Attacking Android Applications With Debuggers https://blog.netspi.com/attacking-android-applic...

NetPI Blog

Attacking Android Search …

Applications With
Debuggers
Eric Gruber
Januar 19th, 2015

In this blog, I am going to walk through how we can attach a debugger to an Android application and step through method calls by using information gained from first decompiling it. The best part is, root privilege is not required. This can come in handy during mobile application penetration tests because we can step into an application while it’s running and potentially obtain and write information that we normally wouldn’t have access to. Some examples include intercepting traffic before it is encrypted, obtaining encryption keys when they are being used, and obtaining passwords and other sensitive data when they don’t touch the disk. This blog should be interesting to mobile penetration testers and developers who are trying to gain a better understanding of possible attacks on the Android platform.

Requirements
Setting up the Device
Determining Debuggability
Modifying the AndroidManifest.xml to Enable Debugging
Setting up the IDE
Dumping the APK and Decompiling to Source
Attaching the Debugger
Conclusion

Requirements
Below is a list of requirements for performing the attacks covered in this blog.

Windows/Mac OS X/Linux
Java (1.7 Recommended)
IDE (Eclipse, IntelliJ IDEA, Android Studio)
Android SDK (https://developer.android.com/sdk/index.html?hl=i)
APKTool (https://code.google.com/p/android-apktool/)/APK Studio (http://apkstudio.codeplex.com)
Android Device/Emulator
Dex2Jar (https://code.google.com/p/dex2jar/)
JD-GUI (http://jd.benow.ca/)

For this blog I will be using Windows 8, Android Studio, and IntelliJ IDEA. The device I am using is a stock Nexus 4 running Android 4.4.4. I recommend that all the tools are added to your path environment variable so they can be easily accessed.

For those of you who want to use the APK I am using in this blog, you can download it here:
com.netspi.egruber.test.apk

Setting up the Device

The instructions below walk through how to get your device ready for testing.

Enable Developer Options

The first thing we need to do is make sure our Android device has USB debugging enabled. This is so we can communicate with it using the Android SDK tools. To do this we need to enable the Developer options. If you are running a stock Android device then this can be done by navigating to Settings > About Phone and tapping on the Build Number multiple times. Eventually it should say that the Developer options have been enabled.

Enable USB Debugging

Next we access the Developer options by going to Settings > Developer options. Then we can enable USB debugging.

Plug-in Device via USB and Start ADB

After plugging the device into our computer, it should say, “USB debugging connected on the device”. We also want to make sure that we can connect to the device with the Android Debug Bridge (ADB). This is software included within the Android SDK under platform-tools. By typing:

adb devices

in a shell our device should come up and look like this:

If your device does not come up, the most likely reason is that the correct driver has not been installed (on Windows). Depending on the manufacturer, this can be obtained from the Android SDK or the manufacturer website.

Determining Debuggability
When debugging Android applications, we first have to check whether or not the application is set to be debugged. We can check this in a few different ways.

The first way is to open the Android Device Monitor in the Android SDK under the tools directory. On Windows it will be called monitor.bat. When we open the Android Device Monitor, we can see our device listed in the Devices section.

If an application on the device is set as debuggable, then the application would show up here. I created a test application and we can see here that it is not set to be debuggable.

The second way we can check for debuggability is by looking at the AndroidManifest.xml file from the APK of the application. An APK is essentially a zip file of all the information our application needs to run on an Android device.

If you do not have the APK for your application, then we have to pull it off of the Android device. Whenever an application is downloaded from the Google Play Store, it downloads the APK of the application and stores it on the device. The downloaded APK files are usually stored in /data/app on the device. If your device is not rooted, then you will not be able to list the files in the directory. However, if you know the name of the APK, then it can be pulled down using the adb tool. To find the name of the APK we want to pull down, open a shell and type:

adb shell

This will give us a shell on the device. Then type:

pm list packages -f

This will list all the packages on the device.

Looking through the list we can find the application we want.

Next, we need to pull down the APK. To do this, open a shell and type the following command:

adb pull /data/app/[.apk file] [location]

Now that we have our APK, we want to open it and look at the AndroidManifest.xml file. Unfortunately, we can’t unzip the APK and view the xml file. It is binary encoded and must be decoded. The most popular tool to do this is apktool. However, I have been using the tool APK Studio recently because it has a nice GUI which is easy to navigate. For the rest of the blog I will be using APK Studio.

To begin using APK Studio, select the little green android icon. Give your project a name and select the APK for APK Path. Then, give a location that everything should be saved to.

After opening the APK, select the AndroidManifest.xml file and look at the application node. If there is no flag that says android:debuggable, then the APK is not debuggable. If there is a flag that says android:debuggable="false", then the APK is also not debuggable.
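
The same manifest check can be scripted, for example as a release gate that rejects a build whose decoded manifest marks the application debuggable. This is an added example, not code from the original post; it assumes the manifest has already been decoded to text (as apktool and APK Studio do), and the sample manifests, the is_debug resource name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS

# Constructed sample manifests, in the decoded text form described above.
MANIFEST_DEFAULT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.netspi.egruber.test">
  <application android:label="test"/>
</manifest>"""
MANIFEST_PATCHED = MANIFEST_DEFAULT.replace(
    "<application ", '<application android:debuggable="true" ')
MANIFEST_REFERENCE = MANIFEST_DEFAULT.replace(
    "<application ", '<application android:debuggable="@bool/is_debug" ')


def debuggable_state(manifest_xml, bools=None):
    """Return (package, state); state is 'true', 'false', 'absent' or 'unresolved'.

    bools maps @bool resource names to 'true'/'false' (taken from the decoded
    res/values/bools.xml) for manifests that set the flag through a reference.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml document")
    package = root.get("package", "")
    app = root.find("application")
    raw = app.get(DEBUGGABLE) if app is not None else None
    if raw is None:
        return package, "absent"          # no flag: not debuggable
    raw = raw.strip()
    if raw.startswith("@bool/"):
        # The flag points at a resource; without its value we cannot decide.
        raw = (bools or {}).get(raw[len("@bool/"):], "unresolved")
    value = raw.lower()
    return package, value if value in ("true", "false") else "unresolved"


def release_gate(manifest_xml, bools=None):
    """True only when the manifest does not mark the application debuggable."""
    _, state = debuggable_state(manifest_xml, bools)
    return state in ("absent", "false")


if __name__ == "__main__":
    for name, xml in [("default", MANIFEST_DEFAULT), ("patched", MANIFEST_PATCHED),
                      ("reference", MANIFEST_REFERENCE)]:
        print(name, debuggable_state(xml), "pass" if release_gate(xml) else "FAIL")
```

An unresolved reference fails the gate on purpose, so a flag hidden behind a resource has to be looked up rather than assumed safe.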

Modifing the
9 di 28 02/02/18, 14:56
Attacking Android Applications With Debuggers https://blog.netspi.com/attacking-android-applic...

AndroidManifest.xml to
Enable Debugging
The nice thing about apktool and APK tudio is that
we can edit an of the decompiled Android �les
and recompile them. That’s what we’re going to do
here. We are going to make the application
debuggable b adding in the android:debuggable
�ag. Edit the AndroidManifest.xml so that the
application node contains
android:debuggable=”true”.

After we have added that flag, rebuild the APK by selecting the hammer icon in the menu. Our rebuilt APK file should be located in the build/apk directory.

Rebuilding the application will also sign it so that it can be installed back on the device. All Android applications have to be signed. Most applications don’t check if they were signed by the original certificate. If your application does check, then this may not work unless the portion of code that checks is edited as well.

Next we need to install our newly rebuilt APK. First, uninstall the application on the device. This can be done from the command line using adb:

adb shell pm uninstall [package name]

Then install using:

adb install [.apk file]


You can also uninstall and reinstall the APK with the
following command:

adb install -r [.apk file]

Check and make sure that the reinstalled application runs correctly on the Android device. If everything is working, go back to the Android Device Monitor and our application should now appear under the Devices section.

Setting up the IDE

Now that our application is marked as debuggable, we can attach a debugger to it. But before we do that, we need to set up our IDE for the application we want to debug. For this blog, I am using IntelliJ IDEA. To begin, I am going to create a new Android Project. The application name can be anything, but the package name has to be the same name as the APK package structure.

This can be as easy as the name of the APK. However, if you are still not sure, you can look at APK Studio and follow the package structure to where the application files are located. For my application, the package structure is the name of the APK, “com.netspi.egruber.test”. This can also be seen in APK Studio.

Uncheck the “Create Hello World Activity” checkbox and finish creating the project by selecting the default values. After that is done, your project layout should now look like this:

Now that we have our project created, we need to populate it with the source code from the Android APK. The reason we need to do this is so the debugger knows the names of the symbols, methods, variables, etc. for the application. The nice thing about Android applications is that they can be decompiled rather easily back to mostly correct java source code. We need to do this and import all of it into our project in the IDE.

Dumping the APK and Decompiling to Source
The first thing we need to do to get the source code back from the Android application is to convert the APK file to a jar file. We can then use a java decompiler to retrieve the java source code. To do this, we are going to use the tool dex2jar. Dex2jar contains the bat file d2j-dex2jar that can be used to convert an APK to a jar file. The syntax is simple:

d2j-dex2jar.bat [.apk file]

You should now have a jar file of the APK. Next we are going to use the Java decompiler JD-GUI to open the jar file. Simply open the jar file or drag it into the workspace of JD-GUI.

You should now see the package structure of the jar file. Inside all of the packages should be java files complete with readable source code. What we’re going to do now is save all of the source code to a zip file by selecting File > Save All Sources.

After the source has been saved, unzip it into its own directory.

Now we need to import these two directories into our Android project in our IDE. For IntelliJ, navigate to the src folder of your project and paste the two directories in there.

If we go back to the project in IntelliJ, the project structure should update.

Clicking on one of the imported activities should show the source code. As you can see from the screenshot, the source code I imported is obfuscated using ProGuard.

Attaching the Debugger

Now that we have our project populated with source code of the application, we can then start setting breakpoints on method calls and variables to pause the execution of the process when those are reached. In this example I am setting a breakpoint on a method when someone enters a value into a text box. This does work with obfuscated code.

After the breakpoint has been set, attach the debugger to the application process on the Android device by selecting the little screen icon in the upper right hand corner. This may be different depending on your IDE.

Next you will be prompted to choose a process on the device. Only debuggable processes will appear.

After selecting the debuggable process, the debugger will connect to the device.

In my test application, I will enter the number “42” into the text box that we have a breakpoint set for.

After selecting “Enter Code”, the process pauses execution at the breakpoint. The reason this works is that the debugger knows what is being called on the device. The compiled Android application contains debug information such as variable names that are accessible to any debugger that understands the Java Debug Wire Protocol (JDWP). If an Android application allows debugging, a JDWP compatible debugger, such as most Java IDEs, will be able to connect to the Virtual Machine of the Android application and read and execute debug commands.
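
What “read and execute debug commands” means on the wire, as an added example that is not part of the original post: the framing below follows the public JDWP specification (a fixed handshake string, then 11-byte packet headers), which is also what makes JDWP easy to recognise in a capture. The function names are this example’s own, and the sample reply is constructed, not captured from a device.

```python
import struct

HANDSHAKE = b"JDWP-Handshake"    # 14 ASCII bytes: sent by the debugger, echoed by the VM
HEADER_LEN = 11                  # length(4) + id(4) + flags(1) + 2 type-specific bytes
FLAG_REPLY = 0x80
VIRTUAL_MACHINE, VERSION = 1, 1  # command set 1 (VirtualMachine), command 1 (Version)


def command_packet(packet_id, command_set, command, data=b""):
    """Debugger -> VM: length, id, flags=0, command set, command, then data."""
    return struct.pack(">IIBBB", HEADER_LEN + len(data), packet_id, 0,
                       command_set, command) + data


def reply_packet(packet_id, error, data=b""):
    """VM -> debugger: length, id, flags=0x80, 16-bit error code, then data."""
    return struct.pack(">IIBH", HEADER_LEN + len(data), packet_id,
                       FLAG_REPLY, error) + data


def jdwp_string(text):
    """JDWP strings are a 4-byte big-endian length followed by UTF-8 bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def parse_packet(buf):
    """Decode one packet; raises ValueError on a truncated or inconsistent header."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated JDWP header")
    length, packet_id, flags = struct.unpack(">IIB", buf[:9])
    if length < HEADER_LEN or length > len(buf):
        raise ValueError("bad JDWP length field")
    body = buf[HEADER_LEN:length]
    if flags & FLAG_REPLY:
        (error,) = struct.unpack(">H", buf[9:11])
        return {"kind": "reply", "id": packet_id, "error": error, "data": body}
    return {"kind": "command", "id": packet_id, "set": buf[9], "cmd": buf[10],
            "data": body}


def read_string(buf, offset):
    (size,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + size
    return buf[offset + 4:end].decode("utf-8"), end


def parse_version_reply(data):
    """VirtualMachine.Version reply: description, JDWP major/minor, VM version, VM name."""
    description, off = read_string(data, 0)
    major, minor = struct.unpack_from(">ii", data, off)
    vm_version, off = read_string(data, off + 8)
    vm_name, _ = read_string(data, off)
    return {"description": description, "jdwp": "%d.%d" % (major, minor),
            "vm_version": vm_version, "vm_name": vm_name}


# Constructed sample reply (not captured from a device).
SAMPLE_REPLY = reply_packet(1, 0, jdwp_string("constructed sample VM")
                            + struct.pack(">ii", 1, 6)
                            + jdwp_string("0.0") + jdwp_string("SampleVM"))
```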

We can see the value that we entered into the application under the variables section.

Conclusion
From here we can not only read data from the application, but also insert our own. This can be useful if we wanted to interrupt the flow of the program and possibly bypass application logic. By debugging, we can get a better understanding of how Android applications perform certain actions that we would otherwise be unable to see. This can come in handy especially when we need to view how encryption functions are being used and the values of dynamic keys. It is also helpful when debugging functions that interact with the filesystem or a database to see when and how information is being saved. Without the need of root privileges, we have the capability to perform these types of tests on an Android device.

23 Comments on "Attacking Android Applications With Debuggers"

gdogg (Guest), 3 years 11 days ago
You can uninstall the package using PM as well:
pm uninstall

Eric Gruber (Author), 3 years 10 days ago
Thanks. You certainly can. I’ll update the post with that.

Bill Maca (Guest), 3 years 11 days ago
Does the method work with apps that are protected via Dexguard as opposed to Proguard?

Bill Maca (Guest), 3 years 10 days ago
Does the method work with apps that are protected via Dexguard as opposed to Proguard?
I am seeing failed to decompile against a dexguard app.

Eric Gruber (Author), 3 years 10 days ago
Unfortunately I don’t have a license to try it out. I’m guessing it doesn’t work because current decompilers don’t understand dexguard obfuscation. The same is with the Zelix classmaster. JD-GUI can’t decompile that for Java applications.

Otto (Guest), 3 years 10 days ago
Can you provide your apk file, it would be nice to have the file to follow along this great tutorial.

Eric Gruber (Author), 3 years 9 days ago
Hi Otto,
I added the download link under the Requirements section.
Thanks,
Eric

Otto (Guest), 3 years 7 days ago
Thank you very much. Carry on the great work!

Jack (Guest), 3 years 9 days ago
The article is really nice. Thanks for sharing.
Cheers Eric.

Valdik (Guest), 3 years 9 days ago
Thanks! Very lean and clean article.

MIlanG (Guest), 3 years 9 days ago
You can also try tool that we wrote and demonstrated around the world last year. It’s called Vaccine.
You can write your own code on the fly, that interacts with the running application and executes and you have access to all variables (public,private) …
Tool is available free from GitHub.
https://www.viris.si/2015/01/analysing-android-applications-or-just-cheating-in-games/

Eric Gruber (Author), 3 years 4 days ago
Didn’t see the comment when it came in.

Richard (Guest), 3 years 1 day ago
Very good post, liked it

vladimir gotman (Guest), 2 years 9 months ago
Hello and thanks for the guide
I have a problem that the app which I’m trying to debug checks the sign.
You said that there is something to do
can you please explain?
thanks

mikel ravizza (Guest), 2 years 8 months ago
excellent explanation. I’ve been messing around with this for about 4 days. and basically came to the same conclusion.. I had the feeling there was a deliberate attempt by the “java people” to write vague and incomplete explanations, but in the end I imagine it’s just inexperience in how to explain software techniques. Being a developer from the land of C I vote for your method, this is how we do it on our planet, clear with no attempt to (1) make the reader feel like an imbecile, and (2) not just simply copying others’ explanations resulting in thousands of…

KevMo (Guest), 1 year 7 months ago
Hi – great article. When I am trying to do this, when I set the breakpoints in an Activity onCreate method (after importing them to the project after saving sources from jd-gui), IDEA tells me “No executable found at line…” for the breakpoints I set. It never hits them. Any ideas? I have set android:debuggable=”true” and I am able to see the process under android monitor, and I am able to see it in IDEA’s remote debugging section.

sugih liawan (Guest), 1 year 5 months ago
Thanks for the knowledge..
Great work you had made

Scott Sutherland (Editor), 1 year 5 months ago
Glad you found it useful

Soumya Lahiri (Guest), 1 year 4 months ago
I have some java script files in .apk asset folder, I want to debug that, how to?

palm (Guest), 1 year 3 months ago
Hi, I’ve tried to follow this tutorial in order to debug an apk and examine it. I’ve used android studio, but it seems java code in android studio is not linked to app on device attached. Breakpoints don’t work. Can you help me to understand why?
Thanks

Benjamin Dawkins (Guest), 11 months 11 days ago
Thank you very much, this helped me a lot to get The Zipcrypto password of An APk’s data,

Eric Gruber (Guest), 11 months 11 days ago
Glad it was helpful.

David Feinzeig (Guest), 8 months 29 days ago
Super helpful, thanks! One minor note, seems the default project layout for IntelliJ IDEA has changed.
