SwiftKey APK Patching Guide: Privacy-First Reverse Engineering

Objective

Patch the SwiftKey APK so that it always sends "hello world" instead of the actual typed text to Microsoft's AI grammar correction endpoints.

Tools Used

  • jadx - Java decompiler for reverse engineering
  • apktool - APK disassembly/assembly tool
  • adb - Android Debug Bridge
  • apksigner - Modern APK signing tool
  • zipalign - APK optimization tool

Phase 1: Reverse Engineering

Initial Analysis

# Decompile APK for analysis
jadx -d jadx_output swiftkey.apk
apktool d swiftkey.apk -o apktool_output

Key Findings

  • Target Class: tk/f.smali - Contains ImproveRequest constructor
  • Network Endpoint: https://www.bing.com/api/swiftkey/v1/sydney/improve
  • Request Structure: JSON with {"query": "text_to_improve"}

Phase 2: Code Modification

Patch Applied

Modified apktool_output/smali_classes3/tk/f.smali:

# BEFORE
iput-object p1, p0, Ltk/f;->a:Ljava/lang/String;

# AFTER  
const-string p1, "hello world"
iput-object p1, p0, Ltk/f;->a:Ljava/lang/String;

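Because p1 is overwritten just before the iput-object, the constructor stores "hello world" in the field instead of the caller's string. This ensures all text improvement requests send "hello world" regardless of the actual input.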

What Went Wrong

1. Native Library Architecture Mismatch

Problem:

dlopen failed: "libfluency-java-internal.so" is for EM_X86_64 (62) instead of EM_AARCH64 (183)

Root Cause: The APK contained libraries for multiple architectures (ARM64, x86, x86_64). Android selected the wrong architecture during installation.

2. Native Library Extraction Disabled

Problem:

android:extractNativeLibs="false"

Impact: Android couldn't extract the native libraries needed for the Microsoft Fluency SDK.

3. App Crash on Launch

Error:

java.lang.NoClassDefFoundError: com.microsoft.fluency.Fluency
INSTALL_FAILED_INVALID_APK: Failed to extract native libraries, res=-2

Solutions Applied

1. Architecture Cleanup

# Remove incompatible architectures
rm -rf apktool_output/lib/armeabi-v7a
rm -rf apktool_output/lib/x86  
rm -rf apktool_output/lib/x86_64
# Keep only: apktool_output/lib/arm64-v8a

2. Enable Native Library Extraction

<!-- AndroidManifest.xml -->
<application 
    android:extractNativeLibs="true"
    ... >
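
A pre-rebuild check for the two native-library failures above, as an added example that is not part of the original post: it reads each library's ELF e_machine (the field named in the dlopen error), compares it with the ABI directory the file sits in, and reports the manifest's android:extractNativeLibs value. The function names and the demo tree are assumptions; against the real tree the call would be `check_libs apktool_output`.

```shell
# Added example, not from the original post. File names in the demo are constructed.
# Expected ELF e_machine for each Android ABI directory name.
abi_machine() {
    case "$1" in
        armeabi-v7a) echo 40 ;;    # EM_ARM
        arm64-v8a)   echo 183 ;;   # EM_AARCH64
        x86)         echo 3 ;;     # EM_386
        x86_64)      echo 62 ;;    # EM_X86_64
        *)           echo unknown ;;
    esac
}

# Print a file's e_machine (16-bit little-endian at offset 18), or "not-elf".
elf_machine() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ] || { echo not-elf; return 0; }
    set -- $(od -An -tu1 -j18 -N2 "$1")
    [ $# -eq 2 ] || { echo not-elf; return 0; }
    echo $(( $1 + $2 * 256 ))
}

# One line per library under <tree>/lib/<abi>/: "<abi>/<file> ok" or "MISMATCH(<e_machine>)".
check_libs() {
    for so in "$1"/lib/*/*.so; do
        [ -f "$so" ] || continue
        abi=$(basename "$(dirname "$so")")
        got=$(elf_machine "$so")
        if [ "$got" = "$(abi_machine "$abi")" ]; then st=ok; else st="MISMATCH($got)"; fi
        echo "$abi/$(basename "$so") $st"
    done
}

# Value of android:extractNativeLibs in a decoded manifest, or "unset" if absent.
extract_native_libs() {
    v=$(sed -n 's/.*android:extractNativeLibs="\([a-z]*\)".*/\1/p' "$1" | head -n 1)
    echo "${v:-unset}"
}

# Constructed sample: 20-byte ELF64 header stub; $2 = e_machine as two octal-escaped bytes.
fake_so() {
    mkdir -p "$(dirname "$1")"
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\003\000'"$2" > "$1"
}

demo=$(mktemp -d)   # stands in for apktool_output
fake_so "$demo/lib/arm64-v8a/libgood.so" '\267\000'   # 183
fake_so "$demo/lib/arm64-v8a/libbad.so"  '\076\000'   # 62: the mismatch dlopen reported
printf '<application android:extractNativeLibs="false">\n' > "$demo/AndroidManifest.xml"
check_libs "$demo"
echo "extractNativeLibs=$(extract_native_libs "$demo/AndroidManifest.xml")"
```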

3. Modern APK Signing

# Use APK Signature Scheme v2 instead of JAR signing
apksigner sign --ks debug.keystore \
    --ks-key-alias debugkey \
    --ks-pass pass:android \
    --key-pass pass:android \
    --out signed.apk unsigned.apk

Build Process

Complete Workflow

# 1. Extract APK
apktool d swiftkey.apk -o apktool_output

# 2. Apply patches
# - Modify tk/f.smali for text interception
# - Fix AndroidManifest.xml extractNativeLibs
# - Remove incompatible architectures

# 3. Rebuild APK
apktool b apktool_output -o patched.apk --use-aapt2

# 4. Sign APK
apksigner sign --ks debug.keystore \
    --ks-key-alias debugkey \
    --ks-pass pass:android \
    --key-pass pass:android \
    --out signed.apk patched.apk

# 5. Install
adb install -r -t signed.apk

Testing & Verification

Success Indicators

  • App launches without crashes
  • No AndroidRuntime FATAL errors in logcat
  • Services start properly (SwiftKeyJobService, FluencyServiceImpl)
  • Text input intercepts and sends "hello world" to AI endpoints

Network Request Verification

# Test the actual endpoint
curl -X POST "https://www.bing.com/api/swiftkey/v1/sydney/improve" \
  -H "Content-Type: application/json" \
  -H "X-SwiftKey-Source: swiftkey-android" \
  -d '{"query": "hello world"}'

Key Learnings

Critical Insights

  1. Multi-architecture APKs require careful native library management
  2. Modern Android (API 24+) has stricter native library extraction policies
  3. APK Signature Scheme v2 is required for newer Android versions
  4. Obfuscated code can still be patched at the bytecode level

Best Practices

  • Always use --use-aapt2 for modern APK building
  • Remove unused architectures to avoid conflicts
  • Use apksigner instead of jarsigner for new apps
  • Test on actual device architecture (ARM64 vs x86)

Security Considerations

Privacy Impact

  • Original: User text sent to Microsoft AI for grammar correction
  • Patched: Only "hello world" sent, protecting user privacy
  • Trade-off: Grammar correction feature disabled

Detection Avoidance

  • Maintains original app structure and signatures
  • Only modifies specific constructor logic
  • Preserves all other functionality
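
Step 4 of the workflow signs the rebuilt APK with debug.keystore, so its signer certificate differs from the publisher's, and that is what a defender checks. The following added example (not part of the original post) classifies an APK by comparing its signer digests against a pinned publisher digest. It assumes the `Signer #N certificate ...` line format printed by `apksigner verify --print-certs`; the digests, DNs and function names are constructed.

```shell
# Added example, not from the original post. It parses text in the format printed by
# `apksigner verify --print-certs`; the sample outputs and digests are constructed.

# SHA-256 digests of all signer certificates, one per line, from apksigner output on stdin.
signer_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: \([0-9a-f]\{64\}\)$/\1/p'
}

# Classify an APK from its apksigner output ($1) and the pinned publisher digest ($2):
#   match      - every signer certificate equals the pinned one
#   repackaged - at least one signer certificate differs (re-signed build)
#   unsigned   - no signer certificate was reported
classify_signer() {
    digests=$(printf '%s\n' "$1" | signer_digests)
    [ -n "$digests" ] || { echo unsigned; return 0; }
    for d in $digests; do
        [ "$d" = "$2" ] || { echo repackaged; return 0; }
    done
    echo match
}

# Heuristic: a certificate DN naming "Android Debug" marks a debug-keystore build.
is_debug_signed() {
    printf '%s\n' "$1" | grep -q '^Signer #[0-9]* certificate DN: .*CN=Android Debug'
}

# Constructed 64-hex-digit digests (not real certificate hashes).
PINNED=$(printf '%064d' 1)
OTHER=$(printf '%064d' 2)

# Constructed apksigner-style output for an original and a re-signed APK.
ORIGINAL_OUT="Signer #1 certificate DN: CN=Example Publisher
Signer #1 certificate SHA-256 digest: $PINNED"
RESIGNED_OUT="Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: $OTHER"

echo "original: $(classify_signer "$ORIGINAL_OUT" "$PINNED")"
echo "resigned: $(classify_signer "$RESIGNED_OUT" "$PINNED")"
# Real use: classify_signer "$(apksigner verify --print-certs signed.apk)" "$PINNED"
```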

Final Result

Successfully patched SwiftKey APK that:

  • Launches without crashes
  • Intercepts all text improvement requests
  • Sends "hello world" instead of actual user input
  • Maintains full keyboard functionality
  • Protects user privacy from AI text analysis

This guide demonstrates advanced APK modification techniques for educational and privacy protection purposes.

Written by

Brutal Strike (Friuns)