I want to ask if there is a possibility to debug a release apk without having source code and how we can prevent user to do this action ?
I thought that I can't debug an apk without a source code ( manifest has by default android:debuggable="false") until I sent it to a client and he asks me to disable debuggable mode because he got this issue . I try to reproduce the problem and I'm thinking if he did a reverse engineering.
You can debug an already signed APK with a number of different tools. Most approaches would be considered a form of reverse engineering. At a high level, a common approach (for dynamic "live" debugging) would be to:
Use APKTool to enable debugging via the property in the AndroidManifest.xml. Align and sign the newly modified APK.
Use ADB to push the new "debuggable" APK to the device/emulator.
Use a debugger such as GDB (NDK includes a gdbserver with the arm toolchain).
It's worth mentioning that static analysis can be an option too, whereby the APK could be unpacked and decompiled to SMALI/Java.
There are a number of tools available to help reverse and debug APK's. Some I use frequently are; dex2jar, JDGUI, APK Studio, JEB, IDA Pro, VisualGDB.
You can debug APKs without having source code, using Android Studio 3.0 and higher
First make sure to Enable Debugging
To start debugging an APK, click Profile or debug APK from the Android
Studio Welcome screen. Or, if you already have a project open, click
File > Profile or Debug APK from the menu bar. In the next dialog
window, select the APK you want to import into Android Studio and
click OK.
Some prevention tricks against debugging:
1. Checking the Debuggable Flag in ApplicationInfo
The android:debuggable flag in the Android Manifest determines whether the JDWP thread is started for the app. Its value can be determined programmatically, via the app's ApplicationInfo object. If the flag is set, the manifest has been tampered with and allows debugging.
public static boolean isDebuggable(Context context){
return ((context.getApplicationContext().getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0);
}
2. isDebuggerConnected
The Android Debug system class offers a static method to determine whether a debugger is connected. The method returns a boolean value.
public static boolean detectDebugger() {
return Debug.isDebuggerConnected();
}
The same API can be called via native code by accessing the DvmGlobals global structure.
JNIEXPORT jboolean JNICALL Java_com_test_debugging_DebuggerConnectedJNI(JNIenv * env, jobject obj) {
if (gDvm.debuggerConnected || gDvm.debuggerActive)
return JNI_TRUE;
return JNI_FALSE;
}
3. APK Signatures check
If APK is resigned, its signature would have changed. Check that against your original APK signature.
we can not debug apk.
You can check only logs if used for release build.
open Android Monitor in android studio at the bottom
and select No Filter from drop down appears at top-left.
You will be able to see logs of released .apk
Related
Some folders in my phone storage include files like this:
dzG럫saᡑῑ.sg
존Ὣ 졼).sg
So when I try to read files from this folder with File.listFiles() function my app crashes:
JNI DETECTED ERROR IN APPLICATION: input is not valid Modified UTF-8:
illegal start byte ...... string: 'dzG럫saᡑῑ.sg'
I found out which app creates them, but it doesn't matter, for example if other users would have similar files on their phone memory, I can't just ask them to remove it
I just want to avoid app crashing
Even try...catch doesn't help (cause error with JNI/LINUX/C++):
try {
... = dir.listFiles();
} catch (RuntimeException e) {
//
}
So how am I supposed to solve this problem?
Same issue here File.listFiles crashes for invalid UTF-8 characters
But answer with signing apk isn't good, how is it even related to this issue?
Any other solutions?
And seems debug apk is signed automatically (with debug certificate):
When running or debugging your project from the IDE, Android Studio
automatically signs your APK with a debug certificate generated by the
Android SDK tools. The first time you run or debug your project in
Android Studio, the IDE automatically creates the debug keystore and
certificate in $HOME/.android/debug.keystore, and sets the keystore
and key passwords.
As a workaround for API>=26 you can use DirectoryStream
I am using the "org.simalliance.openmobileapi.jar" file from SDK. I copied it to my libs folder and added the dependency like this
Case #1: working fine (in debug mode)
In app Gradle file I have:
provided files('libs/org.simalliance.openmobileapi.jar')
Case #2: not working (in release mode - without minifyEnabled)
In app Gradle file I have:
compile files('libs/org.simalliance.openmobileapi.jar')
In case #2 I get the following exception:
(java.lang.SecurityException: Access Control Enforcer: no APDU access allowed!)
What could cause the problem?
First of all, you need to use the "provided" scope in your build.gradle file for both your debug and your release build:
dependencies {
[...]
provided files('libs/org.simalliance.openmobileapi.jar')
}
UPDATE
"provided" is obsolete and has been replaced with "compileOnly", so for current gradle versions, you need to use (as commented by TT):
dependencies {
[...]
compileOnly files('libs/org.simalliance.openmobileapi.jar')
}
Moreover, you need to have a uses-library entry in your AndroidManifest.xml:
<uses-library android:name="org.simalliance.openmobileapi"
android:required="true" />
However, since you got a SecurityException with the reason "Access Control Enforcer: no APDU access allowed!", this is a clear indication that linking to and using the system-provided Open Mobile API library worked as expected and that you successfully connected to the SmartcardService system service on your device. Consequently, you seem to have your build working as expected.
Therefore, the SecurityException already clearly tells you what the problem is:
Access Control Enforcer: no APDU access allowed!
This means that the access control list on the secure element is not properly configured. Since your debug build works, you probably did register the certificate for your debug environment with the ARA applet (and/or the ARF file) on the secure element. However, release builds are not signed with that same debug keys (certificate). Instead, they are signed with the release keys (certificate) that you chose when selecting "Generate Signed APK..." in Android Studio. Therefore, you have two options:
Add the release certificate to the list of allowed applications for your applet on the secure element.
Change access conditions on the secure element to ALLOW ALL in order to allow access to any applet from any device app.
Depending on your secure element, you would typically need to update the ARA (GlobalPlatform Access Control) applet (AID A00000015141434C00) or the access rules file (ARF) located in a PKCS#15 application (AID A000000063504B43532D3135) or in the SIM file system with the new access conditions.
Using react-native-code-push.
Whenever I release an iOS version (using code-push release-react ... ios), it breaks my Android code push. Next time I try to get an update I get the following error:
You attempted to set the key isPending with the value true on an
object that is meant to be immutable and has been frozen.
Then, if I release an Android version, it breaks my iOS, getting this error:
Update is invalid - A JS bundle file named "main.jsbundle" could not
be found within the downloaded contents. Please ensure that your app
is syncing with the correct deployment and that you are releasing your
CodePush updates using the exact same JS bundle file name that was
shipped with your app's binary.
It's very strange and the documentation doesn't say anything about collisions between the two platforms.
You need to setup an app for each platform
code-push app add [name]-ios
code-push app add [name]-android
i think the code-push release-react [app-name] [platform] ... the platform argument only tells the react-native bundler what entry file to use (index.ios.js or index.android.js) it doesnt work as "install only on ios"
Is there any way, at least temporarily, to tell ADT to leave BuildConfig.DEBUG as TRUE even for release builds?
At that point, you should just create your own constant like
public class MyConfig {
public static final boolean DEBUG = true;
}
BuildConfig really is meant to tell if it is a debug or production release.
Note that you can modify your own constant from outside the code. For example, on Linux or OSX:
#!/bin/bash
cat MyConfig.java | sed -e 's/DEBUG = true/DEBUG = false/g' > newMyConfig.java
mv newMyConfig.java myConfig.java
ant release
This simply rewrites the config via an outside source.
I was facing the same issue as everytime I was running the project as android application it used to open in debugger mode but then the problem was solved.
-If you are working in eclipse you must be using Java EE perspective
-Instead just select Java perspective.
-Clean your app.
-uninstall the app from the device.
-Restart your device (Just like that so that no cache is stored)
-Run your app.
The debugger mode won't show up this time. Copy the apk generated in your bin folder and try it out on other devices as well
I've come across a strange issue in a custom Android build recently? I've had a working ROM for months, and using this ROM I've been able to install platform signed apks to user space (/data/app). Recently, after rebuilding the ROM, I've been unable to install those same apks. Any attempt to install a platform signed app (whether it's via adb install, or pm install) yields the following message:
Failure [INSTALL_FAILED_INVALID_INSTALL_LOCATION]
After digging through the Android source, I found the following relevant code block:
if ((compareSignatures(pkg.mSignatures, s1) == PackageManager.SIGNATURE_MATCH)) {
Slog.w(TAG, "Cannot install platform packages to user storage");
mLastScanError = PackageManager.INSTALL_FAILED_INVALID_INSTALL_LOCATION;
return null;
}
Based on my reading, it seems that installing system applications in user space should never have been allowed. Was the initial case where installing system applications in user space an anomaly? Is it possible to install platform signed applications in user space and if so, how does one do it?
The situation described above occurred because we have a shared Android build machine (shared within the company). A co-worker switched a Git branch without informing me, and thus we were left with old code in our build space. Switching it back to the correct branch solved the problem. To answer the above question more explicitly, it appears that unless you comment out the following code-block, installing platform signed applications in user space is not possible.
(The class file is /frameworks/base/services/src/com/android/server/pm/PackageManagerService.java);
if (!pkg.applicationInfo.sourceDir.startsWith(Environment.getRootDirectory().getPath()) &&
!pkg.applicationInfo.sourceDir.startsWith("/vendor")) {
Object obj = mSettings.getUserIdLPr(1000);
Signature[] s1 = null;
if (obj instanceof SharedUserSetting) {
s1 = ((SharedUserSetting)obj).signatures.mSignatures;
}
if ((compareSignatures(pkg.mSignatures, s1) == PackageManager.SIGNATURE_MATCH)) {
Slog.w(TAG, "Cannot install platform packages to user storage");
mLastScanError = PackageManager.INSTALL_FAILED_INVALID_INSTALL_LOCATION;
return null;
}
}