ADB, short for Android Debug Bridge, is an essential tool for Android developers and testers. adb is included in the Android SDK Platform Tools package. This package can be downloaded using the SDK Manager, which will install it under android_sdk/platform-tools/. If you need a standalone Android SDK Platform Tools package, please click here to download it.
Detailed usage of adb is described thoroughly on the official Android site and in other blogs; you can refer to the following articles. This blog summarizes the adb commands commonly used by the author in security testing.
- Android Debug Bridge (adb) (Official document, you may need to go online)
- ADB Usage Complete
Commonly used ADB commands for security testing
Current system foreground activity
The Activity the user currently has in the foreground is the top Activity.
Method one
adb shell dumpsys activity activities | findstr mResumedActivity
Method two
adb shell dumpsys activity activities | grep mResumedActivity
output
mCurrentFocus=Window{86c6209 u0 shengivictor.androidcomm/com.example.shengivictor.androidcomm.MainActivity}
All activities running on the system
Command
adb shell dumpsys activity | findstr Run
output
Running activities (most recent first):
Run #0: ActivityRecord{8240a87 u0 shengivictor.androidcomm/com.example.shengivictor.androidcomm.MainActivity t577}
Running activities (most recent first):
Run #0: ActivityRecord{84a6505 u0 com.huawei.android.launcher/.unihome.UniHomeLauncher t1}
Running activities (most recent first):
Run #0: ActivityRecord{8240b83 u0 com.huawei.health/.MainActivity t581}
APK installation path
Command
adb shell pm path shengivictor.androidcomm
output
package:/data/app/shengivictor.androidcomm-40RDkYJdHTo3JwTI8ohknA==/base.apk
Application installation file directory description
- /system/app: Stores the software that comes with the ROM itself, which is the system software;
- /system/priv-app: Stores system-level applications customized by mobile phone manufacturers;
- /data/app: Stores software installed by users themselves.
Please note that the above directories only store the installation data of the application, including the apk and the corresponding lib library files, not the files in which the application stores data. The data actually stored by the application is generally placed in its private directory, such as /data/data/com.kugou.android. Only the root user and the app itself can read and write this directory.
Ordinary users cannot uninstall the files under /system/app (using the CVE-2022-20611 vulnerability, ordinary users can uninstall system applications), while users can uninstall the files under /data/app.
Useful script: Download all system APKs to local
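A minimal version of such a script, as an added example (it is not the script the original post links to). It assumes one device is connected through adb; the function names and the system_apks directory are hypothetical. The line is split at the last "=" because install paths can contain "=" themselves, as the pm path output above shows.

```sh
#!/bin/sh
# Added example: pull every system APK from the connected device.

# Constructed sample of `adb shell pm list packages -s -f` output.
SAMPLE_PM_LIST='package:/system/app/Foo/Foo.apk=com.example.foo
package:/data/app/~~Qx==/com.example.bar-Zk==/base.apk=com.example.bar
not a package line'

# Turn "package:<apk path>=<package name>" lines on stdin into
# "<package name><TAB><apk path>" lines; anything else is skipped.
parse_pm_list() {
    tr -d '\r' | while IFS= read -r line; do   # older adb emits CRLF
        case $line in
            package:*=*) ;;
            *) continue ;;
        esac
        rest=${line#package:}
        # Split at the LAST "=": the path itself may contain "=".
        printf '%s\t%s\n' "${rest##*=}" "${rest%=*}"
    done
}

# Pull all system APKs into directory $1 (default: ./system_apks).
pull_system_apks() {
    out=${1:-system_apks}
    mkdir -p "$out" || return 1
    adb shell pm list packages -s -f </dev/null | parse_pm_list |
    while IFS="$(printf '\t')" read -r pkg path; do
        # stdin is redirected so adb cannot consume the remaining list
        adb pull "$path" "$out/$pkg.apk" </dev/null ||
            echo "failed to pull $pkg ($path)" >&2
    done
}

# Offline demonstration on the constructed sample; with a device attached,
# call: pull_system_apks ./system_apks
printf '%s\n' "$SAMPLE_PM_LIST" | parse_pm_list
```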
Running Services
Command
adb shell dumpsys activity services [<packagename>]
output
Activity Resolver Table:
Non-Data Actions:
android.intent.action.MAIN:
5b4cba8 org.mazhuang.guanggoo/.SplashActivity filter 5ec9dcc
Action: "android.intent.action.MAIN"
Category: "android.intent.category.LAUNCHER"
AutoVerify=false
Registered ContentProviders:
org.mazhuang.guanggoo/com.tencent.bugly.beta.utils.BuglyFileProvider:
Provider{7a3c394 org.mazhuang.guanggoo/com.tencent.bugly.beta.utils.BuglyFileProvider}
#...
System defined permissions
Command
adb shell pm list permissions -f | grep -A4 ACCESS_NOTIFICATION_SERVICE
output
+ permission:com.android.systemui.permission.ACCESS_NOTIFICATION_SERVICE
package:com.android.systemui
label:null
description:null
protectionLevel:signature|privileged
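To review all permissions of one package instead of grepping for a single name, the record format shown above can be parsed. This added example (not from the original post) lists the permissions a package declares whose protectionLevel does not include signature, since other apps can request those; the function names and the com.example.app sample are constructed.

```sh
#!/bin/sh
# Added example: audit protection levels in `pm list permissions -f` output.

# Constructed sample in the format shown above (com.example.app is made up).
sample_permissions() {
    cat <<'EOF'
All Permissions:

+ permission:com.example.app.permission.READ_NOTES
  package:com.example.app
  label:null
  description:null
  protectionLevel:normal
+ permission:com.example.app.permission.SYNC
  package:com.example.app
  label:null
  description:null
  protectionLevel:signature|privileged
+ permission:com.android.systemui.permission.ACCESS_NOTIFICATION_SERVICE
  package:com.android.systemui
  label:null
  description:null
  protectionLevel:signature|privileged
EOF
}

# Print "<permission><TAB><protectionLevel>" for each permission declared by
# package $1 whose protection level does not include "signature".
weak_permissions() {
    tr -d '\r' | awk -v pkg="$1" '
        function emit() {
            if (perm != "" && owner == pkg && level !~ /signature/)
                printf "%s\t%s\n", perm, level
            perm = ""; owner = ""; level = ""
        }
        { sub(/^[ \t]+/, "") }                  # detail lines are indented
        /^[+] permission:/  { emit(); perm = substr($0, 14) }
        /^package:/         { owner = substr($0, 9) }
        /^protectionLevel:/ { level = substr($0, 17) }
        END { emit() }
    '
}

# Offline demonstration; on a device:
#   adb shell pm list permissions -f | weak_permissions <package>
sample_permissions | weak_permissions com.example.app
```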
System log
Command
adb logcat [<option>]
output
I/ActivityManager( 585): Starting activity: Intent { action=android.intent.action...}
Note: Each time the above command is re-run, all previously cached logs will be printed. You can clear the cached logs through the -c option
adb logcat -c
Other log storage paths
- /data/system/dropbox/: Used to record logs when serious problems occur in the kernel, system processes, user processes, etc. while Android is running.
- /data/tombstone: Stores native-layer crash logs.
System information
System architecture
adb shell getprop ro.product.cpu.abi
Android version
adb shell getprop ro.system.build.version.release
In fact, this information can be seen in the /system/build.prop file.
Interact with the application (pass the intent)
ADB can be used to easily communicate with the four major components (am commands)
command | use |
---|---|
start [options] | Start the specified Activity |
startservice [options] | Start the specified Service |
broadcast [options] | Send specified broadcast |
force-stop | Stop related processes |
1. Launch the application (Activity)
# Launch the application
adb shell am start -n com.tencent.mm/.ui.LauncherUI
# Stop the application
adb shell am force-stop com.tencent.mm
2. Start a service
adb shell am startservice -n com.tencent.mm/.plugin.accountsync.model.AccountAuthenticatorService
3. Send a broadcast
adb shell am broadcast -a android.intent.action.BOOT_COMPLETED
4. Parameter explanation
start [options] intent
- -D: Enable debugging.
- -W: Wait for startup to complete.
- --start-profiler file: Start the profiler and send the results to file.
- -P file: Similar to --start-profiler, but profiling stops when the application enters the idle state.
- -R count: Repeat the activity launch count times. Before each iteration, the top-level Activity will be finished.
- -S: Forcefully stop the target application before starting the Activity.
- --opengl-trace: Enable tracing of OpenGL functions.
- --user user_id | current: Specifies which user to run as; if not specified, runs as the current user.
Intent
- -a action: Specify the intent action, such as android.intent.action.VIEW. Can only be declared once.
- -d data_uri: Specify the intent data URI, such as content://contacts/people/1. Can only be declared once.
- -t mime_type: Specify the intent MIME type, such as image/png. Can only be declared once.
- -c category: Specify the intent category, such as android.intent.category.APP_CONTACTS.
- -n component: Specify the component name prefixed with the package name to create an explicit intent, such as com.example.app/.ExampleActivity.
- -f flags: Add flags to the intent, as supported by setFlags().
- --esn extra_key: Add an empty extra. This option is not supported for URI intents.
- --es extra_key extra_string_value: Add string data as a key-value pair.
- --ez extra_key extra_boolean_value: Add boolean data as a key-value pair.
- --ei extra_key extra_int_value: Add integer data as a key-value pair.
- --el extra_key extra_long_value: Add long data as a key-value pair.
- --ef extra_key extra_float_value: Add floating point data as a key-value pair.
- --eu extra_key extra_uri_value: Add URI data as a key-value pair.
ADB-related tools
scrcpy
scrcpy uses ADB debugging to project the mobile phone screen to the computer, and can control Android devices through the computer. It supports Linux, Windows and macOS. Audio forwarding is also supported on the latest version of Android (API 30: Android 11).
QtScrcpy
QtScrcpy can connect to Android devices via USB/network and display and control them. No root access is required. Linux, Windows and macOS are also supported. The biggest difference from scrcpy is that QtScrcpy supports custom key mapping.
Android Device Monitor
A tool provided by the Android SDK for viewing Android system resources, app and file system operations, etc. Personally, I find it useful, but Android Device Monitor has been deprecated in Android Studio 3.1 and has been removed from Android Studio 3.2.
Of course, there are more tools. I won’t list them one by one. Most Android security testing tools use ADB. Here are just the tools that are fully implemented using ADB.
Summary
ADB is a native tool provided by Android. It is actually a powerful tool set, including various sub-binaries distributed in various locations in the Android file system. Ordinary developers can use ADB for routine debugging and testing, and penetration testers can also use ADB for security testing. Understanding common ADB commands is an essential basic skill for Android security testing. We only describe some security-related test commands here. If you want to know more, you can refer to the official and third-party manuals mentioned at the beginning of the article.