Blog: Android

New, easier ways to make My Friend Cayla swear

Tony Gee 20 Nov 2015

As you may know we have done a lot of research on My Friend Cayla in a puerile attempt to get her to swear.

We looked at her database of questions and “badwords”, we edited them and eventually got her to swear.

Then ToyQuest updated the app and added SQLcipher encryption to make it harder to access the database, but we managed to bypass that as they had to include the key for the encryption in plain text in the app!

Tim’s research

A couple of days ago I saw a tweet from a guy called @timmedin who has done some excellent research. His novel work was on iOS. We have applied and verified it on Android.

Our original research uncovered that the swearing filters weren’t applied from the local SQLlite db ‘talking’ content, and the filter words themselves could also be removed. Tim found a route to prevent the filters from being applied to talking content retrieved from Wikipedia.

He showed how you can filter the Wikipedia lookups to effectively block her badword filter and get her to read “inappropriate” content from Wikipedia. He mentioned how he could have rewritten one of Cayla’s stories on his jailbroken devices to make her say arbitrary things. It got me thinking, we use Cayla a lot in our live hack demos and sometimes struggle to get her to actually speak, let alone swear.

What if we could actually get her to speak a segment of our presentation, complete with expletives?

I started by looking at the name field. Sure you can set an arbitrary name in the text you want her to say, but the bad word filter still applies and there is a limit. No luck there, but useful for on the fly things.


Then I thought why don’t we try and edit her stories and upload that. The stories come bundled with the app and are preprepared so that Cayla will read them out for your child to listen to.


Here’s the how-to

This technique is trivially easy, even for a novice Android attacker.

I downloaded the latest app from the Play store and on my rooted tablet connected with ADB and pulled the APK from /data/app:

C:Androidsdkplatform-tools > adb pull /data/app/com.toyquest.Cayla.en_uk-1.apk

With this in hand I set about finding out how the stories are generated. You can open an APK with 7-zip. The stories are stored in assetslanguageen.lprojstory.strings:


Extract the file and open it with notepad++ and you can edit it to hearts content:


This will change the content of the story, but not the actual displayed text within the app!


Once you are happy save the file and add it back to the APK (using 7-zip).

Then you need to upload it back to your device using:

C:Androidsdkplatform-tools>adb push com.toyquest.Cayla.en_uk-1.apk

Note: You can’t copy directly to the /data/app folder. You need to copy it to the sdcard folder and then use adb shell as root to copy it to the app folder:

C: Androidsdkplatform-tools>adb shell
shell@ac79bu:/ $ su
root@ac79bu:/ # cp /sdcard/com.toyquest.Cayla.en_uk-1.apk /data/app/com.toyquest.Cayla.en_uk-1.apk

If you had the app open make sure you restart it.

Then when you go to the story Cayla will read exactly what you have written, including any swear words!

Next steps

Get two dolls to have a conversation, better still get Cayla to turn on a Samsung TV with “Hi TV” and then change the channel to the adult channel…