There are many apps out there that are simply wrappers around web pages, or web content stored in the app. This has a few advantages, the main one being that, effectively, only one app needs to be written for iOS, Android and whatever other mobile OS that the developer wishes to target. However, this opens up an attack vector into the app, which I will share with you here.

I discovered this technique during my time in the ad tech industry to diagnose issues with broken ads. The ads in apps are shown in small components called WebViews, which are effectively mini, single-tabbed web browsers that the app controls. In Android, these WebViews have a debugging feature that allows you to use the ADB remote debugging extension for Chrome to debug the contents of the WebView. Very often we would have a demo app from the publishers for testing our ads which had this feature enabled, but for apps we got off the app store, this is normally turned off. So this hack is to enable that feature on an Android app from the app store (Apple people, I'll talk about you later).
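If you ship an app and want to know whether a release build left this feature on, you can check the decompiled code for the call that controls it, `WebView.setWebContentsDebuggingEnabled(boolean)`. The following is an added example, not part of the original post: it scans smali text for that call and reports whether the argument is a constant true, sits behind a branch, or is off. The sample smali, the class name `Lcom/example/Main;` and the verdict labels are constructed, and the branch detection is a simple heuristic.

```python
import re

# Smali form of android.webkit.WebView.setWebContentsDebuggingEnabled(boolean)
CALL = re.compile(r"invoke-static(?:/range)?\s*\{\s*([vp]\d+)[^}]*\},\s*"
                  r"Landroid/webkit/WebView;->setWebContentsDebuggingEnabled\(Z\)V")
CONST = re.compile(r"const(?:/4|/16)?\s+([vp]\d+),\s*(-?0x[0-9a-fA-F]+)")
WRITE = re.compile(r"\S+\s+([vp]\d+)\b")  # first operand; treated as overwritten

def audit_smali(text):
    """Return [(line_no, verdict)] for every WebView debugging call in one smali file."""
    findings, regs, branched = [], {}, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(".method"):
            regs, branched = {}, False        # registers are per-method
        elif line.startswith(("if-", ":")):
            branched = True                   # call may sit behind a runtime check
        elif (m := CONST.match(line)):
            regs[m.group(1)] = int(m.group(2), 16)
        elif (m := CALL.search(line)):
            val = regs.get(m.group(1))
            if val is None:
                verdict = "unknown"           # argument is not a tracked constant
            else:
                verdict = "off" if val == 0 else ("conditional" if branched else "always-on")
            findings.append((no, verdict))
        elif (m := WRITE.match(line)):
            regs.pop(m.group(1), None)        # conservative invalidation
    return findings

# Constructed sample: one unconditional call, one guarded by FLAG_DEBUGGABLE (0x2)
SAMPLE = """\
.method protected onCreate(Landroid/os/Bundle;)V
    const/4 v0, 0x1
    invoke-static {v0}, Landroid/webkit/WebView;->setWebContentsDebuggingEnabled(Z)V
    return-void
.end method
.method private guarded()V
    invoke-virtual {p0}, Lcom/example/Main;->getApplicationInfo()Landroid/content/pm/ApplicationInfo;
    move-result-object v0
    iget v0, v0, Landroid/content/pm/ApplicationInfo;->flags:I
    and-int/lit8 v0, v0, 0x2
    if-eqz v0, :cond_0
    const/4 v0, 0x1
    invoke-static {v0}, Landroid/webkit/WebView;->setWebContentsDebuggingEnabled(Z)V
    :cond_0
    return-void
.end method
"""
```

An `always-on` verdict in a store build means anyone with the device on ADB can inspect the WebView without modifying the app; `conditional` still deserves a manual look at what the branch tests.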

The basic idea is this: remove the app that has the WebView from your Android device, then decompile it and turn the WebView debugging on. Simple, right? The majority of the instructions for the decompilation and compilation were taken from this blog post. The magic I added was in turning the debugging on, as the code you get out of the process is not Java but another language called smali. The process is as follows. It assumes you are on Linux or OS X, but I suspect the process is pretty similar if you are on Windows.