Hi there!
I have always wondered how the apps like Thoptv, Pikashow give free content/channels which are not free from different providers like Netflix, Amazon Prime, Hotstar, etc to the users. So this time, I decided to reverse the Pikashow app with a beginner level of knowledge in android reversing and try to look into how it is exactly working and can we directly access the content without seeing the ads while streaming in the app.
I am using a physical rooted Samsung mobile.
ADB and BurpSuite CE
I downloaded the app from apkfile website and installed it using adb.
adb install Pikashow_v67.apk
I decided to intercept the traffic through burp to know the endpoints that the app is using but after setting up everything, I was getting the below error in the app cause of the unknown host error in Burp which was causing the app to not load the resources in the app.
JADX-GUI
I thought of looking into the source code of the app using jadx-gui. After loading the app in the jadx-gui and looking into the source code, It was very hard for me to understand the flow cause the code was obfuscated.
I started searching for some of the common keywords, there was one SQL table in which all the information of the movie/show watched movie/shows were getting stored.
Sqlite3 for looking into the db files.
So I started looking into the database and specially the watch table.
The default location for the database for all the installed app is: /data/data/<app package name>
Below are the commands used for looking into the db files
adb shell
su
cd /data/data/<app package name>
ls
cp * /storage/Documents/ (copying into the external location so that I can pull it)
adb pull /storage/Documents/ <location on the laptop> (Storing it in the laptop location)
cd <location on the laptop>
sqlite3 <db files>
I was able to see the content of it but the url field from which it was fetching the data was encrypted.
Making the app debuggable using apktool.
Since the url field was encrypted, thought of setting some breakpoint into the smali code and inspecting the actual value before its getting passed to the encryption function.
After decompiling the code, opened it in an android-studio and modified the Android manifest file to include
android:debuggable = "true" in the application tag.
After compiling the modified code, self signed the apk and installed it again on the mobile.
The app was able to detect the modification and was giving the below error while opening the app.
Let’s give it a final try with frida!
Frida to Rescue
After searching for keywords like “Firebase”,“https”,“Download”,“Stream” ,“URL” and looking into the logs using logcat. I hooked some of the classes and looked into some of the methods. In one of the methods, the connection was getting established. So though of hooking the java library to look into the argument which is getting passed as URL. Below is the frida snippet I used for the same.
import sys,frida
jscode = """
Java.perform(function(){
console.log("Starting debugging the app")
var kapchatUploadService = Java.use("com.offshore.pikashow.view.Movie$Wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww")
var url = Java.use("java.net.URL")
var uRLConnection = Java.use("java.net.URLConnection")
url.$init.overload('java.lang.String').implementation=function(arg1)
{
console.log("Inside url method")
console.log("arg1 value:"+arg1)
}
})"""
process = frida.get_usb_device().attach('Pikashow')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()
Finally, I got the actual URL from which the app is getting the data.
A moment of happiness!!!. It felt like I got the flag in the CTF challenge.
Some other info about the app
The app is using its own hosted CDN and third-party websites like streamtape to retrieve the content.
Its making use of ninjatech for monetizing the user’s idle bandwidth.
Feel free to drop any suggestions in the comments section.
Thanks for reading!!!.