How we can debug a signed apk without having source code?

I want to ask if there is a possibility to debug a release apk without having source code and how we can prevent user to do this action ?

I thought that I can't debug an apk without a source code ( manifest has by default android:debuggable="false") until I sent it to a client and he asks me to disable debuggable mode because he got this issue . I try to reproduce the problem and I'm thinking if he did a reverse engineering.

Asked By: Imene Noomene
||

Answer #1:

You can debug an already signed APK with a number of different tools. Most approaches would be considered a form of reverse engineering. At a high level, a common approach (for dynamic "live" debugging) would be to:

  1. Use APKTool to enable debugging via the property in the AndroidManifest.xml. Align and sign the newly modified APK.
  2. Use ADB to push the new "debuggable" APK to the device/emulator.
  3. Use a debugger such as GDB (NDK includes a gdbserver with the arm toolchain).

It's worth mentioning that static analysis can be an option too, whereby the APK could be unpacked and decompiled to SMALI/Java.

There are a number of tools available to help reverse and debug APK's. Some I use frequently are; dex2jar, JDGUI, APK Studio, JEB, IDA Pro, VisualGDB.

Answered By: Imene Noomene

Answer #2:

You can debug APKs without having source code, using Android Studio 3.0 and higher

  • First make sure to Enable Debugging
  • To start debugging an APK, click Profile or debug APK from the Android Studio Welcome screen. Or, if you already have a project open, click File > Profile or Debug APK from the menu bar. In the next dialog window, select the APK you want to import into Android Studio and click OK.

Some prevention tricks against debugging:

1. Checking the Debuggable Flag in ApplicationInfo

The android:debuggable flag in the Android Manifest determines whether the JDWP thread is started for the app. Its value can be determined programmatically, via the app's ApplicationInfo object. If the flag is set, the manifest has been tampered with and allows debugging.

public static boolean isDebuggable(Context context){
    return ((context.getApplicationContext().getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0);
}

2. isDebuggerConnected

The Android Debug system class offers a static method to determine whether a debugger is connected. The method returns a boolean value.

public static boolean detectDebugger() {
    return Debug.isDebuggerConnected();
}

The same API can be called via native code by accessing the DvmGlobals global structure.

JNIEXPORT jboolean JNICALL Java_com_test_debugging_DebuggerConnectedJNI(JNIenv * env, jobject obj) {
    if (gDvm.debuggerConnected || gDvm.debuggerActive)
        return JNI_TRUE;
    return JNI_FALSE;
}

3. APK Signatures check

If APK is resigned, its signature would have changed. Check that against your original APK signature.

Answered By: nullable

Answer #3:

i saw you can do that with reverse engineering check this link, maybe will help. https://reverseengineering.stackexchange.com/questions/10902/debugging-third-party-android-apks

Answered By: Zeero0

Answer #4:

we can not debug apk.

You can check only logs if used for release build.

  • open Android Monitor in android studio at the bottom
  • and select No Filter from drop down appears at top-left.

You will be able to see logs of released .apk

Answered By: Stoica Mircea
The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .



# More Articles