Reversing MIUI's Weather app2018 Aug 04
I reversed MIUI's Weather app to know why it needed access to the filesystem and to make and manage phone calls. The first one is used to save screenshots and the second one seems to be used to control some audio ads that are only "shown" to Chinese users.
I own a Xiaomi Mi 5 phone which uses the MIUI ROM. Some days ago, I got an update to MIUI 126.96.36.199 and shortly after that I noticed that my weather widget was not showing me any information, instead, it just showed a link saying "Get weather info". I tapped on that link and the app asked me for these permissions:
- Allow Weather to make and manage phone calls?
- Allow Weather to access photos, media and files on your device?
Those permissions, which were not on a previous version, struck me as odd for an app to see my city's temperature so I denied them. Because of that, the app would not run. I asked myself, why are those permissions so important that I can't use the app without allowing them? I tried to find the answer on google and I found that I was not the only one with that question:
There are a ton more of posts asking this, but surprisingly all the answers I found were not helpful. They did not explain anything and basically said: "Just allow them and the app will work". That's not the answer I was looking for.
This was the perfect excuse to finally try something I was meaning to do for quite some time: Reversing Android apps. I started searching for information about how to do it and I stumbled upon a great post by @evilsocket: Android applications reversing 101. I highly recommend you check it out.
These are the tools I had to install to accomplish my task:
- Java JRE
- Android ADB which I installed using my package manager:
dnf install -y android-tools
With all the tools installed, I plugged my phone via USB and the first thing I had to do was getting the app's apk which I did whit these commands:
adb shell pm list packages | grep weatherto find the name of the package I wanted.
adb shell pm path com.miui.weather2to get the apk path.
adb pull /system/priv-app/Weather/Weather.apkto copy the apk to my computer.
After that, I tried to decompile the apk using apktool to check the AndroidManifest.xml:
apktool d Weather.apk and this gave me the following error:
Remember that this was my first time doing this so I had no clue why it was not working. Time to google again. I found on apktool's documentation that I needed to install some Framework Files: https://ibotpeaches.github.io/Apktool/documentation/#framework-files to get the job done.
I found these MIUI's framework files on my phone:
/system/framework/framework-ext/framework-ext-res.apk which I pull with
adb and I installed them on my computer by executing:
apktool if framework-res.apk -p miui_framework
apktool if framework-ext-res.apk -p miui_framework
With the framework installed, I run
apktool d Weather.apk -p miui_framework/ and I got the same error as before.
I googled a bit more and found that I needed another framework file which was at:
/system/app/miui/miui.apk. I installed it, run
apktool again to decompile the app and it worked this time (yay!):
I had a look at the
AndroidManifest.xml file to check the configured permissions and the app entry point.
The First part of the job was done. The next step was to read the app's Java code and for that, I used jadx. It couldn't have been easier, I opened the Weater.apk file with
jadx-gui and that was it, I was able to read the app's Java code. Time to finally answer my questions.
Why does the MIUI Weather app need access to the filesystem?
There's a feature in the app to share the current weather. To do that, the app takes a screenshot and sends it to whomever you want. That screenshot is saved on the phone's storage which is why this permission is required.
Why does the MIUI Weather app need to make and manage phone calls?
The app uses the listen method of the
TelephonyManager class to monitor the LISTEN_CALL_STATE event:
This is what is executed when that event is triggered:
Audio? Here's that function:
The name implies that the audio could not be running so I searched where the audio started being used and I found this:
As you can see, that function is only executed when the ROM build is not international and the user's locale is Chinese simplified. It has something to do with text to speech so I searched a bit more and found that the app has some kind of audio advertisements for Chinese users, for example:
After all of this, my conclusion is that the phone permissions are used to control these audio ads. I wanted to change my phone's region to China and see this feature working but that's not possible, I suppose because I've got an international build of the ROM.
As far as I have seen in the app's code, it doesn't do anything weird with those permissions. Although I think Xiaomi could do better by doing the following things:
- Explain why they need those permissions. Especially if they seem strange for the type of app the user is going to use. For instance, it's obvious that the camera app needs access, well, to the camera, but it's definitely not obvious why the Weather app wants permissions to make and manage phone calls.
- Do not ask for permissions until you need them. For instance, the external storage permission should have been asked when the user tried to use the share feature.
Last but not least, I really had a lot of fun doing my first reversing of an Android app :D. If you have any comment, suggestion or question you can reach me on Twitter (my DMs are open) @_camaya or you can send me an email to
<cam at camaya.co>.