AndBug can be downloaded from the following link: https://github.com/swdunlop/AndBug

After downloading, use the following commands to unzip and install AndBug on your machine. Make sure that you have Python installed before doing this. After finishing the installation, you can run AndBug as shown in the excerpt below to check that the installation was successful.

```
$ ls
CONTRIBUTORS    Makefile    andbug        info        pylint.rc    tests
LICENSE        README.rst    build        lib        setup.py
$
$ sudo python setup.py install
$
```

Now, start an emulator and verify that it is accessible via adb as shown below. The AndBug shell is accessed using:

```
$ andbug shell [-d <device>] -p <process>
```

The device specification, if omitted, defaults in an identical fashion to the ADB debugging bridge command, which AndBug uses heavily. The process specification is either the PID of the process to debug, or the name of the process, as found in "adb shell ps".

AndBug is NOT intended as a piracy tool or for other illegal purposes, but as a tool for researchers and developers to gain insight into the implementation of Android applications. Use of AndBug is at your own risk, like most open source tools, and no guarantee of fitness or safety is made or implied.

Options:

- -p, --pid: the process to be debugged, by pid or name
- -d, --dev: the device or emulator to be debugged (see adb)
- -s, --src: adds a directory where .java or .smali files could be found

Commands:

- class-trace | ct | ctrace: reports calls to Dalvik methods associated with a class
- classes []: lists loaded classes. If no partial class name is supplied, lists all classes.
- dump []: dumps methods using original sources or apktool sources
- help []: information about how to use andbug
- inspect: inspects an object
- methods []: lists the methods of a class
- shell: starts the andbug shell with the specified process
- source: adds a source directory for finding files
- statics: lists the methods of a class
- thread-trace | tt | ttrace: reports calls to a specific thread in the process
- threads [] [verbose=]: lists threads in the process. Verbosity: 0 (thread), 1 (methods), 2 (vars), 3 (vars data)
- version | v: sends a version request

Examples:

- andbug classes -p com.ioactive.decoy
- andbug methods -p com.ioactive.decoy com.ioactive.decoy.DecoyActivity onInit

As you can see in the above excerpt, an emulator is running. Now, we need an app to test and observe the results. I have developed a simple application for this article. The target app can be downloaded from the downloads section of this article. The app uses a publicly available wrapper called AESCrypt to encrypt the card numbers entered by the user. Please note that the passphrase used to generate the key is hard coded within the application. You can install the application using the following command. Now that we have completed the setup, let's launch the target application for analysis using AndBug. When the application is launched, it looks as shown below.

Next, let us find out the process id of this target application using adb. We can do it by running the ps command and grepping for the string andbug. The above command shows that the process id of andbug in my case is 1090. Let's hook into this process using AndBug and get a shell to interact with it. This can be done as shown below. We can do various interesting things using the shell we have now. Let's first identify the loaded classes. This can be done as shown below. As you can see, we are looking for the classes using the word andbug. There are two loaded classes matching this search query. You can also search using the complete package name.

Now, let's identify the methods loaded in the com.androidpentesting.andbug.MainActivity class. This can be done as shown below.

- com.androidpentesting.andbug.MainActivity.encryptandSave(Ljava/lang/String;Ljava/lang/String;)V
- com.androidpentesting.andbug.MainActivity.onCreate(Landroid/os/Bundle;)V

As you can see in the above excerpt, encryptandSave() is one interesting method within the class.

Here is where the interesting part comes in. We can hook into these methods using the method-trace command and monitor them while the application is running. If you want to analyze all the methods within a class, you can simply run the ct command, which is short for class-trace. Let's run the ct command against the com.androidpentesting.andbug.MainActivity class. This is shown below. As you can see in the above excerpt, the specified class has been hooked. Now, let's come back to the application, enter a number and then click the Encrypt and Store button.

When the button is clicked, the application takes the user input, encrypts the input using AES 256 and then stores the encrypted string in SharedPreferences. This is shown below.

```
root@generic:/data/data/com.androidpentesting.andbug # ls
lib
shared_prefs
root@generic:/data/data/com.androidpentesting.andbug # cd shared_prefs
root@generic:/data/data/com.androidpentesting.andbug/shared_prefs # ls
bankdetails.xml
root@generic:/data/data/com.androidpentesting.andbug/shared_prefs # cat bankdetails.xml
789W4Kw6WOtAmY6fKasj3g==
root@generic:/data/data/com.androidpentesting.andbug/shared_prefs #
```

As you can see in the above excerpt, the string is encrypted and stored. But let's come back and see what happened at the AndBug shell.

```
-- com.androidpentesting.andbug.MainActivity.access$000(Lcom/androidpentesting/andbug/MainActivity;Ljava/lang/String;Ljava/lang/String;)V:0
-- com.androidpentesting.andbug.MainActivity$1.onClick(Landroid/view/View;)V:25
   -- this=Lcom/androidpentesting/andbug/MainActivity$1; <831945677304>
   -- accountnumber=12345
   -- v=Landroid/widget/Button; <831945630640>
-- android.view.View.performClick()Z:18
   -- this=Landroid/widget/Button; <831945630640>
   -- li=Landroid/view/View$ListenerInfo; <831945677320>
-- android.view.View$PerformClick.run()V:2
   -- this=Landroid/view/View$PerformClick; <831945498576>
-- com.androidpentesting.andbug.MainActivity.access$000(Lcom/androidpentesting/andbug/MainActivity;Ljava/lang/String;Ljava/lang/String;)V:6
   -- x2=superstrongsecretkey
   -- x0=Lcom/androidpentesting/andbug/MainActivity; <831945423976>
   -- x1=12345
-- com.androidpentesting.andbug.MainActivity$1.onClick(Landroid/view/View;)V:25
   -- this=Lcom/androidpentesting/andbug/MainActivity$1; <831945677304>
   -- accountnumber=12345
   -- v=Landroid/widget/Button; <831945630640>
-- android.view.View.performClick()Z:18
   -- this=Landroid/widget/Button; <831945630640>
   -- li=Landroid/view/View$ListenerInfo; <831945677320>
```

Interesting! We could see the passphrase used to generate the encryption key. When a specific method is invoked, AndBug shows its arguments, as in the above excerpt. This comes in handy in a variety of scenarios during our penetration tests. In the above case the output is truncated, but AndBug shows all the methods of the specified class together with their arguments. As mentioned earlier, you can use the method-trace or mt command to hook into a specific method.

AndBug is an interesting and useful tool that should be in your arsenal during black box assessments of Android applications. I am sure you will also start loving this tool once you have used it.
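Reviewing a long class-trace by eye is where secrets like the one above get missed, so here is an added example (written for this article, not part of AndBug or the target app) that parses the trace layout shown above and lists every argument whose value is shown in the clear rather than as an object reference, mapping AndBug's positional x<N> names back to the Dalvik descriptor types. The "--" frame prefix and the indentation of variable lines are assumptions about AndBug's layout, which the flattened excerpt above no longer shows.

```python
import re

# Added example (not from the article or AndBug): parse AndBug class-trace output and list
# every argument whose value is visible in the clear rather than as an object reference. The
# sample is the article's excerpt; the "--" prefix and variable indentation are assumed.
SAMPLE_TRACE = """\
-- com.androidpentesting.andbug.MainActivity.access$000(Lcom/androidpentesting/andbug/MainActivity;Ljava/lang/String;Ljava/lang/String;)V:6
   -- x2=superstrongsecretkey
   -- x0=Lcom/androidpentesting/andbug/MainActivity; <831945423976>
   -- x1=12345
-- com.androidpentesting.andbug.MainActivity$1.onClick(Landroid/view/View;)V:25
   -- this=Lcom/androidpentesting/andbug/MainActivity$1; <831945677304>
   -- accountnumber=12345
   -- v=Landroid/widget/Button; <831945630640>
"""

# Frames look like "-- <method>(<param descriptors>)<return>:<line>", variables "   -- name=value".
FRAME_RE = re.compile(r"^-- (?P<method>[\w.$]+)\((?P<params>[^)]*)\)(?P<ret>\S+):(?P<line>\d+)$")
VAR_RE = re.compile(r"^\s+-- (?P<name>\w+)=(?P<value>.*)$")
# Object references are printed as a class descriptor followed by an object id.
OBJ_REF_RE = re.compile(r"^L[\w/$]+; <\d+>$")

def split_descriptor(params):
    """Split a Dalvik parameter descriptor such as 'Lcom/x/Y;Ljava/lang/String;I' into one type per argument."""
    return re.findall(r"\[*(?:L[^;]+;|[ZBCSIJFD])", params)

def parse_trace(text):
    """Return the frames of a trace: method, parameter types, line number and the variables shown under it."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"method": m["method"], "params": split_descriptor(m["params"]),
                           "line": int(m["line"]), "vars": {}})
        elif (v := VAR_RE.match(line)) and frames:
            frames[-1]["vars"][v["name"]] = v["value"]
    return frames

def clear_text_arguments(frames):
    """Return (method, name, declared type or None, value) for each variable that is not an object reference.
    AndBug names positional arguments x<N>, so those are mapped back to the N-th descriptor type."""
    found = []
    for f in frames:
        for name, value in f["vars"].items():
            if OBJ_REF_RE.match(value):
                continue
            idx = int(name[1:]) if re.fullmatch(r"x\d+", name) else None
            typ = f["params"][idx] if idx is not None and idx < len(f["params"]) else None
            found.append((f["method"], name, typ, value))
    return found
```

On the sample above this reports x2 (a Ljava/lang/String; argument) as superstrongsecretkey alongside the account number, which is exactly the data a hard-coded passphrase exposes to anyone who can attach a debugger.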