Secure USB debugging in Android 4.2.2
It seems we somehow managed to let two months slip by without a single post. Time to get back on track, and the recently unveiled Android maintenance release provides a nice opportunity to jump start things. Official release notes for Android 4.2.2 don't seem to be available at this time, but it made its way into AOSP quite promptly, so you can easily compile your own changelog based on git log messages. Or, you can simply check the now traditional one over at Funky Android. As you can see, there are quite a few changes, and if you want a higher level overview your time would probably be better spent reading some of the related posts by the usual suspects. Deviating from our usually somewhat obscure topics, we will focus on a new security feature that is quite visible and has received a fair bit of attention already. It was even introduced on the official Android Developers Blog, fortunately for us only in brief. As usual, we like to dig a little deeper, so if you are interested in more details about the shiny new secure debugging feature, read on.
Why bother securing debugging?
If you have done development in any programming environment, you know that 'debugging' is usually the exact opposite of 'secure'. Debugging typically involves inspecting (and sometimes even changing) internal program state, dumping encrypted communication data to log files, universal root access and other scary, but necessary activities. It is hard enough without having to bother with security, so why further complicate things by making developers jump through security hoops? As it turns out, Android debugging, as provided by the Android Debug Bridge (ADB), is quite versatile and gives you almost complete control over a device when enabled. This is, of course, very welcome if you are developing or testing an application (or the OS itself), but can also be used for other purposes. Before we give an overview of those, here is a (non-exhaustive) list of things ADB lets you do:
- debug apps running on the device (using JDWP)
- install and remove apps
- copy files to and from the device
- execute shell commands on the device
- get the system and apps logs
By now you should be at least concerned about leaving ADB access wide open, so let's see what are some ways to secure it.
Securing ADB
Despite some innovative attacks, none of the above is particularly new, but it has remained mostly unaddressed, probably because debugging is a developer feature regular users don't even know about. There have been some third-party solutions though, so let's briefly review those before introducing the one implemented in the core OS. Two of the more popular apps that allow you to control USB debugging are ADB Toggle and AdbdSecure. They automatically disable ADB debugging when the device is locked or unplugged, and enable it again when you unlock it or plug in the USB cable. This is generally sufficient protection, but has one major drawback -- starting and stopping the `adbd` daemon requires root access. If you want to develop and test apps on a device with stock firmware, you still have to disable debugging manually. Root access typically goes hand-in-hand with running custom firmware -- you usually need root access to flash a new ROM version (or at least it makes it much easier) and some of the apps shipping with those ROMs take advantage of root access to give you extra features not available in the stock OS (full backup, tethering, firewalls, etc.). As a result of this, custom ROMs have traditionally shipped with root access enabled (typically in the form of a SUID `su` binary and an accompanying 'Superuser' app). Thus, once you installed your favourite custom ROM you were automatically 'rooted'. CyanogenMod (which has over a million users and growing) changed this about a year ago by disabling root access in their ROMs and giving you the option to enable it for apps only, for ADB or for both. This is not a bad compromise -- you can both run root apps and have ADB enabled without exposing your device too much, and it can be used in combination with an app that automates toggling ADB for even more control. Of course, these solutions don't apply to the majority of Android users -- those running stock OS versions.

The first step in making ADB access harder to reach was taken in Android 4.2 which hid the 'Developer options' settings screen, requiring you to use a secret knock in order to enable it. While this is mildly annoying for developers, it makes sure that most users cannot enable ADB access by accident. This is, of course, only a stop-gap measure, and once you manage to turn USB debugging on, your device is once again vulnerable. A proper solution was introduced in the 4.2.2 maintenance release with the so called 'secure USB debugging' (it was actually committed almost a year ago, but for some reason didn't make it into the original JB release).

'Secure' here refers to the fact that only hosts explicitly authorized by the user can now connect to the `adbd` daemon on the device and execute debugging commands. Thus if someone tries to connect a device to another one via USB in order to access ADB, they need to first unlock the target device and authorize access from the debug host by clicking 'OK' in the confirmation dialog shown below. You can make your decision persistent by checking the 'Always allow from this computer' checkbox, and debugging will work just as before, as long as you are on the same machine. One thing to note is that on tablets with multi-user support the confirmation dialog is only shown to the primary (administrator) user, so you will need to switch to it in order to enable debugging. Naturally this 'secure debugging' is only effective if you have a reasonably secure lock screen password in place, but everyone has one of those, right? That's pretty much all you need to know in order to secure your developer device, but if you are interested in how all of this is implemented under the hood, proceed to the next sections. We will first give a very brief overview of the ADB architecture and then show how it has been extended in order to support authenticated debugging.
ADB overview
The Android Debug Bridge serves two main purposes: it keeps track of all devices (or emulators) connected to a host, and it offers various services to its clients (command line clients, IDEs, etc.). It consists of three main components: the ADB server, the ADB daemon (`adbd`) and the default command line client (`adb`). The ADB server runs on the host machine as a background process and decouples clients from the actual devices or emulators. It monitors device connectivity and sets their state appropriately (`CONNECTED`, `OFFLINE`, `RECOVERY`, etc.). The ADB daemon runs on an Android device (or emulator) and provides the actual services clients use. It connects to the ADB server through USB or TCP/IP, and receives and processes commands from it. Finally, `adb` is the command line client that lets you send commands to a particular device. In practice it is implemented in the same binary as the ADB server and thus shares much of its code.

The client talks to the local ADB server via TCP (typically via `localhost:5037`) using text based commands, and receives `OK` or `FAIL` responses in return. Some commands, like enumerating devices, port forwarding or daemon restart are handled by the local daemon, and some (e.g., shell or log access) naturally require a connection to the target Android device. Device access is generally accomplished by forwarding input and output streams to/from the host. The transport layer that implements this uses simple messages with a 24 byte header and an optional payload to exchange commands and responses. We will not go into further details about those, but will only note the newly added authentication commands in the next section. For more details refer to the protocol description in `system/core/adb/protocol.txt` and this presentation which features quite a few helpful diagrams and examples.
Secure ADB implementation
The ADB host authentication functionality is enabled by default when the `ro.adb.secure` system property is set to 1, and there is no way to disable it via the system settings interface (which is a good thing). The device is initially in the `OFFLINE` state and only goes into the `ONLINE` state once the host has authenticated. As you may already know, hosts use RSA keys in order to authenticate to the ADB daemon on the device. Authentication is typically a three step process:
- After a host tries to connect, the device sends an `AUTH` message of type `TOKEN` that includes a 20 byte random value (read from `/dev/urandom`).
- The host responds with a `SIGNATURE` packet that includes a SHA1withRSA signature of the random token with one of its private keys.
- The device tries to verify the received signature, and if signature verification succeeds, it responds with a `CONNECT` message and goes into the `ONLINE` state. If verification fails, either because the signature value doesn't match or because there is no corresponding public key to verify with, the device sends another `AUTH TOKEN` with a new random value, so that the host can try authenticating again (slowing down if the number of failures goes over a certain threshold).
`AUTH RSAPUBLICKEY` message. The device takes the MD5 hash of that key and displays it in the 'Allow USB debugging' confirmation dialog. Since `adbd` is a native daemon, the key needs to be passed to the main Android OS. This is accomplished by simply writing the key to a local socket (aptly named 'adbd'). When you enable ADB debugging from the developer settings screen, a thread that listens to the 'adbd' socket is started. When it receives a message starting with `"PK"` it treats it as a public key, parses it, calculates the MD5 hash and displays the confirmation dialog (an activity actually, part of the `SystemUI` package). If you tap 'OK', it sends a simple `"OK"` response and `adbd` uses the key to verify the authentication message (otherwise it just stays offline). In case you check the 'Always allow from this computer' checkbox, the public key is written to disk and automatically used for signature verification the next time you connect to the same host. The allow/deny debugging functionality, along with starting/stopping the `adbd` daemon, is exposed as public methods of the `UsbDeviceManager` system service.
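The message framing and the exchange described above, as an added example that is not code from the original post or from AOSP: a parser for the 24-byte header that checks a constructed first-connection trace for token length and token reuse. The field layout, the command constants and the byte-sum checksum follow AOSP's `system/core/adb/protocol.txt` rather than this page; `review_handshake` and the trace are hypothetical.

```python
import os
import struct

# Layout and constants follow AOSP system/core/adb/protocol.txt (not this page).
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic
A_CNXN, A_AUTH = 0x4E584E43, 0x48545541
AUTH_TYPES = {1: "TOKEN", 2: "SIGNATURE", 3: "RSAPUBLICKEY"}
MASK = 0xFFFFFFFF


def pack(command, arg0, arg1, payload=b""):
    """Build one message: 24-byte header followed by the optional payload."""
    return HEADER.pack(command, arg0, arg1, len(payload),
                       sum(payload) & MASK, command ^ MASK) + payload


def parse(msg):
    """Validate one message and return (label, payload)."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated header")
    cmd, arg0, _arg1, length, check, magic = HEADER.unpack_from(msg)
    payload = msg[HEADER.size:]
    if magic != cmd ^ MASK:
        raise ValueError("magic does not match command")
    if len(payload) != length or sum(payload) & MASK != check:
        raise ValueError("payload length or checksum mismatch")
    if cmd == A_AUTH:
        if arg0 not in AUTH_TYPES:
            raise ValueError("unknown AUTH type")
        return "AUTH " + AUTH_TYPES[arg0], payload
    return struct.pack("<I", cmd).decode("ascii", "replace"), payload


def review_handshake(trace):
    """Walk (sender, bytes) pairs; return (labels, findings, online)."""
    labels, findings, tokens = [], [], set()
    for sender, raw in trace:
        label, payload = parse(raw)
        labels.append(f"{sender}: {label}")
        if label == "AUTH TOKEN":
            if len(payload) != 20:
                findings.append("token is not 20 bytes")
            if payload in tokens:
                findings.append("token reused after a failed attempt")
            tokens.add(payload)
    # The device only comes online once it answers with its own CNXN.
    online = bool(trace) and trace[-1][0] == "device" and labels[-1].endswith("CNXN")
    return labels, findings, online


# Constructed trace: first connection from a host the device has not seen.
# The signature cannot be verified, so the host then offers its public key.
FIRST_CONNECT = [
    ("host", pack(A_CNXN, 0x01000000, 4096, b"host::\0")),
    ("device", pack(A_AUTH, 1, 0, os.urandom(20))),
    ("host", pack(A_AUTH, 2, 0, bytes(256))),               # placeholder signature
    ("device", pack(A_AUTH, 1, 0, os.urandom(20))),         # fresh token after failure
    ("host", pack(A_AUTH, 3, 0, b"QUFBQQ== dev@host\0")),   # placeholder key
    ("device", pack(A_CNXN, 0x01000000, 4096, b"device::\0")),
]

if __name__ == "__main__":
    for line in review_handshake(FIRST_CONNECT)[0]:
        print(line)
```
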
We've described the ADB authentication protocol in some detail, but haven't said much about the actual keys used in the process. Those are 2048-bit RSA keys and are generated by the local ADB server. They are typically stored in `$HOME/.android` as `adbkey` and `adbkey.pub`. On Windows that usually translates to `%USERPROFILE%\.android`, but keys might end up in `C:\Windows\System32\config\systemprofile\.android` in some cases (see issue 49465). The default key directory can be overridden by setting the `ANDROID_SDK_HOME` environment variable. If the `ADB_VENDOR_KEYS` environment variable is set, the directory it points to is also searched for keys. If no keys are found in any of the above locations, a new key pair is generated and saved. On the device, keys are stored in the `/data/misc/adb/adb_keys` file, and new authorized keys are appended to the same file as you accept them. Read-only 'vendor keys' are stored in the `/adb_keys` file, but it doesn't seem to exist on current Nexus devices. The private key is in standard OpenSSL PEM format, while the public one consists of the Base 64 encoded key followed by a `user@host` user identifier, separated by space. The user identifier doesn't seem to be used at the moment and is only meaningful on Unix-based OSes; on Windows it is always 'unknown@unknown'.

While the USB debugging confirmation dialog helpfully displays a key fingerprint to let you verify you are connected to the expected host, the `adb` client doesn't have a handy command to print the fingerprint of the host key. You might think that there is little room for confusion: after all there is only one cable plugged to a single machine, but if you are running a couple of VMs, things can get a little fuzzy. Here's one way of displaying the host key's fingerprint in the same format the confirmation dialog uses (run in `$HOME/.android` or specify the full path to the public key file):

    awk '{print $1}' < adbkey.pub|openssl base64 -A -d -a \
    |openssl md5 -c|awk '{print $2}'|tr '[:lower:]' '[:upper:]'
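An added example (not from the original post) that generalizes the one-liner above to a whole key list such as `/data/misc/adb/adb_keys`: it computes the dialog-style fingerprint of every entry and marks keys that are malformed, duplicated or not in a set of hosts you expect. `audit_adb_keys`, the sample lines and the short stand-in key blobs are constructed for illustration.

```python
import base64
import binascii
import hashlib


def fingerprint(pubkey_b64):
    """MD5 of the decoded key, as colon-separated upper-case hex."""
    blob = base64.b64decode(pubkey_b64, validate=True)
    digest = hashlib.md5(blob).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_adb_keys(text, expected):
    """Return (fingerprint, identifier, status) for every non-empty line.

    text:     contents of an adb_keys or adbkey.pub file
    expected: set of fingerprints of hosts that should be authorized
    """
    seen = set()
    report = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Second field is the user@host identifier; it may be absent.
        ident = fields[1] if len(fields) > 1 else "(none)"
        try:
            fp = fingerprint(fields[0])
        except (binascii.Error, ValueError):
            report.append((None, ident, "malformed"))
            continue
        if fp in seen:
            status = "duplicate"
        elif fp in expected:
            status = "expected"
        else:
            status = "unexpected"
        seen.add(fp)
        report.append((fp, ident, status))
    return report


# Constructed sample: short stand-in blobs, not real 2048-bit keys.
SAMPLE = "\n".join([
    "YWJj dev@workstation",
    "aGVsbG8= unknown@unknown",
    "YWJj dev@workstation",
    "not*base64 x@y",
])
KNOWN_HOSTS = {"90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72"}

if __name__ == "__main__":
    for fp, ident, status in audit_adb_keys(SAMPLE, KNOWN_HOSTS):
        print(f"{status:10} {ident:20} {fp}")
```
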
We've reviewed how secure ADB debugging is implemented and have shown why it is needed, but just to show that all of this solves a real problem, we'll finish off with a screenshot of what a failed ADB attack against a 4.2.2 device from another Android device looks like:
Summary
Android 4.2.2 finally adds a means to control USB access to the ADB daemon by requiring debug hosts to be explicitly authorized by the user and added to a whitelist. This helps prevent information extraction via USB which requires only brief physical access and has been demonstrated to be quite effective. While secure debugging is not a feature most users will ever use directly, along with full disk encryption and a good screen lock password, it goes a long way towards making developer devices more secure.