Investigating Huawei system app - your help needed

lozohcum

lozohcum

Senior Member
Jan 14, 2013
1,920
1,743
143
Internety
Nov 1, 2019 at 7:56 PM
Hi guys,
I was recently reverse engineering a package com.huawei.autoinstallapkfrommcc and trying to understand what it is doing.
From what I could see it looks like this service after system boots up, is checking what mobile carrier you are using and then loads a list of packages from file autoInstallAPK.xml and then installs/uninstalls them based on mcc and mnc codes.

I am wondering if this xml file can be used to bypass device security. However I can't find it on my device.

Could you please check if you have a file at
Code: 
[ROOT]/System/etc/xml/autoInstallAPK.xml
and share it if it exists there?
 
oslo83

oslo83

Senior Member
Jun 12, 2016
1,385
407
93
Nov 1, 2019 at 10:04 PM
Check your
/cust/vendor/country/xml/*.xml
&
/preload/model/vendor/country/xml/*.txt

Look also for :
APKInstallListEMUI5Release.txt
&
DelAPKInstallListEMUI5Release.txt

Share back your tweaks and findings :)
 
lozohcum

lozohcum

Senior Member
Jan 14, 2013
1,920
1,743
143
Internety
Nov 2, 2019 at 8:29 AM
oslo83 said:
Check your
/cust/vendor/country/xml/*.xml
&
/preload/model/vendor/country/xml/*.txt

Look also for :
APKInstallListEMUI5Release.txt
&
DelAPKInstallListEMUI5Release.txt

Share back your tweaks and findings :)
Click to expand...
I don't have such folders, did you mean main partition? I don't have root so I am quite limited.
Maybe this config file is included only in roms which come from mobile carriers like Verizon, T-Mobile etc.

So far what I think this package is reading from that xml is:
* package name
* apk path
* action type (install, uninstall, disable, maybe others)
* card info (probably sim card info/ carrier info)

Then this data is being processed (atm I don't fully understand the process flow but in general it goes through each element (app) described in the xml list and takes defined action depending on the carrier you have). Ofc whole process is not started untill system is booted and sim card present/installed.

I wonder why Huawei have implemented such service. Maybe to make it easier for carriers to install branding apps on EMUI? Maybe this is only used to install carrier config package to. Can't really tell at the moment.
However I see a potential use case where someone uses buffer overflow or other vunerability to alter/overwrite this xml file. This could allow someone to install malicious apps on the device.

I am now analyzing bytecode of the part that is parsing InputStream from xml to see if I have missed something.
 
Last edited:
You must log in or register to reply here.

New posts

Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone