I recently spent some time learning how to debug third party Android applications. There are many methods listed online, but most don’t work. Today, I’ll explain why most of these don’t work and explain one way that does. You can skip down to What works if you’re only interested in that. First lets get into why this may be useful.
With dynamic analysis you can
- See live code flow - can be difficult to determine in static analysis especially with obfuscated code
- Read data not available to you, including checksums, user information, and more
- Find the code you may want to patch
Enabling Debugging: Ways that don’t work
Here’s a few methods of debugging Android applications that I found do not work, no longer work, or only work in some cases.
Add android:debuggable=“true” to the AndroidManifest.xml
Stack Exchange and several other blogs recommend this method. Usually the steps are something like:
- Use apktool to decompile the application and its resources
- Add
android:debuggable="true"
to the AndroidManifest.xml - Recompile, resign, and repackage the APK
The reason this doesn’t work is because apktool cannot handle resources properly. On an APK with decompiled resources, you will probably see this BrutException
when you try to build it.
If the app your reversing has really simple resources, you may not run into this, but I have a feeling it’s a bit common these days.
APKTool Debug Option
You used to be able to pass apktool a debug flag, and it could automatically add the debug flag to the manifest for you.
apktool --debug test.apk
This is no longer supported by apktool.
Root your phone and set ro.debuggable=1
There’s a Magisk module called MagiskHide Props Config that claims to allow you to set ro.debuggable
to 1. This is usually a readonly setting on Android phones, hence the ro
. Once installed, you are supposed to be able to modify properties like this from the Android terminal on your device by typing props
and following the prompt’s instructions.
I tried many variations of this, including the suggestion to use a configuration file, but I also couldn’t get this one working. Others may have more luck and it could’ve been a fluke with my old Nexus 5X.
What works
After much researching, I realized that I was going to need to figure out how to set ro.debuggable=1
on my device. In an old JIRA issue for LineageOS, I found that the custom ROM comes with ro.debuggable
set to 1
by default. There are many guides for installing LineageOS on different devices, so I won’t get into it here. I will call out though, that you will probably need to install OpenGAPPS before you first boot into Lineage if the app you’re reversing uses Google services.
Once you have ro.debuggable=1
on your device, there is a great guide here on how to debug smali code in Android Studio.
(archived link)
TLDR: Install LineageOS
Hope this was helpful. In an upcoming post, I’ll explain how I used debugging to get access to an app’s pro feature for free.