Testing whether the App is Debuggable
AndroidManifest.xml to determine whether the
android:debuggable attribute has been set and to find the attribute's value:
... <application android:allowBackup="true" android:debuggable="true" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:theme="@style/AppTheme"> ...
You can use
aapt tool from the Android SDK with the following command line to quickly check if the
android:debuggable="true" directive is present:
# If the command print 1 then the directive is present # The regex search for this line: android:debuggable(0x0101000f)=(type 0x12)0xffffffff $ aapt d xmltree sieve.apk AndroidManifest.xml | grep -Ec "android:debuggable\(0x[0-9a-f]+\)=\(type\s0x[0-9a-f]+\)0xffffffff" 1
For a release build, this attribute should always be set to
"false" (the default value).
adb can be used to determine whether an application is debuggable.
Use the following command:
# If the command print a number superior to zero then the application have the debug flag # The regex search for these lines: # flags=[ DEBUGGABLE HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ] # pkgFlags=[ DEBUGGABLE HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ] $ adb shell dumpsys package com.mwr.example.sieve | grep -c "DEBUGGABLE" 2 $ adb shell dumpsys package com.nondebuggableapp | grep -c "DEBUGGABLE" 0
If an application is debuggable, executing application commands is trivial. In the
adb shell, execute
run-as by appending the package name and application command to the binary name:
$ run-as com.vulnerable.app id uid=10084(u0_a84) gid=10084(u0_a84) groups=10083(u0_a83),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:untrusted_app:s0:c512,c768
Android Studio can also be used to debug an application and verify debugging activation for an app.
Another method for determining whether an application is debuggable is attaching
jdb to the running process. If this is successful, debugging will be activated.
The following procedure can be used to start a debug session with
jdwp, identify the PID of the active application that you want to debug:
$ adb jdwp 2355 16346 <== last launched, corresponds to our application
Create a communication channel by using
adbbetween the application process (with the PID) and your host computer by using a specific local port:
# adb forward tcp:[LOCAL_PORT] jdwp:[APPLICATION_PID] $ adb forward tcp:55555 jdwp:16346
jdb, attach the debugger to the local communication channel port and start a debug session:
$ jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=55555 Set uncaught java.lang.Throwable Set deferred uncaught java.lang.Throwable Initializing jdb ... > help
A few notes about debugging:
- The tool
JADXcan be used to identify interesting locations for breakpoint insertion.
- Usage of basic commands for jdb can be found at Tutorialspoint.
- If you get an error telling that "the connection to the debugger has been closed" while
jdbis being bound to the local communication channel port, kill all adb sessions and start a single new session.