M 402: mAadhaar Code Modification (20 pts)

What You Need for This Project

Windows Users

You need to use this exact emulator for the project:

Pixel 4 XL
API 30 (Android 11)

Thanks to Yuri for discovering this.

Purpose

To modify the Indian government app mAadhaar so it runs on a rooted device.

This will give us practice using apktool and Jadx.

This tutorial follows a tweetstream by @fs0c131y.


Task 1: Getting the App

Download the APK

The app doesn't appear in Google Play in the USA, so download the APK from this link:

in.gov.uidai.mAadhaarPlus_2018-09-26.apk

Installing the App

Drag the APK file onto your running Android emulator.

Running the App

On your Android device, launch the mAadhaar app.

A message appears on your phone telling you that you cannot use this app, as shown below.


Task 2: Using Jadx to Read the Code

You can run Jadx on Windows, macOS, or Linux. Choose one and follow the matching instructions below.

Using 64-Bit Windows

Copy the in.gov.uidai.mAadhaarPlus_2018-09-26.apk file into your Windows machine.

Installing Java

First open Control Panel and uninstall all old Java versions.

Then open a Web browser and go here:

https://java.com/en/download/manual.jsp

Download the "Windows Offline (64-bit)" version and install it, as shown below.

Installing Jadx on Windows

Go here:

https://github.com/skylot/jadx

On the right side of that page, click the latest release.

Under Assets, download the latest version.

When I looked on Oct 22, 2025, it was jadx-gui-1.5.3-win.zip

Launch Jadx.

Using a Mac

In a Terminal, execute these commands:
brew install jadx
jadx-gui

Using Ubuntu Linux 24.04

In a Terminal, execute these commands to install Java:
sudo apt update
sudo apt install default-jre -y
Then follow these instructions to install jadx.

Examining the Android Manifest

In Jadx, open the in.gov.uidai.mAadhaarPlus_2018-09-26.apk file.

In the left pane, at the bottom expand Resources.

Click AndroidManifest.xml.

The contents appear on the right side, as shown below.

Notice that the LAUNCHER activity, which runs when the app launches, is

in.gov.uidai.mAadhaarPlus.ui.activity.SplashScreenActivity

as outlined in green in the image below.

According to the official Android documentation, the first lifecycle method called when an activity is launched is onCreate(), as shown at the top of the diagram below. That makes SplashScreenActivity.onCreate() the first place to look for checks that run before the user sees anything.

Reading the onCreate Method

In the left pane, in the top section, expand the package tree as shown below, then click SplashScreenActivity.

In the right pane, scroll down to the onCreate() method.

Notice the two code sections outlined in green in the image below.

The first section is integrity verification: it calls methods named f.a and f.b to detect whether the app has been modified.

The second section calls a method named b to detect rooted devices.

We want to disable both of these checks.

Finding the Integrity Verification Code

The routine to detect an altered app is "f.a". Scroll to the top of the SplashScreenActivity code, and you can see that this module imports

in.gov.uidai.mAadhaarPlus.ui.activity.b.f

as shown below.

In the left pane, scroll up and navigate to that module. Here you can find the a() method, as shown below.

This module compares a SHA-256 hash with a hard-coded value to see if the app has been modified.


Task 3: Modifying the App

Installing apktool

I got these instructions from here.

On Linux, execute these commands:

sudo rm -f /usr/bin/apktool*    # remove any older copy; -f makes this harmless if none is installed

wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.12.1.jar
mv apktool_2.12.1.jar apktool.jar
sudo mv apktool* /usr/local/bin
sudo chmod +x /usr/local/bin/apktool*

sudo reboot
Log in again. (The reboot only ensures /usr/local/bin is on your PATH; on most systems opening a new terminal is enough.)

Execute this command:

apktool --version
You should see version 2.12.1, as shown below.

Troubleshooting

If you see a "java not found" message, execute these commands on your Linux machine:
sudo apt update
sudo apt install default-jre -y

Unpacking the APK

Copy the in.gov.uidai.mAadhaarPlus_2018-09-26.apk file into Linux.

On Linux, execute this command:

apktool d -f -r in.gov.uidai.mAadhaarPlus_2018-09-26.apk
Here -f overwrites any existing output directory and -r skips decoding the resources; only the smali code is needed for this project, and leaving the resources untouched avoids resource rebuild errors later. The output goes into a directory named in.gov.uidai.mAadhaarPlus_2018-09-26.

Disabling Integrity Control

First we need to find the code to modify.

On Linux, execute this command:

grep SplashScreenActivity -r . | less -S
The main smali file path appears, highlighted in the image below.

Press Q to exit "less".

Execute this command to edit the file:

nano ./in.gov.uidai.mAadhaarPlus_2018-09-26/smali/in/gov/uidai/mAadhaarPlus/ui/activity/SplashScreenActivity.smali
Scroll down and find the code shown below.

This code calls the f->a and f->b methods, highlighted in yellow in the image below.

If the app has been modified, the code sets register p1 (the method's first parameter) to zero, as highlighted in light gray in the image below.

Change the 0x0 value to 0x1, outlined in green in the image below.

With this change the integrity check always reports the app as unmodified, so the rest of our edits go undetected.

Disabling Root Detection

Scroll down a few lines and find the code shown below.

This code calls a function from scottyab's RootBeer library to detect a rooted phone. If the phone is rooted, it kills the app.

To prevent that, add a # character at the start of each of the nine lines colored blue in the image below; smali treats everything after # as a comment, so those instructions are never assembled.

Save the file with Ctrl+x, y, Enter.

Now the app will run on a rooted phone.
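The two edits above, done from the shell instead of by hand in nano, as an added example that is not part of the original tutorial. It refuses to touch a line that does not contain the expected text, which matters because a different build of the APK would put the checks on different lines. The smali fragment written by write_sample_smali is a constructed stand-in that follows the tutorial's description (an f->a call whose failure stores 0x0 in p1, then a RootBeer check that calls finish()); it is not the app's real code, and the method descriptor on the f->a call is an assumption.

```shell
#!/bin/sh
# Added example (not from the original tutorial): patch the integrity
# result and comment out the RootBeer block in SplashScreenActivity.smali,
# checking each line before editing it. The sample smali below is a
# constructed stand-in, not the app's real code; the f->a descriptor is
# an assumption.

# find_line FILE TEXT: print the number of the first line containing TEXT.
find_line() {
    grep -nF -m1 -- "$2" "$1" | cut -d: -f1
}

# replace_on_line FILE N FROM TO: refuse to edit unless line N really
# contains FROM (a fixed string with no sed metacharacters or '|').
replace_on_line() {
    sed -n "${2}p" "$1" | grep -Fq -- "$3" || {
        echo "line $2 of $1 does not contain '$3'" >&2
        return 1
    }
    sed -i.bak "${2}s|$3|$4|" "$1"
}

# comment_out FILE START END: prefix lines START..END with '# ' (smali comment).
comment_out() {
    sed -i.bak "${2},${3}s/^/# /" "$1"
}

# patch_splash FILE: 1) make the "app modified" result 0x1 instead of 0x0;
# 2) comment out the RootBeer block from its construction through finish().
# Fails (non-zero) if either pattern is missing, e.g. on an already patched file.
patch_splash() {
    f="$1"
    n=$(find_line "$f" 'const/4 p1, 0x0')
    [ -n "$n" ] || { echo "integrity result not found" >&2; return 1; }
    replace_on_line "$f" "$n" 'const/4 p1, 0x0' 'const/4 p1, 0x1' || return 1

    start=$(find_line "$f" 'Lcom/scottyab/rootbeer/RootBeer;')
    [ -n "$start" ] || { echo "RootBeer call not found" >&2; return 1; }
    end=$(awk -v s="$start" 'NR >= s && index($0, "->finish()V") { print NR; exit }' "$f")
    [ -n "$end" ] || { echo "finish() call after RootBeer not found" >&2; return 1; }
    comment_out "$f" "$start" "$end"
}

# write_sample_smali FILE: constructed fragment for a dry run.
write_sample_smali() {
    cat > "$1" <<'EOF'
.method private checkState(Z)V
    .locals 1

    invoke-static {p0}, Lin/gov/uidai/mAadhaarPlus/ui/activity/b/f;->a(Landroid/content/Context;)Z
    move-result v0
    if-nez v0, :integrity_ok

    const/4 p1, 0x0

    :integrity_ok
    new-instance v0, Lcom/scottyab/rootbeer/RootBeer;
    invoke-direct {v0, p0}, Lcom/scottyab/rootbeer/RootBeer;-><init>(Landroid/content/Context;)V
    invoke-virtual {v0}, Lcom/scottyab/rootbeer/RootBeer;->isRooted()Z
    move-result v0
    if-eqz v0, :not_rooted

    invoke-virtual {p0}, Lin/gov/uidai/mAadhaarPlus/ui/activity/SplashScreenActivity;->finish()V

    :not_rooted
    return-void
.end method
EOF
}

# Dry run: "sh patch.sh --demo" patches the sample and shows the diff.
# On the real tree, call patch_splash on
# in.gov.uidai.mAadhaarPlus_2018-09-26/smali/in/gov/uidai/mAadhaarPlus/ui/activity/SplashScreenActivity.smali
if [ "${1:-}" = "--demo" ]; then
    write_sample_smali /tmp/sample.smali
    cp /tmp/sample.smali /tmp/sample.orig
    patch_splash /tmp/sample.smali && diff /tmp/sample.orig /tmp/sample.smali
fi
```

find_line returns the first match only. The real SplashScreenActivity.smali may contain more than one `const/4 p1, 0x0`, so compare the line number it returns with the location you found in nano before trusting the result; the check in replace_on_line guards against line drift, not against picking the wrong occurrence.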

Rebuilding the App

On Linux, execute this command:
apktool b in.gov.uidai.mAadhaarPlus_2018-09-26
The file builds without errors, as shown below.

Making a Code Signing Certificate

Android refuses to install unsigned APKs, and the APK that apktool rebuilds is unsigned (the original developer's signature does not survive the rebuild), so we need our own signing key.

Execute this command:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
A prompt asks for a "keystore password". This tutorial uses the word password; enter it twice.

Then a series of questions asks for your name, etc. You can press Enter for each question except the last one, which you must answer yes to, as shown below. (-validity 10000 makes the self-signed certificate good for about 27 years; Android accepts self-signed certificates and does not check the subject fields.)

Signing the APK

On Linux, execute this command:
jarsigner -sigalg SHA1withRSA \
-digestalg SHA1 -keystore my-release-key.keystore \
in.gov.uidai.mAadhaarPlus_2018-09-26/dist/in.gov.uidai.mAadhaarPlus_2018-09-26.apk alias_name
Enter the password password when you are prompted to.

The app is signed, as shown below.

This produces a v1 (JAR) signature, which Android 11 still accepts for an APK that targets an SDK version below 30, as this 2018 build does. One caveat: JDK 17 and later treat SHA-1 as a disabled JAR-signing algorithm, so jarsigner prints a warning and a later jarsigner -verify may report the APK as unsigned. If that happens, use -sigalg SHA256withRSA -digestalg SHA-256 instead; Android accepts that just as well. Whichever algorithm you use, check the result before installing:

jarsigner -verify -verbose -certs in.gov.uidai.mAadhaarPlus_2018-09-26/dist/in.gov.uidai.mAadhaarPlus_2018-09-26.apk

The output should include the line "jar verified."

Troubleshooting

If you see a "jarsigner: command not found" message, execute these commands on your Linux machine:
sudo apt update
sudo apt install default-jdk -y
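The key generation, signing and verification steps above, scripted without interactive prompts, as an added example that is not part of the original tutorial. It assumes a JDK with keytool, jarsigner and jar on the PATH; the alias, password and certificate subject are illustrative. It signs with SHA-256 rather than the SHA-1 used above, since recent JDKs disable SHA-1 for JAR signing, and make_dummy_apk builds a tiny constructed zip so the flow can be exercised without the real APK.

```shell
#!/bin/sh
# Added example (not from the original tutorial): non-interactive keystore
# creation, APK signing and verification. Assumes keytool, jarsigner and
# jar (a JDK) on PATH; alias, password and DN are illustrative.

# make_keystore KEYSTORE ALIAS PASSWORD: 2048-bit RSA self-signed key,
# valid 10000 days, same password for store and key.
make_keystore() {
    keytool -genkeypair -keystore "$1" -alias "$2" \
        -keyalg RSA -keysize 2048 -validity 10000 \
        -storepass "$3" -keypass "$3" \
        -dname "CN=M402 lab signer, O=example, C=US" >/dev/null 2>&1
}

# sign_apk KEYSTORE ALIAS PASSWORD APK: v1 (JAR) signature, written in place.
# SHA-256 instead of SHA-1: JDK 17+ treats SHA-1 as disabled for JAR signing.
sign_apk() {
    jarsigner -sigalg SHA256withRSA -digestalg SHA-256 \
        -keystore "$1" -storepass "$3" "$4" "$2" >/dev/null 2>&1
}

# apk_is_signed APK: succeeds only when jarsigner can verify the signature.
# An unsigned or SHA-1-disabled APK prints "jar is unsigned." instead.
apk_is_signed() {
    jarsigner -verify "$1" 2>/dev/null | grep -q 'jar verified'
}

# signature_entries APK: the META-INF signature files that signing added.
signature_entries() {
    jar tf "$1" | grep -E '^META-INF/.*\.(SF|RSA|DSA|EC)$'
}

# make_dummy_apk APK: an APK is a zip, so build a tiny one for a dry run
# (constructed placeholder content, not the real app).
make_dummy_apk() {
    d=$(mktemp -d)
    printf 'placeholder classes.dex\n' > "$d/classes.dex"
    jar cf "$1" -C "$d" classes.dex
    rm -rf "$d"
}

# Dry run: "sh sign.sh --demo". For the real file, call sign_apk with the
# APK under in.gov.uidai.mAadhaarPlus_2018-09-26/dist/ instead.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_dummy_apk "$work/app.apk"
    make_keystore "$work/lab.keystore" lab_key password
    sign_apk "$work/lab.keystore" lab_key password "$work/app.apk"
    apk_is_signed "$work/app.apk" && signature_entries "$work/app.apk"
    rm -rf "$work"
fi
```

After signing, signature_entries should list a .SF and a .RSA file under META-INF named after the alias, and apk_is_signed should succeed. Android's own apksigner (in the SDK build-tools) is the current tool for this job and also produces v2/v3 signatures; jarsigner is enough here only because the APK targets an SDK version below 30.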

Uninstalling the Old App

On your Android device, open Settings and tap these items.

Installing the Modified App

The modified app is in this directory on your Linux system:
in.gov.uidai.mAadhaarPlus_2018-09-26/dist
Drag the modified app onto your Android device.

Troubleshooting

If you are using a headless Linux machine, you can't drag the app, because your Linux machine has no graphical desktop.

Instead, execute these commands on your Linux machine:

sudo apt update
sudo apt install apache2 -y
sudo cp in.gov.uidai.mAadhaarPlus_2018-09-26/dist/*.apk /var/www/html/maad.apk
ip a
Find the IP address of your Linux system on the local network (a private address, usually starting with 192.168). On your Android device, or the host system you are running Android Studio on, open a Web browser and go to this URL, replacing the IP address with the correct IP address of your Linux system:
http://192.168.3.110/maad.apk
Download and install the app. (If the Android SDK's adb tool is on the host, adb install -r in.gov.uidai.mAadhaarPlus_2018-09-26/dist/in.gov.uidai.mAadhaarPlus_2018-09-26.apk installs it directly into the emulator and no web server is needed.)

M 402: Launching the App (20 pts)

On your Android device, launch the mAadhaar app.

You get past the root detection, and see a splash screen, as shown below.

Find the text covered by a green box in the image above. That's the flag.

Alternate Process

If the splash screen vanishes quickly, do these steps:

  • Allow the app to make phone calls
  • On the "mAadhaar Consent" page, scroll to the bottom.
  • The flag is covered by a green rectangle in the image below.


Converted to a CTF 2-28-19
Kali warning and Mac installation instructions added 2-5-2020
Updated in minor ways 3-24-2021
Flag changed 10-28-22
Linux install instructions added 9-16-25
Installing apktool, openjdk, openjre, and apache2 instructions added 10-22-25
Windows warning added 10-22-25
Jadx download link updated 10-22-25