android command, which is found in the tools directory of the Android SDK:
su, which is used to change to another user account.
press Control + D or type
su once in the remote shell:
Only if you're working with an emulator, you may alternatively restart adb with root permissions with the command
adb root so next time you enter
adb shell you'll have root access already. This also allows you to transfer data bidirectionally between your host computer and the Android file system, even to locations that only the root user can access (via
adb push/pull). See more about data transfer in section "Host-Device Data Transfer" below.
-s flag followed by the device serial ID on all your
adb -s emulator-5554 shell or
adb -s 00b604081540b7c6 shell). You can get a list of all connected devices and their serial IDs by using the following command:
adb tcpip 5555.
adb connect <device_ip_address>. Check that the device is now available by running
For example, on a Nexus device, you can find the IP address at Settings -> System -> About phone -> Status -> IP address or by going to the Wi-Fi menu and tapping once on the network you're connected to.
sshd (starts by default on port 8022). In order to connect to Termux via SSH you can simply run the command
ssh -p 8022 <ip_address> (where
ip_address is the actual remote device IP). This option has some additional benefits, as it allows you to access the file system via SFTP, also on port 8022.
cd as you normally would on your terminal to explore the available files:
file download <some_file>. This will download that file to your working directory. In the same way, you can upload files using
adb pull <path_to_some_file> from a separate terminal, you might just want to directly do
file download <some_file>.
com.google.android.keep.apk file will be in your current directory. As you might imagine, this approach is a very convenient way to download APKs, especially with regard to automation.
adb pull to retrieve the APK. If you don't know the package name, the first step is to list all the applications installed on the device:
adb pull to extract it.
dist:module dist:instant="true" is set for a given module (either the base or a specific module with
dist:module set). Next, check which entry points are set (by means of
<data android:path="</PATH/HERE>" />).
ia executable to your
Deploy as instant app checkbox in the Run/Configuration dialog) or deploy the app using the following command:
try now button in the app store from the tester's account.
adb install to install an APK on an emulator or connected device.
pm (Android Package Manager) or by using
-3) and the location of their APK file (
-f), which you can use afterwards to download it via
adb shell pm path <app_package_id> on an app package ID:
frida-ps -Uai to get all apps (
-a) currently installed (
-i) on the connected USB device (
unzip utility leaves some files such as the
AndroidManifest.xml unreadable, you had better unpack the APK using apktool as described in "Recommended Tools - apktool". Unpacking produces:
grep -i <keyword> AndroidManifest.xml:
permission(see "Android Platform APIs")
android:allowBackup(see "Data Storage on Android")
receiver(see "Android Platform APIs" and "Data Storage on Android")
debuggable(see "Code Quality and Build Settings of Android Apps")
classes.dex) can be found in the root directory of the app package. It is a so-called DEX (Dalvik Executable) file that contains compiled Java code. After applying some conversions, you'll be able to use a decompiler to produce Java code. We've also seen the folder
smali that was obtained after we ran apktool. This contains the disassembled Dalvik bytecode in an intermediate language called smali, which is a human-readable representation of the Dalvik executable.
lib folder in the APK:
env will show you all the directory information of the app.
ps to be able to get its PID.
adb root returns the error
adbd cannot run as root in production builds, install tcpdump as follows:
mount: '/system' not in /proc/mounts.
Remember: To use tcpdump, you need root privileges on the phone!
tcpdump once to see if it works. Once a few packets have come in, you can stop tcpdump by pressing CTRL+C.
tcpdump and pipe its output to
-, which will make tcpdump write to stdout.
|), we sent all output from tcpdump to netcat, which opens a listener on port 11111. You'll usually want to monitor the wlan0 interface. If you need another interface, list the available options with the command
$ ip addr.
cacert.der by clicking the "CA Certificate" button.
NET::ERR_CERT_VALIDITY_TOO_LONG errors if the leaf certificate happens to have a validity period exceeding a certain length (39 months in the case of Chrome). This happens if the default Burp CA certificate is used, since Burp Suite issues leaf certificates with the same validity as its CA certificate. You can circumvent this by creating your own CA certificate and importing it into Burp Suite, as explained in this blog post.
network_security_config.xml. This is explained in detail in the Android Network Security Configuration training.
<certificates src="user" /> as explained above
Bear in mind that if the app you are testing has additional hardening measures, like verification of the app signature, you might not be able to start the app anymore. As part of the repackaging you will sign the app with your own key, so the changed signature will trigger such checks, which might lead to immediate termination of the app. You would need to identify and disable such checks, either by patching them during repackaging of the app or by dynamic instrumentation through Frida.
+ button. Finally, a restart is required by Magisk Manager to let the changes take effect.
mount -o rw,remount /system. If this command fails, try running the following command:
mount -o rw,remount -t ext4 /system
der format (this is the default format in Burp Suite), then run the following commands:
<hash>.0 file into the directory /system/etc/security/cacerts and then run the following command:
For both solutions you need to activate "Support invisible proxying" in Burp, in Proxy Tab/Options/Edit Interface.
ProxyInfo class and check the getHost() and getPort() methods. There might be various other methods to achieve the same task, and you would need to decompile the APK in order to identify the actual class and method name.