Today we will be diving into a tool that is essential for Android mobile application testing, Android Debug Bridge, or as it is more often known ‘adb’. If you have done any testing of Android mobile applications, Android phones, or even Android-based IoT devices then you will almost certainly have used adb before. In this post, we will be detailing some installation details for anyone getting set up, the main functionality of adb, and some additional functionality that may be overlooked that may help on your next mobile assessment.
There are a few ways that you can install adb on your machine. The easiest way is to use Homebrew if you are on a Mac or Linux machine. With Homebrew, you can just paste “brew install android-platform-tools” into your terminal, and once the installation is complete you are ready to go.
If Homebrew isn’t something you would like to use, then you will have to follow a few more steps, but can still complete the installation. First, you will need to pull the most updated version from here. After you have downloaded the version for your Operating System, then extract the zip file to somewhere that won’t be deleted within your file system. At this point, you will need to add the path to where you extracted the files to your path in the way that is relevant for your Operating System. Once this is completed, you should be ready to use adb to connect to Android-based devices!
If you have used adb before, you can likely skip this section, but for anyone new to this tool this section will cover the most common and basic functionality that adb is used for.
Before getting started on any assessment, you need to make sure that your machine can see the device, and that they are ready to communicate. The way this is done is through the command “adb devices”. This will list out all the devices that adb can see connected to your machine. If no devices appear here then you will need to troubleshoot what is restricting the connection. We won’t go into all the possible issues here, but this is often related to settings on the device not being correct, so be sure to double-check that as well.
Once you have confirmed a connection to the device, if you have not already installed the application but have the .apk file, then you will want to run the command “adb install /path/to/file.apk”. At this point, the application should now be installed and ready to begin the assessment.
A Closer Look
Now that you have the app installed and going, you will likely want to take a closer look at the files on the device from normal usage. Luckily adb makes this process easy through the command “adb shell”. This will drop you into a terminal on the device itself allowing you to navigate and look closely at whatever files on the device you need to see.
Give and Take
Finally, through an assessment, you will likely want to save evidence or artifacts from the device to your machine or put files from your machine onto the device. The easiest way that I have found to do this is with the pair of commands “adb push” and “adb pull”. These commands are run on the machine connected to the device, and the syntax looks like this. If you are putting a file from your local machine onto the device, the command is “adb push <local file path> <remote location>”. The reverse of this for when you want to copy a file from the device onto your local machine is the command “adb pull <remote file path> <local location>”. With these commands, you should be able to move any files that you may need to and from the device.
While the previously mentioned commands maybe most of what you will use adb for, there are many more things that it can do that you may be interested in during an assessment. This is a great cheat sheet of specific commands if you don’t quite remember the syntax. As well, this reference for all the basic functionality, but I would like to highlight a few here that have come in handy for me in the past.
Recording & Screenshots
Most devices have a way to take a screenshot, but in cases where it’s not as easy, adb has functionality for that built-in. The command “adb shell screencap -p /path/to/screenshot.png” will take and save a screenshot to the location provided. You can then pull this off the device and include it in a report as evidence of issues you may have found. If a picture isn’t enough, you can also use adb to record the device screen for a period of time. This can be done through the command “adb shell screenrecord /path/to/file.mp4”. This will record the screen until you cancel the recording or the time limit is reached.
All The Data
If you are assessing a mobile application, it is likely on a device that you already know the details of. However, if the assessment is for an Android phone itself, or an Android-based IoT device, then you may want more information related to the device itself. Here are just a few of the adb commands that can help with this:
- “adb get-state” will print the current device state
- “adb shell netstat” lists the TCP connectivity for the device
- “adb shell pm list features” will list the features of the phone or device
- “adb shell list packages” will list all the package names on the device. If you include the “-r” flag, it will also add the path to the individual apk files for each.
ADB Guide Summary
While some people may think of adb as only a small connection tool for mobile apps, hopefully, we have shown in this post that it can do much more beyond that. So the next time you have an opportunity to utilize adb during an assessment, try out some of the things you may have learned like getting started on your own and some of the functionality we talked about here. As always, be smart about files, links, and downloadables and be sure to also check out some of the other resources we’ve mentioned to keep up to date on functionality and other cool features that may not have been mentioned here.
If you have found any other helpful or cool uses for adb, be sure to let us know! Thank you for taking the time to read this, and keep up the good work in securing mobile applications and devices!
MORE FROM WHITE OAK SECURITY
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.