User Scripting on Android
using BladeDroid

Ravi Bhoraskar, Dominic Langenegger, Pingyang He,
Raymond Cheng, Will Scott, Michael D. Ernst

University of Washington

APSYS 2014
Beijing, China


User Scripting today

  • User scripts and browser extensions very useful on the web
  • Mobile apps remain opaque to user-side programmability

Blades: User-scripts for apps

  • Ad Blocker
  • Quiz Cheater
  • Socialify
  • Record and Replay

Context: Related Work

  • Web
    • Greasemonkey
    • Browser extensions
  • Mobile:
    • Code injection, API hooking, Instrumentation
    • Either requires recompiling the application for all changes or requires changes to the operating system

Key Ideas


  • No OS Support, for immediate deployability
  • Easy installation and removal of Blades


  • Bytecode rewriting to add hooks at install time
  • Dynamic class loading to load Blades at runtime


  • Blade API
    • General across multiple apps
    • Powerful enough to enable writing useful Blades
    • Usable, so that writing Blades is easy
  • Artifact: The BladeDroid tool
    • Implementation allows running Blades on existing apps
    • Gives the user control over what Blades are running



  • Open-source mobile Operating System
  • Android app structure
    • Written in Java, compiled to Dalvik
    • Each page is of the Activity class
    • Activities contain UI elements called Views

Android Activity

Design &

Blade-Enabling: Instrumention

  • Read existing app package (APK)
  • Re-package the app with:
    • BladeLoader - loads Blades into memory
    • BladeExecutor - Hook into Activity events and
      call Blade methods
  • Reinstall application

Blade Loading

Blade API

public interface Blade {
  void onCreate(Activity activity, Bundle savedInstanceState);
  void onStart(Activity activity);
  void onResume(Activity activity);
  void onPause(Activity activity);
  void onStop(Activity activity);
  void onDestroy(Activity activity);
  boolean onKeyDown(Activity activity, int keyCode, KeyEvent event);
  boolean onKeyLongPress(Activity activity, int keyCode, KeyEvent event);
  boolean onKeyUp(Activity activity, int keyCode, KeyEvent event);

Examples: Remove a UI Element

public class AdsBlocker extends AbstractBlade {
  public void onCreate(Activity activity, Bundle savedInstanceState) {
    View rootView = activity.findViewById(;
    /** Iterate over all children **/
    if (v.getType().equals("")) {
      ((ViewGroup) v.getParent()).removeView(v);

Examples: Add an Event Handler

public class AddEventHandler extends AbstractBlade {
  public void onCreate(Activity activity, Bundle savedInstanceState) {
    View rootView = activity.findViewById(;
    rootView.setOnClickListener(new OnClickListener() {
      public void onClick(View v) {
        /** DO SOMETHING **/

Blade Ecosystem


User Survey


    • Would people use user-scripting on mobile?
    • Is the Blade API sufficient?

Blade Ideas

  • Game Cheating
  • Repetitive Task Automation
  • Promotional Content Hiding
  • App UI Redesigning
  • Launch Screen Changing
  • HTTP Encryption

Blade Code Complexity

Ad Blocker52
Social Media Plugin30 + 90
Record & Replay292

Loading Time

APK Size Overhead


  • What are the security implications of BladeDroid?
  • What other use cases exist for BladeDroid?
  • How would we deploy a Blade Store?


  • User scripting is possible on mobile
  • Bytecode Rewriting + Dynamic Class Loading
    make feasible system
  • BladeDroid is a manifestation of these ideas