Debug application code

Why would you want to debug an application?

Three scenarios:

  1. As an attacker you want to analyze and modify the app behavior. In this case the way I prefer is Frida, because it is much simpler and works in most cases. But sometimes an app detects Frida. Of course you can hook the method(s) that perform the Frida detection to bypass it, but it is often not so simple. Moreover, debugging lets you read the local variables inside a method, which Frida does not allow.

  2. A user has a debuggable application installed on their own device. If the application is debuggable you can:

    • Analyze and modify the legitimate behavior
    • Extract, without root privileges, all files inside the app's internal storage

  Note: This scenario is often impossible because no release application on the Play Store can have android:debuggable="true" [🔗] [🔗]. It means that the user has installed the app from a third-party store.

  3. You might have the app's Java source code. Again, this scenario is highly unlikely, but not impossible.

Prerequisites

You need a debuggable application. If the app is not debuggable, you can [🔗]:

  • Repackage the app and set android:debuggable="true" in AndroidManifest.xml. You don't need to be root.
  • Run the app in an emulator without Google services. Emulators have the ro.debuggable property set to 1. In some cases this may not suffice, as OS or app components may check the Manifest's debuggable flag before or during execution.
  • Use a rooted phone so you can modify ro.debuggable.

Debugging levels

You can debug an application at different levels:

  • Java
  • Smali
  • Native

Debug smali code

If you don't have the original Java code, you can debug the smali code. To do this, you can use IntelliJ/Android Studio with the smalidea plugin, or jadx.

jadx-gui guide

  1. Open the APK in jadx-gui
  2. Click the debug button
  3. If the app is already running, select its process. Otherwise you can launch the app from there.
  4. Now you can set breakpoints, read and modify register values, etc.

For more info: [🔗].

Debug java code

You need the original Java code. You can use tools like:

  • Android studio
  • jdb

Android studio

This is the simplest approach. You can follow the official guide: Debug pre-built APKs.

jdb

  1. (optional) Set the app to wait for a debugger (run from an adb shell)
am set-debug-app -w app_package_name

When the app is opened, it stops with a "Waiting for debugger" dialog until a debugger attaches.

  2. Find the app process id
adb shell ps | grep -i app_package_name
  3. Set up port forwarding
adb forward tcp:8000 jdwp:<PROCESS_ID>
  4. Start jdb
jdb -attach localhost:8000 -sourcepath <source_file>

# If you set the app to wait, you also need to suspend all threads
{ echo "suspend" ; cat ; } | jdb -attach localhost:8000 -sourcepath <source_file>
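The attach procedure above as a small helper script, added here as an example and not part of the original page. It selects the PID by exact process name instead of grep (so a secondary process like "pkg:remote" is not picked up), checks that the PID is actually listed by `adb jdwp` (only debuggable processes expose JDWP, so this is a quick way to confirm the app is debuggable before forwarding), then sets up the forward and attaches. Assumptions: toybox `ps -A` output with the process name in the last column (Android 8+), and GNU `timeout` on the host.

```shell
#!/bin/sh
# Helper for: find PID -> confirm JDWP -> adb forward -> jdb -attach.
# Assumes `ps -A` (Android 8+ toybox) with NAME as the last column.

# Print the PID of the process whose name is exactly $1.
# Reads `adb shell ps -A` output on stdin. Exact match on the last
# column avoids matching "com.example.app:remote" for "com.example.app".
pid_for_package() {
  awk -v pkg="$1" '$NF == pkg { print $2; exit }'
}

# Return 0 if PID $1 appears in `adb jdwp` output (read from stdin).
# A PID missing here means the process does not expose JDWP, i.e. the
# app is not debuggable: the forward would be created but jdb could not attach.
is_jdwp_pid() {
  grep -qx "$1"
}

# Full procedure. $1 = package name, $2 = local port (default 8000).
attach_jdb() {
  pkg="$1"; port="${2:-8000}"
  pid="$(adb shell ps -A | pid_for_package "$pkg")"
  [ -n "$pid" ] || { echo "no process named $pkg" >&2; return 1; }
  # `adb jdwp` keeps streaming, so cut it off after one second (GNU timeout).
  if ! timeout 1 adb jdwp | is_jdwp_pid "$pid"; then
    echo "pid $pid does not expose JDWP (app not debuggable?)" >&2
    return 1
  fi
  adb forward "tcp:$port" "jdwp:$pid"
  # Same as the page's step 4: suspend immediately if the app was set to wait.
  { echo "suspend"; cat; } | jdb -attach "localhost:$port"
}

# Only run the live procedure when a package name is passed and adb exists.
if [ -n "${1:-}" ] && command -v adb >/dev/null 2>&1; then
  attach_jdb "$1" "${2:-8000}"
fi
```

Run as `sh attach.sh com.example.app 8000`; the two parsing functions can also be used on their own against saved `ps` or `adb jdwp` output.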

Tips: Other useful commands

# List all forward socket connections
adb forward --list

# Remove a specific forward / all forwards
adb forward --remove LOCAL
adb forward --remove-all

jdb commands

# List loaded classes
classes

# Show the methods of a class
methods ClassName

# Set a breakpoint
# Even if the class ClassName has not yet been loaded,
# jdb registers the breakpoint and activates it
# as soon as the class is loaded by the JVM.
stop in ClassName.methodName

# Print the source code around the current position
list

# Dump the stack of the current thread
where

# List all commands
help