DEV Community

Brutal Strike (Friuns)
Brutal Strike (Friuns)

Posted on

SwiftKey APK Patching Guide: Privacy-First Reverse Engineering

#android #security #privacy #reverseengineering

SwiftKey APK Patching Guide

๐ŸŽฏ Objective

Patch SwiftKey APK to always send "hello world" instead of actual typed text to Microsoft's AI grammar correction endpoints.

๐Ÿ“‹ Tools Used

  • jadx - Java decompiler for reverse engineering
  • apktool - APK disassembly/assembly tool
  • adb - Android Debug Bridge
  • apksigner - Modern APK signing tool
  • zipalign - APK optimization tool

๐Ÿ” Phase 1: Reverse Engineering

Initial Analysis 

# Decompile APK for analysis
jadx -d jadx_output swiftkey.apk
apktool d swiftkey.apk -o apktool_output
Enter fullscreen mode Exit fullscreen mode

Key Findings

  • Target Class: tk/f.smali - Contains ImproveRequest constructor
  • Network Endpoint: https://www.bing.com/api/swiftkey/v1/sydney/improve
  • Request Structure: JSON with {"query": "text_to_improve"}

๏ฟฝ๏ฟฝ๏ธ Phase 2: Code Modification

Patch Applied

Modified apktool_output/smali_classes3/tk/f.smali:

# BEFORE
iput-object p1, p0, Ltk/f;->a:Ljava/lang/String;

# AFTER  
const-string p1, "hello world"
iput-object p1, p0, Ltk/f;->a:Ljava/lang/String;
Enter fullscreen mode Exit fullscreen mode

This ensures all text improvement requests send "hello world" regardless of actual input.

โŒ What Went Wrong

1. Native Library Architecture Mismatch

Problem:

dlopen failed: "libfluency-java-internal.so" is for EM_X86_64 (62) instead of EM_AARCH64 (183)
Enter fullscreen mode Exit fullscreen mode

Root Cause: APK contained libraries for multiple architectures (ARM64, x86, x86_64). Android selected the wrong architecture during installation.

2. Native Library Extraction Disabled

Problem:

android:extractNativeLibs="false"
Enter fullscreen mode Exit fullscreen mode

Impact: Android couldn't extract native libraries needed for Microsoft Fluency SDK.

3. App Crash on Launch

Error:

java.lang.NoClassDefFoundError: com.microsoft.fluency.Fluency
INSTALL_FAILED_INVALID_APK: Failed to extract native libraries, res=-2
Enter fullscreen mode Exit fullscreen mode

โœ… Solutions Applied

1. Architecture Cleanup 

# Remove incompatible architectures
rm -rf apktool_output/lib/armeabi-v7a
rm -rf apktool_output/lib/x86  
rm -rf apktool_output/lib/x86_64
# Keep only: apktool_output/lib/arm64-v8a
Enter fullscreen mode Exit fullscreen mode

2. Enable Native Library Extraction 

<!-- AndroidManifest.xml -->
<application 
    android:extractNativeLibs="true"
    ... >
Enter fullscreen mode Exit fullscreen mode

3. Modern APK Signing 

# Use APK Signature Scheme v2 instead of JAR signing
apksigner sign --ks debug.keystore \
    --ks-key-alias debugkey \
    --ks-pass pass:android \
    --key-pass pass:android \
    --out signed.apk unsigned.apk
Enter fullscreen mode Exit fullscreen mode

๐Ÿ”„ Build Process

Complete Workflow 

# 1. Extract APK
apktool d swiftkey.apk -o apktool_output

# 2. Apply patches
# - Modify tk/f.smali for text interception
# - Fix AndroidManifest.xml extractNativeLibs
# - Remove incompatible architectures

# 3. Rebuild APK
apktool b apktool_output -o patched.apk --use-aapt2

# 4. Sign APK
apksigner sign --ks debug.keystore \
    --ks-key-alias debugkey \
    --ks-pass pass:android \
    --key-pass pass:android \
    --out signed.apk patched.apk

# 5. Install
adb install -r -t signed.apk
Enter fullscreen mode Exit fullscreen mode

๐Ÿงช Testing & Verification

Success Indicators

  • โœ… App launches without crashes
  • โœ… No AndroidRuntime FATAL errors in logcat
  • โœ… Services start properly (SwiftKeyJobService, FluencyServiceImpl)
  • โœ… Text input intercepts and sends "hello world" to AI endpoints

Network Request Verification 

# Test the actual endpoint
curl -X POST "https://www.bing.com/api/swiftkey/v1/sydney/improve" \
  -H "Content-Type: application/json" \
  -H "X-SwiftKey-Source: swiftkey-android" \
  -d '{"query": "hello world"}'
Enter fullscreen mode Exit fullscreen mode

๐Ÿ“Š Key Learnings

Critical Insights

  1. Multi-architecture APKs require careful native library management
  2. Modern Android (API 24+) has stricter native library extraction policies
  3. APK Signature Scheme v2 is required for newer Android versions
  4. Obfuscated code can still be patched at the bytecode level

Best Practices

  • Always use --use-aapt2 for modern APK building
  • Remove unused architectures to avoid conflicts
  • Use apksigner instead of jarsigner for new apps
  • Test on actual device architecture (ARM64 vs x86)

๐Ÿ” Security Considerations

Privacy Impact

  • Original: User text sent to Microsoft AI for grammar correction
  • Patched: Only "hello world" sent, protecting user privacy
  • Trade-off: Grammar correction feature disabled

Detection Avoidance

  • Maintains original app structure and signatures
  • Only modifies specific constructor logic
  • Preserves all other functionality

๐ŸŽฏ Final Result

โœ… Successfully patched SwiftKey APK that:

  • Launches without crashes
  • Intercepts all text improvement requests
  • Sends "hello world" instead of actual user input
  • Maintains full keyboard functionality
  • Protects user privacy from AI text analysis

This guide demonstrates advanced APK modification techniques for educational and privacy protection purposes.

Top comments (0)