Skip to content

MASTG-TECH-0005: Installing Apps

Basic APK Installation

Use adb install ( adb) to install an APK on an emulator or connected device. The given path is the path of the APK on the host.

adb install ./myApp.apk

If multiple devices are connected, you can specify to install to a connected device (-d), emulator or TCP/IP device (-e), or specific serial number (-s).

# Install in a connected physical device
adb -d install ./myApp.apk

# Install in an emulator
adb -e install ./myApp.apk

# List all devices
adb devices
List of devices attached
37081JEHN05882  device
emulator-5554   device

# Connect to a specific device
adb -s 37081JEHN05882 install ./myApp.apk

When installing an app, it is also possible to automatically grant all runtime permissions using -g:

adb install -g ./myApp.apk

Installing a Repackaged App

In case there is already an application installed with the same package name, Android will compare the signatures. If the signatures match, the update will succeed. If the signature is different (for example, after repackaging an APK), the installation will fail.

adb install ./myRepackagedApp.apk
adb: failed to install myRepackagedApp.apk: Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Existing package org.owasp.mastestapp signatures do not match newer version; ignoring!]

To solve this issue, first remove the original application using adb uninstall:

# Uninstall based on package name
adb uninstall org.owasp.mastestapp

# Normal install via adb
adb install ./myRepackagedApp.apk

Installing to a Specific Profile

To install an APK into a specific profile, the APK first has to be pushed to the device, as it is not possible to do this directly using adb install. Note that pushing to /sdcard/ may result in permission issues, so use /data/local/tmp to be sure. After pushing the APK to the device, it can be installed using pm install with the --user XX option:

# Get an overview of available profiles
adb shell pm list users
Users:
    UserInfo{0:Owner:c13} running
    UserInfo{11:Sample Managed Profile:1030} running

# Push to /data/local/tmp/
adb push ./myApp.apk /data/local/tmp/

# Install with pm install and the --user option
adb shell pm install --user 11 /data/local/tmp/myRepackagedApp.apk

Installing Split APKs

In case you need to install split APKs, you can use the install-multiple command. Make sure the different split APKs match your device configuration:

# YouTube is a split APK
adb shell pm path com.google.android.youtube
package:/data/app/~~ZLX3UNTF7R2oebU_viP7mw==/com.google.android.youtube-Rhm4GURIQ4twNvR6wxqc6w==/base.apk
package:/data/app/~~ZLX3UNTF7R2oebU_viP7mw==/com.google.android.youtube-Rhm4GURIQ4twNvR6wxqc6w==/split_config.arm64_v8a.apk
package:/data/app/~~ZLX3UNTF7R2oebU_viP7mw==/com.google.android.youtube-Rhm4GURIQ4twNvR6wxqc6w==/split_config.en.apk
package:/data/app/~~ZLX3UNTF7R2oebU_viP7mw==/com.google.android.youtube-Rhm4GURIQ4twNvR6wxqc6w==/split_config.xxhdpi.apk

# Obtain the different parts
adb pull /data/app/~~ZLX3UNTF7R2oebU_viP7mw==/com.google.android.youtube-Rhm4GURIQ4twNvR6wxqc6w==/base.apk
adb pull /data/app/~~ZLX3UNTF7R2oebU_viP7mw==/com.google.android.youtube-Rhm4GURIQ4twNvR6wxqc6w==/split_config.arm64_v8a.apk
adb pull /data/app/~~ZLX3UNTF7R2oebU_viP7mw==/com.google.android.youtube-Rhm4GURIQ4twNvR6wxqc6w==/split_config.en.apk
adb pull /data/app/~~ZLX3UNTF7R2oebU_viP7mw==/com.google.android.youtube-Rhm4GURIQ4twNvR6wxqc6w==/split_config.xxhdpi.apk

# Uninstall YouTube as a test
adb uninstall com.google.android.youtube

# Install the split APK files
adb install-multiple base.apk split_config.arm64_v8a.apk split_config.en.apk split_config.xxhdpi.apk

Tests

MASTG-TEST-0263: Logging of StrictMode Violations MASTG-TEST-0353: Runtime Use of Debugging Detection APIs MASTG-TEST-0351: Runtime Use of Emulator Detection Techniques MASTG-TEST-0325: Runtime Use of Root Detection Techniques MASTG-TEST-0341: Runtime Use of Hook Detection Techniques MASTG-TEST-0264: Runtime Use of StrictMode APIs MASTG-TEST-0249: Runtime Use of Secure Screen Lock Detection APIs MASTG-TEST-0206: Undeclared PII in Network Traffic Capture MASTG-TEST-0319: Runtime Use of SDK APIs Known to Handle Sensitive User Data MASTG-TEST-0308: Runtime Use of Asymmetric Key Pairs Used For Multiple Purposes MASTG-TEST-0350: Runtime Use of Broken Symmetric Encryption Modes MASTG-TEST-0200: Files Written to External Storage MASTG-TEST-0201: Runtime Use of APIs to Access External Storage MASTG-TEST-0287: Runtime Storage of Unencrypted Data via the SharedPreferences API MASTG-TEST-0207: Runtime Storage of Unencrypted Data in the App Sandbox MASTG-TEST-0203: Runtime Use of Logging APIs MASTG-TEST-0216: Sensitive Data Not Excluded From Backup MASTG-TEST-0251: Runtime Use of Content Provider Access APIs in WebViews MASTG-TEST-0253: Runtime Use of Local File Access APIs in WebViews MASTG-TEST-0356: Runtime Verification of Unauthorized Database Access through Content Providers MASTG-TEST-0320: WebViews Not Cleaning Up Sensitive Data MASTG-TEST-0244: Missing Certificate Pinning in Network Traffic MASTG-TEST-0218: Insecure TLS Protocols in Network Traffic

Demos

MASTG-DEMO-0108: Bypassing Frida Detection in /proc/self/maps to Extract Sensitive Data MASTG-DEMO-0027: Runtime Use of KeyguardManager.isDeviceSecure and BiometricManager.canAuthenticate APIs with Frida MASTG-DEMO-0107: Detecting Frida hooks and terminating the application on response MASTG-DEMO-0114: Detecting Emulator Detection Checks with Frida MASTG-DEMO-0106: Extracting Sensitive Data from Cipher.doFinal via Frida Hooking MASTG-DEMO-0038: Detecting StrictMode Uses with Frida MASTG-DEMO-0081: Sensitive User Data Sent to Firebase Analytics with Frida MASTG-DEMO-0072: Runtime Use of Asymmetric Key Pairs Used For Multiple Purposes With Frida MASTG-DEMO-0058: Using KeyGenParameterSpec with a Broken ECB Block Mode MASTG-DEMO-0060: App Writing Sensitive Data to Sandbox using EncryptedSharedPreferences MASTG-DEMO-0059: Using SharedPreferences to Write Sensitive Data Unencrypted to the App Sandbox MASTG-DEMO-0002: External Storage APIs Tracing with Frida MASTG-DEMO-0082: WebView WebStorage Cleanup MASTG-DEMO-0123: Exfiltration of Private Files via FileProvider URI Grant Oversharing MASTG-DEMO-0121: Unauthorized Access to Database Records through Exported Content Provider MASTG-DEMO-0031: Uses of WebViews Allowing Local File Access with Frida MASTG-DEMO-0030: Uses of WebViews Allowing Content Access with Frida