Several Android SDKs require the developer to register a key before the SDK can be used. The key is typically unique to each user and is used to authenticate that user, so the vendor can track or limit who uses the SDK, or charge for it.
The authentication step can live in:
- the SDK
- the server
- somewhere else
When the user is authenticated in the SDK, the SDK keeps a state flag indicating whether the user is valid, checks that flag before running any of its functions, and returns an error if it is not set.
To initialize the state, the SDK runs some logic to check the key. Usually it verifies the key against a server by sending an authentication request; the state is marked valid if the response indicates success.
There are mainly three ways to bypass authentication that is implemented in the SDK.
If the SDK's functions are themselves network requests, we can capture those requests and replay them directly, without going through the SDK at all.
If the authentication request is not secured (for example, plain HTTP or TLS without proper certificate validation), we can use a MITM attack to rewrite the response into a successful one, so any random key is accepted.
If the authentication logic is in the SDK, there is code like:
public boolean getState() {
    return state;
}
We can decompile the APK, modify this method so it always returns true, then recompile and repackage it (and re-sign it, since the original signature no longer matches).
If the authentication step is on the server, it is hard to bypass unless the key can be guessed. However, this only works when the SDK's functions are network related: either the key must be sent with each request, or the server must maintain a per-user state that every request is checked against.
Authentication can be bypassed because the computer performing it is untrusted. Code in the SDK runs on the user's device and can be modified by a malicious developer. So the authentication logic must be placed in a trusted zone, such as a server.
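The following is an added example, not code from the page or from any real SDK: a small Python model of both placements of the check. The client-side SDK, the patched SDK, the backends, the key registry and the key "key-alice-0001" are all constructed for illustration. It runs the three bypasses from above (patched getState, MITM-rewritten auth response, replayed feature request) against an SDK that keeps the state locally, then runs the same attacks against a server that validates the key and keeps per-user session state itself.

```python
"""
Model of SDK key authentication with the check on the untrusted client
versus on the server.  All keys, users and backends are constructed sample data.
"""
import secrets

# Constructed sample data: the server's key registry (never shipped in the APK).
VALID_KEYS = {"key-alice-0001": "alice"}


# ----- Pattern 1: state kept in the SDK (runs on the untrusted device) -----
class ClientSideSdk:
    """The SDK sets a boolean from the auth response and gates its features on it."""

    def __init__(self, send_request):
        self.send_request = send_request   # network stub: dict -> dict
        self.state = False

    def authenticate(self, key):
        resp = self.send_request({"op": "auth", "key": key})
        self.state = resp.get("status") == "ok"
        return self.state

    def get_state(self):
        return self.state

    def feature(self):
        if not self.get_state():
            raise PermissionError("SDK not authenticated")
        # The feature request carries no key; only the local flag guards it.
        return self.send_request({"op": "feature"})["data"]


class PatchedSdk(ClientSideSdk):
    """What the repackaged APK does once getState() is patched to always return true."""

    def get_state(self):
        return True


def unauthenticated_backend(req):
    """Backend that checks the key only on 'auth' and trusts every 'feature' call."""
    if req["op"] == "auth":
        return {"status": "ok"} if req.get("key") in VALID_KEYS else {"status": "error"}
    return {"status": "ok", "data": "feature result"}


def mitm_backend(req):
    """Attacker-controlled proxy that rewrites every auth response to success."""
    resp = unauthenticated_backend(req)
    if req["op"] == "auth":
        resp = {"status": "ok"}
    return resp


# ----- Pattern 2: state kept on the server (trusted zone) -----
class AuthServer:
    """Validates the key on login and checks a server-issued token on every request."""

    def __init__(self):
        self.sessions = {}   # token -> user, maintained by the server only

    def handle(self, req):
        if req["op"] == "auth":
            user = VALID_KEYS.get(req.get("key"))
            if user is None:
                return {"status": "error"}
            token = secrets.token_hex(16)
            self.sessions[token] = user
            return {"status": "ok", "token": token}
        # Every feature request must present a token this server issued.
        user = self.sessions.get(req.get("token"))
        if user is None:
            return {"status": "error"}
        return {"status": "ok", "data": f"feature result for {user}"}


def run_scenarios():
    """Returns, per attack, whether the feature was obtained (True = bypass worked)."""
    results = {}
    # Patched SDK: local flag says yes and the backend never re-checks the feature call.
    sdk = PatchedSdk(unauthenticated_backend)
    results["patched_sdk_client_side"] = sdk.feature() == "feature result"
    # MITM: any key yields a successful auth response, so the flag gets set.
    sdk = ClientSideSdk(mitm_backend)
    sdk.authenticate("not-a-real-key")
    results["mitm_client_side"] = sdk.feature() == "feature result"
    # Replay: skip the SDK entirely and mirror the captured feature request.
    results["mirror_client_side"] = (
        unauthenticated_backend({"op": "feature"})["data"] == "feature result")

    # Server-side state: replay and forged tokens fail, a real key still works.
    server = AuthServer()
    results["mirror_server_side"] = server.handle({"op": "feature"})["status"] == "ok"
    results["forged_token_server_side"] = (
        server.handle({"op": "feature", "token": "deadbeef"})["status"] == "ok")
    login = server.handle({"op": "auth", "key": "key-alice-0001"})
    results["valid_key_server_side"] = (
        server.handle({"op": "feature", "token": login["token"]})["status"] == "ok")
    return results
```

The point the model makes is the one in the text: patching getState, spoofing the auth response and replaying requests all succeed only because the backend trusts the device's word. Once the server keeps the session state and checks it on each call, the same three attacks fail, and the only remaining route is obtaining a valid key.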