The Android Debug Bridge (adb)

In a previous chapter, we looked at Android Studio. This is an IDE that developers use to write, build, and deploy Android apps. We now have to go back to Android Studio and install some platform tools. Platform tools give us some additional tools, one of which is the Android Debug Bridge (adb) as you will see; this tool is frequently used and is very useful when both developing and hacking Android apps. In Android Studio’s welcome screen, click Configure and then click SDK Manager, then click SDK Tools, and tick the box for Android SDK Platform-Tools as shown in Figure 5-2.

Then click the OK button, and after answering yes to the question whether you want to proceed with the installation, the platform tools should be installed. You can see the location to which Android Studio installs the platform tools in the installation progress window, part of which is shown in Figure 5-3.

Enter your password when prompted. Now type in or copy and paste your location into the file. When you’re done, press Ctrl + x to exit. You will be prompted whether you want to save the file, so press Y. Now if you list the contents of your /etc/paths.d/ directory, you will see the file that you newly created like in Figure 5-4.

Then close and reopen your terminal to start a new shell so that your new paths are in place and type in adb. You should see a response similar to Figure 5-5. The help and various parameters for adb go on for a few pages, but I have captured just the first few lines for brevity. If your adb doesn’t work or you get an adb: command not found response, then you haven’t set your path up correctly, or you haven’t installed the platform tools correctly. While I would take great joy in helping you figure those out to further fatten up my book, I shall not. Instead, be good little ones and go ask Google for some help. I’m here all week. I’ll wait.

Throughout this book, I keep looking for a glorious opportunity to write “Now here’s where the rubber really meets the road!” I thought this would be it, but didn’t want to squander an opportunity, so just hold that phrase in your head for now. First, let’s talk a little bit about the Android Debug Bridge and how it connects to your phone. The Android Debug Bridge allows you to debug apps and communicate with an Android device from the command line. It can provide you with a Unix shell on the device so that you can run further commands from the context of the device. The entire adb framework comprises of three parts:

1. 1.

   The adb client: This is what you will always use when you want to install an app onto a device, copy an apk from a device to your workstation, or invoke a remote shell on a device. This runs on your workstation.

    
2. 2.

   The adb server: This part is always running on your workstation. In some cases, you may also have to start the server manually by entering adb start-server. The first time you invoke the adb command, you may see a message that says * daemon not running; starting now at tcp:5037. This is the adb server starting up on your workstation. Figure 5-6 shows the output of the lsof command showing a listening adb server.

    
3. 3.

   The adb daemon: This part runs on every Android device. Also running in the background, the adb device daemon is always running and ready to connect with a server and execute client commands as necessary.

    

The client talks to the server which then makes a connection to the remote Android device’s adb daemon. It looks like Figure 5-7.

Developer Mode

You may be concerned that your Android device is always running around with a daemon or server listening for all manner of connections from either USB or the network, but it isn’t that simple. First, you have to put your phone into Developer Mode and then enable USB debugging. This is the stage when your phone will listen for commands coming from a remote adb server.

Yes, I know, exciting stuff! Figures 5-8 and 5-9 show what it looks like when you’re already a developer on two different phones.

By becoming a developer, you get access to a hidden menu under the System menu of the device Settings menu. Now go back to the System menu, and you will see Developer Options. Further, within the Developer Options menu, scroll down to where the title says Debugging, and look for the USB debugging switch and turn it on. You should get a confirmation dialog box asking you to confirm. Press OK and then USB debugging mode will be switched on!

Super! Now let’s connect our phone to our workstation, shall we? Grab a hold of your USB cable that came with your phone and plug the phone into your workstation. In my case, I will plug it into my MacBook. One useful and secure feature of the newer Android builds is that whenever you plug the phone into a computer, you get prompted whether to trust the device or not. This makes things a lot safer from folks who think they could just rock up to you at a Starbucks when your back is turned, plug their computer into your phone and instantly root your device, hack it, and walk away. If you don’t keep your phone locked, they can still do this because they can just allow access themselves. But this will never happen because we all protect our phones with a password or biometric access, right? Good. For now, go ahead and trust your own computer by clicking Allow (Figure 5-11).

That should result in an output similar to that in Figure 5-12.

The command itself is straightforward. We use adb pull to pull the apk from the device. We supply the adb pull command with our path. Then we leave a space and give it the name lylt.apk. In Android when apps are installed, they are named base.apk which gets a bit confusing when you have to work with many of them, so I rename it whenever I pull the apk to my computer – which is what we have done.

Our next step is to look inside the apk and figure out what is going on in there. There are a few different ways of doing this and also different tools that we can use. I will talk about how I analyze an apk and the tools that I use.

APKTool

APKTool is a command-line tool for reverse engineering Android apps. You can find APKTool at https://ibotpeaches.github.io/Apktool/. Getting APKTool is very easy, especially if you don’t want to build it from source. The instructions are quite simple, and I leave it to you as an exercise to follow from here: https://ibotpeaches.github.io/Apktool/install/.

If you’re a Mac user, you can easily install APKTool from Homebrew by executing

brew install apktool

What you generally want to look for is in the AndroidManifest.xml and the other “smali_classes” directories. The Android Manifest of course contains essential information about the app. You will find a lot of information ranging from package name, what components exist in the app, compatibility, permissions, and where the start points of the apps themselves are. This would be the app entry point with which you can begin your tracing. The entry point is the one that gets executed when a user taps the app icon. To find this, you have to look for the Activity name that has the MAIN action type and the LAUNCHER category. If we look through Lylt’s Manifest, we can see that com.lylt.customer.feature.onboarding.OnBoardingActivity is the entry point.

I use the command find . -type f |grep OnBoardingActivity which prints out every file name in this directory and does so recursively through every subdirectory but then only shows me the ones that have OnBoardingActivity in the name while being case sensitive. The one we’re after is this one: ./smali_classes2/com/lylt/customer/feature/onboarding/OnBoardingActivity.smali.

I use Sublime Text 3 as my text editor, and I love it. I paid for it, and it is fully worth it. Sublime can be extended through its built-in package manager. It also has syntax highlighting that you can download through this package manager, and I have downloaded and installed the smali syntax highlighter. I think it is invaluable. Otherwise, you will be staring at white text with little context if there’s no highlighting. Figure 5-13 has an image of the file opened in Sublime Text 3 with smali syntax highlighting. Another good option to consider is Visual Studio Code as it is another tool that has a large number of extensions available for use.

It is easy enough to start analyzing an app with APKTool and some Unix magic together with Sublime Text. You can still get the job done in terms of tracing program flow, figuring out which component does what, and so on. I think this would take a little longer though, because of a lack of a unified project management interface. I did an experiment with a Unix one-liner to generate a tree out of the directories we had generated. Had I used it in this book, even formatted for it to read like code, it would take up 20 pages in this chapter that I don’t think it would be worth anyone’s while in including – no matter how fat this book got.

Therefore, I must reluctantly bid goodbye to APKTool and its friends when I analyze apps. I want to reiterate that like a mechanic working on a high-performance car, in the absence of time to make them, the best thing to do would be to buy some high-quality tools. This is why I will now move on to JEB.

JEB

JEB, if I have not said before, is one of my favorite tools in my toolbag. Some may find it priced quite high, but I feel it is quite worth the payment – especially on the topic of getting good tools to get the job done. I consider JEB to be a self-contained reverse engineering toolkit. It has a user interface that puts a lot of very useful features at my fingertips and that I can view at a glance. Figure 5-14 shows the typical JEB interface. I will briefly describe the components here:

• Main window: This is where you see disassemblies, bytecode, and decompiled source code. It also shows you a graphical view of the various code components so you can easily visualize branching and jumps.

• Explorer: This is the project explorer. You can see and open files such as the Android Manifest, certificates, and resources such as strings and image.

• Hierarchy: This window shows the directory tree of the disassembled apk. The source files that were packaged into this apk will be visible for you to navigate. This includes third-party libraries and the app’s code.

• Logger: This window shows you JEB’s execution and what it is doing in the background. Errors, warnings, and others will show up here. You also get access to a terminal that you can use while debugging.

• Callgraph: From here, you can generate the callgraph for your apk. Essentially, a callgraph is a visual representation of all calls made by your app to other parts of your app, third-party libraries, or frameworks.

The actual process of conducting a static analysis varies greatly, but what is common is to understand what source code triggers a certain behavior in an app. One common use case of static analysis is to discover how data is encrypted within an application. If someone has rolled their own encryption or encoding mechanisms, we can easily uncover it in a session of static analysis. Another reason would be to see how or whether sensitive data was stored on a device – data such as an encryption key, a private key, or a shared secret that you can later use to decipher communications between the app and the server. Other things I look for when doing static analysis are source code that may generate or validate a specific code. For example, if the app requires you to enter a serial number or specific key code, then I take great joy in discovering how to defeat that check for a valid key entry. I will spend days if I have to tracking down the piece of code where the check is done to verify whether a specific code entered is correct. Usually, this is the gatekeeping function that will see if you have the correct code in order to unlock a specific feature. Two ways to go about defeating this would be (1) to learn how the algorithm works and write code using that algorithm to generate your own keys or codes – the older of you would know this as keygenning – and (2) to bypass the check altogether. Usually, the gatekeeper has at its core a very basic if-else function. If key is correct, allow access; if not, deny. So, one thing you can do is patch the apk or source code and rebuild the app so that your version allows access even if the code is incorrect.

If you don’t have JEB and are wondering what your options are, then there are a few. APKTool is one which will decompile your APKs into smali code, which is still easy enough to understand, but obviously not as great as having Java code. A really good tool combo to use is dex2jar and JD-GUI, which we covered briefly in the previous chapter. Essentially, it would involve converting your APK into a JAR file and then decompiling the JAR file through JD-GUI. You don’t get the cool debugger or the additional on-the-fly decryption of obfuscated strings and such, but it can still be pretty effective. In place of a debugger, you can consider using Frida which does runtime instrumentation. That means that you can locate and pause and alter bits of the app while it is running. Frida does require rooted devices for it to run well, however.

I’d like to highlight a few more screens from JEB and its features. Figure 5-15 shows the decompilation of the Lylt app’s OnBoardingActivity. Then Figure 5-16 shows the source code hierarchy and how easy it is to navigate. Lastly, Figure 5-17 shows the graphical representation of the code to visualize the program flow.

As an attacker, and a helpful one at that, what your aim should be is to find instances where the engineering team or developer has made less secure decisions when writing their code. These instances can be used as tools to further their learning. I find that taking the time to learn and understand the context of the code and then presenting the actual code to the developer, sitting with him, and working through the reasons are more powerful than taking the approach of “Oi I’m security, do what I tell you to do.” Of course, you may have to invest some time and energy in learning to communicate with less receptive people. This is because from the beginning, the sitting down of developer and security engineer is viewed as adversarial. It never is. The adversary is out there – the hacker that is trying to wreak havoc on your systems, not the guy working in the same company trying to figure out together with you how to solve a particular security concern. In practice, this is rarely the case. The us vs. them mentality is prevalent throughout startups and organizations. I was personally responsible for propagating such a message to my team, not explicitly but by cheering them on and acknowledging how good they were. My praise of them began to take on a note of pride in competence. We were so good that we could take apart any developer’s code. Praise is important; hubris is unforgivable. Learn to work well with your engineering team. It will pay dividends in the long run.