Android Hacking Part 6: Debugging Android applications
In this article, we will learn how to use JDB to debug Android applications. If an Android application is debuggable, we can inject and run our own code in the application's process.
Background
To make this article more interesting, I developed a simple demo application with only one button and one input box.
Download:
Http://yunpan.cn/cf3RVN5fRRC73 (extract code: 8734)
Run the following command:
Click the button and the application prompts "Try Again". Our goal is to change the prompt to "Hacked" without modifying the program itself. Therefore, we need to change the content of the prompt while the program is running.
Tools used
- Emulator
- adb - Android Debug Bridge
- jdb - Java Debugger
For the sake of simplicity, I will use Android Tamer, which includes the tools mentioned above.
Related Topics:
- Vulnerability check
- Related setup
- Runtime code injection
Okay, start.
Vulnerability check
This is the simplest part of this article.
1. Use APKTOOL to decompile the application and obtain the AndroidManifest.xml file. The command is as follows:
# apktool d <vulnerableapp>.apk
2. Check whether the AndroidManifest.xml file contains the following content:
android:debuggable="true"
If you find such content in it, the application can be debugged.
Tip: We only used APKTOOL to check whether the application can be debugged, but we did not modify the application code.
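The same check can be automated as a release gate. The following is an added example, not code from the original article: it parses a decoded AndroidManifest.xml instead of searching for the string, so a commented-out attribute is ignored and a resource reference is reported as unresolved. The sample manifests and the @bool/is_debug name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS


def debuggable_status(manifest_xml):
    """Classify a decoded manifest: 'debuggable', 'not-debuggable' or 'unresolved'."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return "not-debuggable"
    value = app.get(DEBUGGABLE_ATTR)
    if value is None:
        return "not-debuggable"  # attribute absent: the platform default is false
    value = value.strip().lower()
    if value in ("true", "false"):
        return "debuggable" if value == "true" else "not-debuggable"
    return "unresolved"  # e.g. a resource reference; resolve it in res/values


def release_gate(manifests):
    """Names of builds that must not ship: anything not provably non-debuggable."""
    return sorted(name for name, xml in manifests.items()
                  if debuggable_status(xml) != "not-debuggable")


# Constructed sample manifests (assumption: the demo package is com.example.debug).
_HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
         'package="com.example.debug">')
SAMPLES = {
    "debug-build": _HEAD + '<application android:debuggable="true"/></manifest>',
    "release-build": _HEAD + '<application android:label="Demo"/></manifest>',
    "resource-ref": _HEAD + '<application android:debuggable="@bool/is_debug"/></manifest>',
    "comment-only": _HEAD + '<!-- android:debuggable="true" -->'
                            '<application android:debuggable="false"/></manifest>',
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, "->", debuggable_status(xml))
    print("blocked:", release_gate(SAMPLES))
```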
Preparation:
In this step, we will make some preparations for injecting code into the process. As mentioned above, we will use the remote debugging method.
1. Start the emulator
2. Install and test the application
3. Open the terminal and enter the following command to check which ports the Dalvik virtual machines are listening on in the emulator.
# adb jdwp
This command displays all the ports that can be connected and debugged, for example:
Tip: JDWP is the Java Debug Wire Protocol. If an application is debuggable, the application's virtual machine opens a unique port to which JDB can connect for debugging. Android's Dalvik virtual machine also supports this protocol.
4. Now open the test application we just installed and run the same command to view the listening port of our application.
Comparing the results of the two runs, we find that an additional port, 543, appears after the test application is started. This is the port corresponding to the test application, and it is the one we need to connect to with JDB.
5. Before connecting, we need to use adb to forward the port:
6. Now you can use JDB to connect and debug the Android application.
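Steps 3 to 6 as an added example, not code from the original article: it compares two `adb jdwp` listings, names the new entry from `adb shell ps` output, and builds the forward and attach commands. The identifier printed by `adb jdwp` is the process ID of the debuggable VM (what the article calls a port). The listings, the ps rows and the local port 54321 are constructed assumptions.

```python
def parse_jdwp(output):
    """Parse `adb jdwp` output: one numeric identifier (process ID) per line."""
    return {int(tok) for tok in output.split() if tok.isdigit()}


def new_jdwp_ids(before, after):
    """Identifiers present only in the second listing, i.e. the app just started."""
    return sorted(parse_jdwp(after) - parse_jdwp(before))


def name_processes(ids, ps_output):
    """Map identifiers to process names; in `ps` output PID is column 2, NAME is last."""
    names = {}
    for line in ps_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 2 and cols[1].isdigit():
            names[int(cols[1])] = cols[-1]
    return {i: names.get(i, "<unknown>") for i in ids}


def attach_commands(jdwp_id, local_port):
    """Commands that forward a local TCP port to the JDWP endpoint and attach jdb."""
    return ["adb forward tcp:%d jdwp:%d" % (local_port, jdwp_id),
            "jdb -attach localhost:%d" % local_port]


# Constructed sample data: listings before and after launching the demo app.
BEFORE = "372\n411\n489\n"
AFTER = "372\n411\n489\n543\n"
PS = """USER     PID   PPID  VSIZE  RSS   WCHAN    PC       NAME
system   372   37    212340 41200 ffffffff 00000000 S system_server
u0_a12   411   37    180112 30120 ffffffff 00000000 S com.android.launcher
u0_a46   543   37    175904 28764 ffffffff 00000000 S com.example.debug
"""

if __name__ == "__main__":
    for jdwp_id, name in name_processes(new_jdwp_ids(BEFORE, AFTER), PS).items():
        print(name, "is debuggable; JDWP id", jdwp_id)
        print("\n".join(attach_commands(jdwp_id, 54321)))
```

Run against a test device before release, the same comparison serves as an inventory check: a production build of the application should never appear in the `adb jdwp` listing.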
Remote code injection
We will use this method to modify the behavior of an application when it is running.
Therefore, we need to set breakpoints to control the program's execution flow. However, we do not yet know the classes and methods used by the application. Run the following commands to view classes and methods.
The command to list classes is "classes":
As there are too many printed classes, only a few classes are listed here, but you can continue to scroll down and you will find custom classes.
Run the following command to view the methods in MainActivity$1:
"methods com.example.debug.MainActivity$1"
Set a breakpoint in MainActivity$1.onClick:
"stop in com.example.debug.MainActivity$1.onClick(android.view.View)"
To trigger this breakpoint, you need to manually click the application button. The breakpoint is triggered after clicking:
From here, we can use various commands to view sensitive information such as variables and parameters.
To understand what is happening, the code of the onClick method is as follows:
Run the "locals" command to view local variables:
There is nothing we need in the local variables.
Execute the next line of code by running the "next" command:
Run the "locals" command again to view the local variables and see what the code did:
As shown, the TextView has been loaded and assigned to the tv variable, which means the corresponding TextView line of the code has been executed.
Run "next" again to execute the next line, and check the local variables:
This time the local variables are listed. The secret string variable looks suspicious: its value, "Try Again", is the message shown after we click the button.
As you can see in the source code, the setText method is used to set the value "Try Again". Use the "step" command to enter the "setText" method so that the displayed value can be modified dynamically.
Run the "locals" command to view the local variables in this method:
Use the "set" command to change the value of the "text" variable from "Try Again" to "Hacked".
We cannot see any change in the application yet, because execution has not been resumed.
Run the following command:
The result in the emulator is as follows:
As you can see, we have successfully modified the output of the running application. This is just one example of modifying the runtime behavior of an application using JDB. Other operations are also possible, such as "getting a shell".
Summary
In this article, we demonstrate how to attack an application that can be debugged. In actual product tests, penetration testers should also pay attention to whether the tested application can be debugged.