
Background question: How does your whitelisting workaround work? #7

Open
corneliusroemer opened this issue Jul 16, 2020 · 1 comment

Comments

@corneliusroemer

Great work, haven't had time to try it out myself. But I was wondering how the whitelisting workaround works. Would be great if you could add a high-level description to the readme.

  • How does GAEN restrict access to whitelisted apps?
  • How do you manage to bypass this restriction?
  • Why is root necessary?
  • What exactly does your script do?
  • [Where did you get the signature from, if it wasn't by way of leak, e.g. brute force?]

Thanks!

@corneliusroemer corneliusroemer changed the title Background question: How does whitelisting work? Background question: How does your whitelisting workaround work? Jul 16, 2020
@kbobrowski
Owner

@corneliusroemer thanks for the suggestion, perhaps I will add some more information in the readme, but just to give you a quick overview:

  • GAEN has a hard-coded list of allowed apps together with a hashed signature of each app
  • bypassing this restriction is done by capturing this list while it's being parsed, using methods from the Java Class Library, and substituting the signature of one app for another one (our custom app)
  • root is necessary because without it you cannot inject custom code into another running process - the frida server (the tool that is used) needs to be run as root
  • the script substitutes the implementation of methods from the Java Class Library in order to alter the way GMS works in the desired way
  • the signature used is just a property of a custom app - it does not need to be broken or leaked; there is no hacking of external servers / institutions involved to get this working - everything happens locally on your phone
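The mechanism described in the answer above (a hard-coded allowlist of package names paired with a hash of each app's signing certificate) can be modelled with a few lines of Python. This is an added illustration, not code from this project or from GMS: the package name `org.example.health`, the certificate byte strings and the table layout are all constructed, and the real GAEN list format is not shown on this page. It demonstrates the check an allowlist like this performs, and why the check rejects an APK with any unknown signer.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded APK signing certificates. In a real
# check these would be the certificate bytes read from the caller's package.
CERT_OFFICIAL_APP = b"constructed-der-of-official-health-app-cert"
CERT_OTHER_APP = b"constructed-der-of-some-other-app-cert"


def cert_fingerprint(cert_der: bytes) -> str:
    """The 'hashed signature' of an app: hex SHA-256 over its signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()


# Hard-coded allowlist: package name -> fingerprint of the expected signing
# certificate. The structure is assumed for this example.
ALLOWLIST = {
    "org.example.health": cert_fingerprint(CERT_OFFICIAL_APP),
}


def is_allowed(package: str, signer_certs: list) -> bool:
    """Return True only if the package is listed and every signer matches the
    listed fingerprint. An APK with an extra, unknown signer is rejected, and
    a package that is not in the list is rejected regardless of its signature."""
    expected = ALLOWLIST.get(package)
    if expected is None or not signer_certs:
        return False
    # compare_digest avoids leaking the position of the first mismatching byte.
    return all(hmac.compare_digest(cert_fingerprint(c), expected) for c in signer_certs)


if __name__ == "__main__":
    print(is_allowed("org.example.health", [CERT_OFFICIAL_APP]))   # True
    print(is_allowed("org.example.health", [CERT_OTHER_APP]))      # False
    print(is_allowed("org.example.other", [CERT_OTHER_APP]))       # False
```

Because this comparison runs inside the GMS process on the device, it only holds against callers that cannot alter that process; as the answer notes, code injection into another running process requires root, so the allowlist is a protection against unprivileged apps, not against someone who already controls the device.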
