Android Beta 1.5.3 update & Twilight app

100% agreed on everything you’ve said here. This is pretty disappointing to see from Monzo and is almost as bad as the companies using SafetyNet to “improve security”. What’s next, the OAuth login system requiring a kernel module to be running to make sure you don’t log in to Monzo on a machine with f.lux/redshift running?

It’s my device, I should be able to decide whether or not I’m competent enough to be able to use an overlay app. This should be opt-out with an appropriate warning. Until it’s made opt-out I guess I’ll be patching each new version so I can continue to use the “Send Money” feature without having to temporarily disable the tool that I use all of the time on my device.

Absolutely, that would be completely my fault. Android already ensures that the user is very clearly asked before an app is given the ability to draw over the screen - and I’d be 100% responsible if I allowed this and then fell victim to a malicious tapjacking app. I would not try and blame my bank.


1.5.4+ Patching Instructions:

1.5.4 no longer uses the XML attributes I described in my original post. Instead, we now have a central "Secure"Button class in co.uk.getmondo.common.ui.

As before, grab the APK with an adb pull and run apktool d base.apk to extract/disassemble everything. Then, cd base/smali/co/uk/getmondo/common/ui and open SecureButton.smali with vim or another appropriate text editor. Look for the .method public onFilterTouchEventForSecurity(Landroid/view/MotionEvent;)Z virtual method.

Replace it with these contents (returns true always to allow use of the button):

# virtual methods
.method public onFilterTouchEventForSecurity(Landroid/view/MotionEvent;)Z
    .locals 1

    .prologue
    # v0 is the one declared local; v1 would alias p0 ("this")
    const/4 v0, 0x1
    return v0
.end method

Save the file and then run apktool b base to rebuild the APK. Uninstall the existing Monzo app.

Use jarsigner and then zipalign to sign the APK with your own key and then correct the archive alignment. Something along the lines of jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore some-keystore-file.keystore base.apk alias_name. zipalign works like zipalign -f 4 base.apk new.apk.

Install the patched app, enjoy being able to use it properly again.

Edit: above procedure works fine with 1.6.1 too.

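An added example, not part of the original post and not Monzo's code: a Python check that a build-integrity or repackaging scanner could run over apktool output to tell whether the touch filter named in the post has been reduced to a constant return. Only the method name and signature come from the post; the "intact" sample method and the function names are constructed for illustration.

```python
import re

# One smali method: ".method <signature>" line, body, ".end method".
METHOD_RE = re.compile(r"^\.method\s+(?P<sig>.+?)\n(?P<body>.*?)^\.end method", re.M | re.S)
TARGET = "onFilterTouchEventForSecurity(Landroid/view/MotionEvent;)Z"
DIRECTIVES = (".locals", ".registers", ".prologue", ".line", ".param", "#")

# Mirrors the always-true replacement method described in the post.
PATCHED_SAMPLE = """\
.method public onFilterTouchEventForSecurity(Landroid/view/MotionEvent;)Z
    .locals 1
    .prologue
    const/4 v0, 0x1
    return v0
.end method
"""

# Constructed for illustration (not the app's real code): reject obscured touches.
INTACT_SAMPLE = """\
.method public onFilterTouchEventForSecurity(Landroid/view/MotionEvent;)Z
    .locals 1
    invoke-virtual {p1}, Landroid/view/MotionEvent;->getFlags()I
    move-result v0
    and-int/lit8 v0, v0, 0x1    # FLAG_WINDOW_IS_OBSCURED
    if-eqz v0, :allow
    const/4 v0, 0x0
    return v0
    :allow
    const/4 v0, 0x1
    return v0
.end method
"""


def instructions(body):
    """Executable instructions of a method body; directives, comments, blanks dropped."""
    lines = (ln.strip() for ln in body.splitlines())
    return [ln for ln in lines if ln and not ln.startswith(DIRECTIVES)]


def classify_touch_filter(smali_text):
    """Return 'missing', 'stubbed' or 'present' for the touch filter in one smali file."""
    for m in METHOD_RE.finditer(smali_text):
        if m.group("sig").split()[-1] != TARGET:
            continue
        ops = instructions(m.group("body"))
        # A stub only loads a constant and returns it; it never inspects the event.
        stub = all(op.startswith(("const", "return")) for op in ops)
        return "stubbed" if stub else "present"
    return "missing"
```

A "stubbed" or "missing" result on a class that is expected to filter obscured touches indicates the build under inspection differs from the signed release.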