I recently spent some time learning how to debug third-party Android applications. There are many methods listed online, but most don’t work. Today, I’ll explain why most of these don’t work and explain one way that does. You can skip down to What works if you’re only interested in that. First, let’s get into why this may be useful.

With dynamic analysis you can:

  • See live code flow, which can be difficult to determine in static analysis, especially with obfuscated code
  • Read data not available to you, including checksums, user information, and more
  • Find the code you may want to patch

Enabling Debugging: Ways that don’t work

Here are a few methods of debugging Android applications that I found do not work, no longer work, or only work in some cases.

Add android:debuggable="true" to the AndroidManifest.xml

Stack Exchange and several other blogs recommend this method. Usually the steps are something like:

  1. Use apktool to decompile the application and its resources
  2. Add android:debuggable="true" to the AndroidManifest.xml
  3. Recompile, resign, and repackage the APK

This doesn’t work because apktool cannot handle resources properly. On an APK with decompiled resources, you will probably see this BrutException when you try to build it.

[Screenshot: BrutException]

If the app you’re reversing has really simple resources, you may not run into this, but I have a feeling it’s a bit common these days.

APKTool Debug Option

You used to be able to pass apktool a debug flag, and it could automatically add the debug flag to the manifest for you.

apktool --debug test.apk

This is no longer supported by apktool.

Root your phone and set ro.debuggable=1

There’s a Magisk module called MagiskHide Props Config that claims to allow you to set ro.debuggable to 1. This is usually a read-only setting on Android phones, hence the ro. Once installed, you are supposed to be able to modify properties like this from the Android terminal on your device by typing props and following the prompt’s instructions.

I tried many variations of this, including the suggestion to use a configuration file, but I also couldn’t get this one working. Others may have more luck and it could’ve been a fluke with my old Nexus 5X.

What works

After much research, I realized that I was going to need to figure out how to set ro.debuggable=1 on my device. In an old JIRA issue for LineageOS, I found that the custom ROM comes with ro.debuggable set to 1 by default. There are many guides for installing LineageOS on different devices, so I won’t get into it here. I will call out, though, that you will probably need to install OpenGAPPS before you first boot into Lineage if the app you’re reversing uses Google services.

[Screenshot: debuggable]

Once you have ro.debuggable=1 on your device, there is a great guide here on how to debug smali code in Android Studio. (archived link)
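The two switches this post covers, the per-app manifest flag and the device-wide ro.debuggable property, can be checked together before you attach a debugger. The following is an added example, not code from the original post: it assumes a manifest already decoded to text and a saved copy of `adb shell getprop` output, and the sample inputs and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a decoded AndroidManifest.xml with no debuggable attribute
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
    <application android:label="Target" android:allowBackup="false"/>
</manifest>"""

# Constructed sample: excerpt of `adb shell getprop` output
SAMPLE_GETPROP = """[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [1]"""


def manifest_debuggable(manifest_xml: str) -> bool:
    """True only if <application android:debuggable="true"> is present."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    # The attribute lives in the android: namespace, so use the qualified name.
    return app.get(f"{{{ANDROID_NS}}}debuggable", "false").lower() == "true"


def parse_getprop(output: str) -> dict:
    """Parse the `[key]: [value]` lines printed by getprop into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", output, re.M))


def debug_path(manifest_xml: str, getprop_output: str) -> str:
    """Report which switch from the post, if any, is enabled."""
    if manifest_debuggable(manifest_xml):
        return "manifest"
    if parse_getprop(getprop_output).get("ro.debuggable") == "1":
        return "system-property"
    return "none"


if __name__ == "__main__":
    print(debug_path(SAMPLE_MANIFEST, SAMPLE_GETPROP))
```

The same check run against your own release APK is a quick audit that android:debuggable was not shipped enabled.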

TLDR: Install LineageOS

Hope this was helpful. In an upcoming post, I’ll explain how I used debugging to get access to an app’s pro feature for free.