Recently, a mobile application appeared on my Twitter timeline which looked really questionable. Naturally, I wanted to take a look under the hood, but there was just one snag – ALL of the assets were encrypted. After using JADX to decompile all the classes and extract resources, I found that the application was using something called Titanium SDK, which is another cross-platform framework for mobile development similar to React. On top of its regular features, Titanium SDK encrypts all of its assets, so every asset the developers created for the app is turned into an encrypted .bin file.
Titanium uses a Java Native Interface (JNI) “ti-cloak.so” which has a ti.cloak.Binding.getKey(salt) function that is used by the asset streamer to decrypt the assets on the fly.
In comes our friend FRIDA. Using Frida, we can quite easily hook this function and not only get the IV that's passed in Binding() but also recover the Key itself.
Now that we've recovered both the Key and the IV, I created a Python script that takes them, moves through all the assets in the application and restores them to their original state.
That's it! Now, every file in the asset directory is restored.
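The restore step above, as an added example that is not the author's Python script: it walks an asset directory, decrypts every `.bin` file with the recovered key and IV, and writes the plaintext back under the original name. The post only says a Key and an IV are involved, so AES in CBC mode with PKCS#7 padding is an assumption here, as are the key and IV values (constructed), the function names and the `.bin` naming rule. It is written in Go so it runs with the standard library alone. The point for anyone shipping such an app is that once the key and IV are observable at runtime, restoring the whole asset tree is a mechanical loop: device-side asset encryption is obfuscation, not confidentiality, and secrets that must stay secret should not be packaged in the client at all.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding
// (a wrong key or a truncated file usually surfaces here).
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("data length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// pkcs7Pad is only needed to build the constructed sample asset.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecryptAsset decrypts one asset file. AES-CBC + PKCS#7 is an assumption.
func DecryptAsset(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv must be exactly one block long")
	}
	if len(ciphertext) == 0 || len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ciphertext)
	return pkcs7Unpad(plain, block.BlockSize())
}

// EncryptAsset is the inverse, used here only to construct sample data.
func EncryptAsset(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// RestoreAssets walks srcDir, decrypts every *.bin file and writes the result
// to dstDir under the same relative path minus the .bin suffix (assumed naming).
// It returns how many files were restored; the first failure stops the walk.
func RestoreAssets(srcDir, dstDir string, key, iv []byte) (int, error) {
	count := 0
	err := filepath.WalkDir(srcDir, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !strings.HasSuffix(path, ".bin") {
			return nil // leave directories and unencrypted files alone
		}
		rel, err := filepath.Rel(srcDir, path)
		if err != nil {
			return err
		}
		ct, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		pt, err := DecryptAsset(key, iv, ct)
		if err != nil {
			return fmt.Errorf("%s: %w", rel, err)
		}
		out := filepath.Join(dstDir, strings.TrimSuffix(rel, ".bin"))
		if err := os.MkdirAll(filepath.Dir(out), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(out, pt, 0o644); err != nil {
			return err
		}
		count++
		return nil
	})
	return count, err
}

func main() {
	// Constructed key and IV standing in for the values recovered with Frida.
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	iv := []byte("fedcba9876543210")                  // 16 bytes: one AES block
	src, _ := os.MkdirTemp("", "enc-assets")
	dst, _ := os.MkdirTemp("", "dec-assets")
	defer os.RemoveAll(src)
	defer os.RemoveAll(dst)
	ct, _ := EncryptAsset(key, iv, []byte("var greeting = 'hello';\n")) // constructed asset
	_ = os.WriteFile(filepath.Join(src, "app.js.bin"), ct, 0o644)
	n, err := RestoreAssets(src, dst, key, iv)
	fmt.Println("restored:", n, "error:", err)
	pt, _ := os.ReadFile(filepath.Join(dst, "app.js"))
	fmt.Print(string(pt))
}
```

Run it with `go run .` against a directory of real `.bin` files by replacing the constructed key, IV and paths; the padding check is what tells you the recovered key or IV is wrong rather than silently writing garbage.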