Robber Ducks

Debugging 3rd Party Android Apps

When reverse engineering Android apps it is relatively common to perform dynamic analysis alongside static analysis in order to gain runtime information about the app.

There are many ways to get this information from 3rd party apps:

  • Use Frida hooks to print function arguments
  • Patch the app to be debuggable
  • Patch the app to log the sensitive information

The above methods have several flaws: Frida can only hook a specific function, either before or after it runs, and patching apps is relatively complex and almost always introduces bugs into the app.
Also, many packers and malware samples detect modified APKs and crash intentionally to make analysis harder.

Better Solutions for Debugging 3rd Party Android Apps

I’m a big fan of the Android Studio debugger (JDWP under the hood), as you can easily set up breakpoints, modify the code and even add logic to it, all at runtime, from your favorite IDE.
Sadly, in order to do so you must recompile the app, and that has a high probability of failure.
As my device is rooted and highly customized, I decided to find a way to make all apps debuggable.

AOSP Research

In order to debug an app, Android Studio communicates with the app using JDWP over ADB, as this very high-level chart shows:

[Chart: AOSP JDWP & How to Debug 3rd Party Android Apps]

If you are interested in a more in-depth explanation of the implementation, it’s your lucky day, because for some reason someone on the AOSP team wrote pretty decent documentation at /system/core/adb/jdwp_service.cpp
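The same JDWP-over-ADB channel that Android Studio uses can be driven from the command line, which is handy for checking whether a process actually exposes JDWP before reaching for the IDE. The script below is an added example, not code from the original post or from AOSP; it assumes a single connected device, that adb and jdb are on the host PATH, and that the target app is already debuggable as described later in the post. The package name and port are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): attach a command-line debugger
# to an app over the same JDWP-over-ADB transport Android Studio uses.
# Assumes: one connected device, adb and jdb on PATH, target app already
# debuggable (ro.debuggable=1 or a debuggable build).

# Pure helper: reads the output of `adb jdwp` (one pid per line) on stdin and
# prints the wanted pid only if it appears there. A pid that is running but
# missing from the listing is a process that exposes no JDWP transport, which
# is exactly the symptom of a non-debuggable app.
select_jdwp_pid() {
  want="$1"
  found=1
  while IFS= read -r pid; do
    [ "$pid" = "$want" ] && found=0
  done
  [ "$found" -eq 0 ] && printf '%s\n' "$want"
  return "$found"
}

# Device-side pid of a package (Android's pidof); strips the CRLF adb adds.
app_pid() {
  adb shell pidof "$1" | tr -d '\r'
}

# Forward a local TCP port to the process's JDWP transport and attach jdb,
# which then speaks JDWP over that socket just like the IDE does.
# `adb jdwp` keeps its listing open on many adb versions, so it is bounded
# with coreutils `timeout` rather than left to hang.
jdwp_attach() {
  pkg="$1"; port="${2:-8700}"
  pid=$(app_pid "$pkg")
  [ -n "$pid" ] || { echo "$pkg is not running" >&2; return 1; }
  if ! timeout 3 adb jdwp 2>/dev/null | tr -d '\r' | select_jdwp_pid "$pid" >/dev/null; then
    echo "pid $pid exposes no JDWP transport: app is not debuggable" >&2
    return 1
  fi
  adb forward "tcp:$port" "jdwp:$pid"
  jdb -attach "localhost:$port"
}

# Usage (placeholder package name):
#   jdwp_attach com.example.target 8700
```

The `select_jdwp_pid` check is the interesting part for triage: if `pidof` finds the process but `adb jdwp` does not list it, the app was launched without the JDWP flag, which is the situation the rest of the post fixes at the system level.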

Further research of the AOSP revealed the DEBUG_ENABLE_JDWP flag: if it is set for zygote when initializing a new app, the app becomes debuggable.
More interesting is the function “applyDebuggerSystemProperty”:

[Image: AOSP research, JDWP & How to Debug 3rd Party Android Apps]

Apparently there is already support for my debugging needs, and all I need to do is set the ro.debuggable system property to 1.

Modifying the Boot Image

Apparently all ro.* system properties live in the device boot image and can’t be set using the standard “adb shell setprop” command.
A remount alone won’t do the trick either.
There are device-specific methods for flashing modified boot images, but most of them are not simple and require a fair amount of knowledge of the Android boot process.
I decided to find an easier approach, and luckily for me someone already built a Magisk module that does exactly this:

Hidden Settings

Install it and you can modify the property from adb shell.

Also, from Android 10 and above, system-as-root is implemented, so you can change ro.* system properties directly after remounting:

mount -o rw,remount /
vi /default.prop
# replace ro.debuggable=0 with ro.debuggable=1 in /default.prop
reboot
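Editing /default.prop by hand works, but it is easy to leave a duplicate or commented-out assignment behind and then wonder after the reboot why nothing changed. The script below is an added example, not code from the original post; it makes the same ro.debuggable edit on a copy of the property file so the result can be verified before it is written back to the remounted root. The sample property file is constructed for the example, and the pull/push commands in the usage comment assume a rooted device reachable over adb.

```shell
#!/bin/sh
# Added example (not from the original post): set ro.debuggable=1 in a
# property file the way the post describes for /default.prop on a
# system-as-root (Android 10+) device, and verify the result.

# Escape the dots in a property key so it matches literally in grep/sed.
key_re() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# Print a property's value (empty if absent). Comment lines are ignored and
# the last assignment wins, which is the edge case hand edits usually miss.
prop_get() {
  file="$1"; key=$(key_re "$2")
  grep -v '^[[:space:]]*#' "$file" | sed -n "s/^$key=//p" | tail -n 1
}

# Set key=value: rewrite every existing assignment, or append if missing.
# Uses a temp file instead of sed -i for portability. The value is assumed
# to contain no sed metacharacters (true for 0/1 flags like this one).
prop_set() {
  file="$1"; key="$2"; value="$3"; re=$(key_re "$key")
  if grep -q "^$re=" "$file"; then
    sed "s/^$re=.*/$key=$value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# True when apps started from this property file will be debuggable: per the
# post, ro.debuggable=1 makes zygote apply DEBUG_ENABLE_JDWP to every app.
# ro.* properties are read once at boot, so a reboot is still required.
apps_debuggable() {
  [ "$(prop_get "$1" ro.debuggable)" = "1" ]
}

make_debuggable() {
  prop_set "$1" ro.debuggable 1
  apps_debuggable "$1"
}

# Constructed sample of a stock default.prop (not taken from any device).
write_sample_prop() {
  cat > "$1" <<'EOF'
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.debuggable=0
persist.sys.usb.config=adb
EOF
}

# Device usage (not executed here; requires root and a remountable /):
#   adb pull /default.prop ./default.prop
#   make_debuggable ./default.prop
#   adb shell mount -o rw,remount /
#   adb push ./default.prop /default.prop
#   adb reboot
```

Keep in mind that once ro.debuggable=1 is live, every app on the device accepts a JDWP attach from anything with adb access, so this belongs on a dedicated research device rather than a daily driver.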

Debugging

Everything is debuggable now – just use “Attach Debugger” (use Java only, otherwise it fails)!

[Screenshot: AOSP JDWP & How to Debug 3rd Party Android Apps - Debugging]

If you want to debug smali rather than Java files, use this plugin:
https://github.com/JesusFreke/smalidea
