The `android` command, which is found in the tools directory of the Android SDK:
`su`, which is used to change to another user account. Press Control + D or type `exit` to quit `su` once in the remote shell.
Only if you're working with an emulator, you may alternatively restart adb with root permissions with the command `adb root`, so the next time you enter `adb shell` you'll have root access already. This also allows you to transfer data bidirectionally between your host computer and the Android file system, even with access to locations where only the root user has access (via `adb push/pull`). See more about data transfer in the section "Host-Device Data Transfer" below.
Use the `-s` flag followed by the device serial ID on all your adb commands (e.g. `adb -s emulator-5554 shell` or `adb -s 00b604081540b7c6 shell`). You can get a list of all connected devices and their serial IDs by using the following command:

- `adb tcpip 5555`.
- `adb connect <device_ip_address>`.
- Check that the device is now available by running `adb devices`.
- `adb shell`.

For example, on a Nexus device, you can find the IP address at Settings -> System -> About phone -> Status -> IP address, or by going to the Wi-Fi menu and tapping once on the network you're connected to.
`sshd` (starts by default on port 8022). In order to connect to Termux via SSH you can simply run the command `ssh -p 8022 <ip_address>` (where `ip_address` is the actual remote device IP). This option has some additional benefits, as it also allows access to the file system via SFTP on port 8022.
Use `ls` and `cd` as you normally would on your terminal to explore the available files:
`file download <some_file>`. This will download that file to your working directory. The same way, you can upload files using `file upload`.
Rather than running `adb pull <path_to_some_file>` from a separate terminal, you might just want to directly do `file download <some_file>`.
Download (`-d`) the selected APK by specifying its AppID (add `-p` to show a progress bar and `-v` for verbosity):
The `com.google.android.keep.apk` file will be in your current directory. As you might imagine, this approach is a very convenient way to download APKs, especially with regard to automation. You may use your own Google Play credentials or token. By default, gplaycli will use an internally provided token.
Use `adb pull` to retrieve the APK. If you don't know the package name, the first step is to list all the applications installed on the device:
Use `adb pull` to extract it.
Check whether `dist:module dist:instant="true"` is set for a given module (either the base or a specific module with `dist:module` set). Next, check for the various entry points, which entry points are set (by means of `<data android:path="</PATH/HERE>" />`).
Add the `ia` executable to your `$PATH`.
Add `path/to/android/sdk/extras/google/instantapps/ia` to your `$PATH`.
(Tick the `Deploy as instant app` checkbox in the Run/Configuration dialog) or deploy the app using the following command:
Tap the `try now` button in the App store from the testers account.
Use `adb install`
to install an APK on an emulator or connected device.
You can do this by using `pm` (Android Package Manager) or by using `frida-ps`:
List third-party apps (`-3`) and the location of their APK file (`-f`), which you can use afterwards to download it via `adb pull`:
Run `adb shell pm path <app_package_id>` on an app package ID:
Use `frida-ps -Uai` to get all apps (`-a`) currently installed (`-i`) on the connected USB device (`-U`):
Since the `unzip`
utility leaves some files such as the `AndroidManifest.xml` unreadable, you had better unpack the APK using apktool as described in "Recommended Tools - apktool". The unpacking results in:
Use `grep -i <keyword> AndroidManifest.xml`:
- `permission` (see "Android Platform APIs")
- `android:allowBackup` (see "Data Storage on Android")
- `activity`, `service`, `provider`, `receiver` (see "Android Platform APIs" and "Data Storage on Android")
- `debuggable` (see "Code Quality and Build Settings of Android Apps")
The compiled code (`classes.dex`)
can be found in the root directory of the app package. It is a so-called DEX (Dalvik Executable) file that contains compiled Java code. Due to its nature, after applying some conversions you'll be able to use a decompiler to produce Java code. We've also seen the folder `smali` that was obtained after we ran apktool. This contains the disassembled Dalvik bytecode in an intermediate language called smali, which is a human-readable representation of the Dalvik executable.
The `lib` folder in the APK:
`env` will show you all the directory information of the app.
- `/data/data/[package-name]` or `/data/user/0/[package-name]`
- `/storage/emulated/0/Android/data/[package-name]` or `/sdcard/Android/data/[package-name]`
- `/data/app/`
- `/data/data/[package-name]`
Logcat.
There are two ways to execute Logcat:
Use `ps` to be able to get its PID.
If `adb root` returns the error `adbd cannot run as root in production builds`, install tcpdump as follows:
If you get the error `mount: '/system' not in /proc/mounts`, replace `$ mount -o rw,remount /system;` with `$ mount -o rw,remount /`, as described in this Stack Overflow post. Remember: to use tcpdump, you need root privileges on the phone!
Run `tcpdump` once to see if it works. Once a few packets have come in, you can stop tcpdump by pressing CTRL+c.
Run `tcpdump` and pipe its output to `netcat` (nc):
`-`, which will make tcpdump write to stdout. With the pipe (`|`), we sent all output from tcpdump to netcat, which opens a listener on port 11111. You'll usually want to monitor the wlan0 interface. If you need another interface, list the available options with the command `$ ip addr`.
Download `cacert.der` by clicking the "CA Certificate" button. Change the file extension from `.der` to `.cer`.
`cacert.cer`.
Browsers may report `NET::ERR_CERT_VALIDITY_TOO_LONG` errors if the leaf certificate happens to have a validity exceeding a certain time (39 months in the case of Chrome). This happens if the default Burp CA certificate is used, since Burp Suite issues leaf certificates with the same validity as its CA certificate. You can circumvent this by creating your own CA certificate and importing it into Burp Suite, as explained in this blog post.
`network_security_config.xml`. This is explained in detail in the Android Network Security Configuration training.
`<certificates src="user" />`
as explained above.
the `dist` directory. Bear in mind that if the app you are testing has additional hardening measures, like verification of the app signature, you might not be able to start the app anymore. As part of the repackaging you will sign the app with your own key, and therefore the signature change will trigger such checks, which might lead to immediate termination of the app. You would need to identify and disable such checks, either by patching them during repackaging of the app or through dynamic instrumentation with Frida.
`+` button. Finally, a restart is required by Magisk Manager to let the changes take effect.
`mount -o rw,remount /system`. If this command fails, try running the following command: `mount -o rw,remount -t ext4 /system`
in `der` format (this is the default format in Burp Suite), then run the following commands:
Place the `<hash>.0` file into the directory /system/etc/security/cacerts and then run the following command:
For both solutions you need to activate "Support invisible proxying" in Burp, in Proxy Tab/Options/Edit Interface.
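A worked version of the `<hash>.0` naming step above, added here as an example (it is not code from the guide or from Burp): it assumes `openssl` is on your PATH and uses a constructed throwaway self-signed CA in place of the Burp export. The function names (`android_cacert_name`, `android_cacert_install_file`, `make_demo_ca`) are my own. The name Android expects is the OpenSSL "old" subject hash of the CA certificate followed by `.0`, and the file content must be the certificate in PEM form, which is why a DER export from Burp has to be converted first.

```shell
#!/bin/sh
# Added example (not part of the original guide): work out the file name Android's
# system CA store expects for a CA certificate, "<subject_hash_old>.0", and write the
# certificate in PEM form under that name. Assumes openssl is on PATH. The CA produced
# by make_demo_ca is a constructed throwaway, not a real Burp CA.

# android_cacert_name <cert-file> [DER|PEM]
# Prints the name the certificate must carry in /system/etc/security/cacerts (e.g. 9a5ba575.0).
# Burp exports DER by default, so DER is the default input format here.
android_cacert_name() {
  cert_in="$1"
  cert_inform="${2:-DER}"
  # Android looks CA files up by OpenSSL's old-style subject-name hash (-subject_hash_old).
  cert_hash=$(openssl x509 -inform "$cert_inform" -in "$cert_in" -noout -subject_hash_old) || return 1
  printf '%s.0\n' "$cert_hash"
}

# android_cacert_install_file <cert-file> <outdir> [DER|PEM]
# Writes <outdir>/<hash>.0 as PEM (the form the system store expects) and prints its path.
android_cacert_install_file() {
  src="$1"
  outdir="$2"
  src_inform="${3:-DER}"
  target_name=$(android_cacert_name "$src" "$src_inform") || return 1
  mkdir -p "$outdir" || return 1
  # Convert whatever came in to PEM; a DER body under a .0 name is silently ignored by Android.
  openssl x509 -inform "$src_inform" -in "$src" -outform PEM -out "$outdir/$target_name" || return 1
  # Every app reads the system store, so the file must be world-readable once on the device.
  chmod 644 "$outdir/$target_name"
  printf '%s\n' "$outdir/$target_name"
}

# make_demo_ca
# Creates a throwaway self-signed CA (constructed input) in a temp dir and prints the dir.
# It contains ca.pem and ca.der so both input formats can be exercised.
make_demo_ca() {
  demo_dir=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo CA" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/ca.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$demo_dir/ca.pem" -outform DER -out "$demo_dir/ca.der" || return 1
  printf '%s\n' "$demo_dir"
}

# Stand-alone demo: build the throwaway CA, then show the name and the PEM file produced.
demo=$(make_demo_ca) || { echo "could not create demo CA (is openssl installed?)" >&2; exit 1; }
echo "DER input -> $(android_cacert_name "$demo/ca.der" DER)"
echo "PEM input -> $(android_cacert_name "$demo/ca.pem" PEM)"
echo "written   -> $(android_cacert_install_file "$demo/ca.der" "$demo/out" DER)"
```

The file this produces is the one you push to the device and move into /system/etc/security/cacerts after remounting /system read-write, as described above. Because the name is derived from the subject name, a CA you regenerate with a different subject gets a different `<hash>.0` file name, and a DER and a PEM copy of the same certificate always map to the same name.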