 13, 2012

Part 4 - How to get the most out of the Hama Internet TV Box - Adding permissions

For Google Play Store to decide on which apps are compatible with your device it uses a bunch of xml files stored in /system/etc/permissions. These "permissions" tell the system if you have an auto focus capable camera, multi touch screen, light sensor etc...

What we will do is that we are going to pretend we have all these and Google Play will allow us to see and install a lot of apps that would otherwise not be available. Some will not be very useful because we lack the hardware they require (camera apps, sensor based games etc) but many will work fine.

The permissions we are going to install is files I've "borrowed" from an Android 2.2 ROM meant for an Android Phone that has most of the common Android hardware.

Install new permission files
  1. Start Play Store and search for "cut the rope". You'll find walkthroughs, clones, etc... but not the real game.
  2. Download and unzip it to a folder called permissions on your SD-card.
  3. Start Terminal Emulator and request root access. (remember the "su" command?)
  4. Remount /system to read-write, this time using the busybox version of the "mount" command: "busybox mount -o rw,remount /system"
  5. Copy the new permission files overwriting the ones already present: "cp /sdcard/permissions/* /system/etc/permissions/"
 Make Google Play use the new permissions
  1. Enter Settings -> Applications -> Manage applications
  2. Select the tab "All"
  3. Scroll until you find "Google Play Store" and "Google Services Framwork"
  4. For both of these do a "Force stop" followed by "Clear data"
  5. Restart the box.
  6. Once again start Play Store and search for "cut the rope". You should now be able see and install the real game from Zeptolab. If not, repeat 1-5 above.

In the next part we will enable wifi positioning which makes weather widgets and other location based apps a lot more useful.

Disclaimer: This operation will most likely void your warranty and is done completely at your own risk.

Part 3 - How to get the most out of the Hama Internet TV Box - Installing Busybox

As you remember from Part 2 we had to use "cat" instead of "cp" to copy files because the default Android installation lacks a lot of useful command line tools. Now it's time to change that so that future modifications will be a bit easier to perform.

For this I used this Busybox installer.

(Busybox is single binary file that contains many other common linux/unix commands and it's often used in embedded systems instead of using a separate binary for each command.)

But first we need to prepare the file system because there are no /system/xbin folder on the Hama Internet TV Box.

  1. Start Terminal Emulator and make yourself root. ("su" command).
  2. Run the "mount" command without any parameters and check which partition is mounted on /system (on my device it is /dev/block/mmcblk0p2 and likely it is the same for you)
  3. Remount /system as read-write with "mount -o rw,remount /dev/block/mmcblk0p2 /system"
  4. Create the /system/xbin folder with "mkdir /system/xbin".
  5. Install and run the Busybox installer from Google Play using the default settings (just push "install").

What will happen is that the busybox installer will install busybox into /system/xbin and create lots of symlinks for common linux/unix commands. (type "ls -l /system/xbin" to see what the installer added to your system)

We will use "cp" command and the busybox version of the "mount" command in the next part when we will make Google Play "see more" apps as compatible with our box.

Disclaimer: This operation will most likely void your warranty and is done completely at your own risk.

Part 2 - How to get the most out of the Hama Internet TV Box - Adding Google Play

So, now that we're rooted it's time for some more action. While the box comes with AndroidPIT and SlideME markets most of the apps still are only available on Google Play so if we could get Google Play up and running we would have access to a lot more apps.

  1. First we need a copy of Vending.apk. I pulled the current version from my rooted Android 2.3 phone using "adb pull /data/app/" but for those who do not want to do it the hard way you can download it here. Save it to your SD-card.
  2. Download Term.apk and save it to your SD-card.
  3. Insert the SD-card into your Box and install Term.apk.
  4. Start Terminal Emulator (that you just installed) and make yourself root by issuing the "su" command. A dialog will show the first time asking you to Allow or Deny the Terminal Emulator requesting super user access (root). Push "Allow".
  5. Now we need to remount /system/app to read-write so we check which partition is mounted as /system/app by using the "mount" command without any parameters.
  6. In my case (and most likely your case) /dev/block/mmcblk0p3 is what it will list as being mounted to /system/app.
  7. To remount /system/app as read-write (default is read-only) you use this command: "mount -o rw,remount /dev/block/mmcblk0p3 /system/app" (change mmcblk0p3 if your firmware is using something else).
  8. Now we can write to /system/app so we want to copy Vending.apk into it. But since we have no "cp" command we will have to use "cat". So we use this command: "cat /sdcard/Vending.apk > /system/app/Vending.apk". (the cat command prints the contents of a file but we redirect the output to a file)
  9. Voila! Fire up Google Play and login.

(Don't worry about remounting /system/app to read-only. Just restart the box and it will be mounted as read-only during boot up.)

You will notice that a lot of apps will not be available or listed as "incompatible". We're going to change some of that in the upcoming articles. However, first we should add busybox to get a lot of usable commands like the "cp" command (cp is the copy command in Linux/Unix). Part 3 will cover installing busybox.

Disclaimer: This operation will most likely void your warranty and is done completely at your own risk.

Thursday, April 12, 2012

Part 1 - How to get the most out of the Hama Internet TV Box - Rooting

I've got my hands on yet another Android toy some weeks ago and it's a Hama Internet TV Box which runs Android 2.2 and connects to your TV with HDMI. I won't go into details on what it can do because this article is supposed to help you root it. So let's get started.

It's Android 2.2 (Froyo) which means z4root should be able to do the work for us. However as it turns out it only works halfway. The reason for this is that all Android devices I've worked with so far have had a single partition for /system. With this little fellow this is not the case and /system/app is using a separate partition. When trying to root the device, z4root will remount /system to read-write in order to write superuser.apk to /system/app. This will fail as /system/app is a different partition and still mounted as read-only.

This means z4root actually installs the su binary with the right permissions and we just miss the Superuser app that controls who are allowed to use the su binary.

So basically, to root the device all you need to do is run z4root and then install superuser.apk manually. Or install superuser.apk first and then run z4root. The order does not matter.

You probably want to upgrade your firmware to the latest version before you do this because upgrading your firmware will cancel all this out.

I'm currently using this firmware on my box:

Step by step instructions

  1. Download superuser.apk that I've extracted from z4root.1.3.0.apk and save it to your SD-card.
  2. Download z4root.1.3.0.apk and save it to your SD-card.
  3. Put the SD-card into your Hama Internet TV Box
  4. Install superuser.apk and z4root.1.3.0.apk.
  5. Make sure "USB debugging" is enabled under Settings->Applications-Development
  6. Run z4root and select permanent root.
  7. Wait for z4root to do it's stuff and reboot
  8. Enjoy your rooted device.

In the next part I will show you how to install Google Play (formerly known as Market).

Disclaimer: This operation will most likely void your warranty and is done completely at your own risk.