ADB, the full name of Android Debug Bridge, is Android debug bridge. It is an essential tool for Android developers and testers. adb is included in the Android SDK Platform Tools package. This package can be downloaded using the SDK Manager , which will install it android_sdk/platform-tools/under . If you need a standalone Android SDK Platform Tools package, please click here to download it .
Regarding the detailed usage of adb, whether it is the official Android site or other blogs, there are quite detailed descriptions. You can refer to the following article . This blog summarizes the adb commands commonly used by the author in security testing.
- Android Debug Bridge (adb) (Official document, you may need to go online)
- ADB Usage Complete / ADB Usage Complete
Commonly used ADB commands for security testing
Current system foreground activity
The user's current foreground Activity is our top Activity
method one
adb shell dumpsys activity activities | findstr mResumedActivity
Method Two
adb shell dumpsys activity activities | grep mResumedActivity
output
mCurrentFocus=Window{
86c6209 u0 shengivictor.androidcomm/com.example.shengivictor.androidcomm.MainActivity}
All activities running on the system
Order
adb shell dumpsys activity | findstr Run
output
Running activities (most recent first):
Run #0: ActivityRecord{8240a87 u0 shengivictor.androidcomm/com.example.shengivictor.androidcomm.MainActivity t577}
Running activities (most recent first):
Run #0: ActivityRecord{84a6505 u0 com.huawei.android.launcher/.unihome.UniHomeLauncher t1}
Running activities (most recent first):
Run #0: ActivityRecord{8240b83 u0 com.huawei.health/.MainActivity t581}
APK installation path
Order
adb shell pm path shengivictor.androidcomm
output
package:/data/app/shengivictor.androidcomm-40RDkYJdHTo3JwTI8ohknA==/base.apk
Application installation file directory description
/system/appStore the software that comes with the rom itself, which is the system software;/system/priv-appStore system-level applications customized by mobile phone manufacturers;/data/appStore software installed by users themselves
Please note that the above directories only store the installation data of the application, including apk and corresponding lib library files, not the files in which the application stores data . The data actually stored by the application is generally placed in its private directory /data/data/com.kugou.android. Only the root user and the app itself can read and write this directory.
/system/appOrdinary users cannot uninstall the files under (using the CVE-2022-20611 vulnerability, ordinary users can uninstall system applications), while /data/appusers can uninstall the files under .
Useful script: Download all system APKs to local
Running Services
Order
adb shell dumpsys activity services [<packagename>]
output
Activity Resolver Table:
Non-Data Actions:
android.intent.action.MAIN:
5b4cba8 org.mazhuang.guanggoo/.SplashActivity filter 5ec9dcc
Action: "android.intent.action.MAIN"
Category: "android.intent.category.LAUNCHER"
AutoVerify=false
Registered ContentProviders:
org.mazhuang.guanggoo/com.tencent.bugly.beta.utils.BuglyFileProvider:
Provider{
7a3c394 org.mazhuang.guanggoo/com.tencent.bugly.beta.utils.BuglyFileProvider}
#...
System defined permissions
Order
adb shell pm list permissions -f | grep -A4 ACCESS_NOTIFICATION_SERVICE
output
+ permission:com.android.systemui.permission.ACCESS_NOTIFICATION_SERVICE
package:com.android.systemui
label:null
description:null
protectionLevel:signature|privileged
System log
Order
adb logcat [<option>]
output
I/ActivityManager( 585): Starting activity: Intent {
action=android.intent.action...}
Note: Each time the above command is re-run, all previously cached logs will be printed. You can clear the cached logs-c through the option
adb logcat -c
Other log storage paths
/data/system/dropbox/Used to record logs when serious problems occur in the kernel, system processes, user processes, etc. during the running of Android./data/tombstoneStore Native layer crash logs
system message
system structure
adb shell getprop ro.product.cpu.abi
Android version
adb shell getprop ro.system.build.version.release
In fact, this information can be /system/build.propseen in the file.
Interact with the application (pass the intent)
ADB can be used to easily communicate with the four major components ( amcommands)
| command | use |
|---|---|
| start [options] | Start the specified Activity |
| startservice [options] | Start the specified Service |
| broadcast [options] | Send specified broadcast |
| force-stop | Stop related processes |
1. Pull up the application (Activity)
# 拉起应用
adb shell am start -n com.tencent.mm/.ui.LauncherUI
# 停止应用
adb shell am com.tencent.mm
2. Pull up services
adb shell am startservice -n com.tencent.mm/.plugin.accountsync.model.AccountAuthenticatorService
3.Send broadcast
adb shell am broadcast -a android.intent.action.BOOT_COMPLETED
4. Parameter explanation
start [options] intent
-D: Enable debugging function.-W: Wait for startup to complete.--start-profiler file: Start the profiler and send the results to file.-P file: Similar to --start-profiler, but profiling stops when the application enters idle state.-R count: Repeat the activity count times. Before each iteration, the top-level Activity will be completed.-S: Forcefully stop the target application before starting the Activity.--opengl-trace: Enable tracing of OpenGL functions.--user user_id | current: Specifies which user to run as; if not specified, runs as the current user.
Intent
-a actionSpecify the intent action, such as android.intent.action.VIEW. Can only be declared once.-d data_uriSpecify the intent data URI, such as content://contacts/people/1. Can only be declared once.-t mime_typeSpecify the intent MIME type, such as image/png. Can only be declared once.-c categorySpecify the intent category, such as android.intent.category.APP_CONTACTS.-n componentSpecify the component name prefixed with the package name to create an explicit intent, such as com.example.app/.ExampleActivity.-f flagsAdds flags to intents supported by setFlags().--esn extra_keyAdd an empty extra. This option is not supported for URI intents.--es extra_key extra_string_valueAdd string data as key-value pairs.--ez extra_key extra_boolean_valueAdd boolean data as key-value pairs.--ei extra_key extra_int_valueAdd integer data in the form of key-value pairs.--el extra_key extra_long_valueAdd long data as key-value pairs.--ef extra_key extra_float_valueAdd floating point data in the form of key-value pairs.--eu extra_key extra_uri_valueAdd URI data as key-value pairs.
Use ADB related tools
scrcpy
scrcpy uses ADB debugging to project the mobile phone screen to the computer, and can control Android devices through the computer. Supports Linux , Windows and macOS . Audio forwarding is also supported on the latest version of Android (API 30: Android 11) .
QtScrcpy
QtScrcpy can connect Android devices via USB/network and display and control them. No root access is required. Linux , Windows and macOS are also supported. The biggest difference from scrcpy is that QtScrcpy supports custom key mapping .
Android Device Monitor
The tools provided by the Android SDK are used to view Android system resources, APP and file system operations, etc. Personally, I find it useful, but Android Device Monitor has been deprecated in Android Studio 3.1 and has been removed from Android Studio 3.2 .
Of course, there are more tools. I won’t list them one by one. Most Android security testing tools use ADB. Here are just the tools that are fully implemented using ADB.
Summarize
ADB is a native tool provided by Android. It is actually a powerful tool set, including various sub-binaries, distributed in various locations in the Android file system. Ordinary developers can use ADB for routine debugging and testing, and penetration personnel can also use ADB for security testing. Understanding common ADB commands is an essential basic skill for Android security testing. We only describe some security-related test commands here. If you want to know more, you can refer to the official and third-party manuals mentioned at the beginning of the article.