The Poor Mans Spotify Premium
I left this if you could call it vulnerability for a couple of months, I haven’t gone through every single piece of code in the new version, but I think Spotify have patched this in their latest versions. When I was studying in my local college, I didn’t have mounds of money and tasked myself with finding ways to defeat the Spotify limitations on my phone. A little overview on Spotify free on a phone, you basically can’t choose a specific track, can only skip a few times and playing tracks is done with shuffle.
If any of you have reversed apk’s before, you’ll know there’s one tool up for the task, apktool, a lot has changed since I last used it and that was only a few months ago. One interesting thing to note is that I didn’t decode the resources, this will break the decompilation process that apktool is running, you will be unable to correctly re-compile the apk if this done. The argument -r is therefore needed to ensure we don’t decode to resources. Like most things I tried looking into the ins and outs of the code from Spotify, but what it boils down to usually is finding a simple vulnerability.
Spotify released a web application around the same time I was looking into the apk and gave it a little look. I found Spotify’s URI format and thought this could be useful when trying to change values in the mobile app. It indeed was, as we’ll found out in a moment.
I’m using version 0.7.9.1170, there have been a vast amount of different versions since and haven’t checked where it had been patched. I’ve only tested 0.7 and the latest from 10/04/2015. In this vulnerability, we’re interested in the folder /assets after we have decompiled it successfully from apktool. You’re folders may look different, I have built from this folder before so there are many folders that may not be there in the screenshot.
In it is a file called licenses.xhtml. which is basically a file outputting all the different software it may of used to create the app. You can view it by going on Menu> Settings > Licenses. This allowed me to append some HTML into the app without doing too much with smali code. Sounds like a dream to me. Although, I believe in this version you are restricted with Javascript. So Javascript’s a no go, what can we use to defeat Spotify’s premium functionality. I chose links. My general thought process was that the app interprets spotify URI’s like it does in the web app and so I edited the HTML page and changed it like so.
I then compiled and signed my app and put it on dropbox to be downloaded to my phone. It’s self signed and so you will have to enable “Unknown Sources” and can just enable “just once”. Once installed I logged in to my free spotify account and it worked, I could play the tracks I wanted, when I wanted. Another glitch in system is that once you’ve played a track through this, you can’t select it again. What do we do to resolve this? We delete the cache, login again and we can replay the track again. Not the most efficient way of bypassing something. But, as a student, I thought it was good enough for my needs. I uploaded a demo, and the reason I uploaded to dailymotion is because I know YouTube would probably take it down.