The latest articles on DEV Community by Ashish Bhatia (@ashishb). https://dev.to/ashishb https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F90784%2Fd10f863f-10ec-4279-89f0-233c4166fcd1.jpeg https://dev.to/ashishb en Ashish Bhatia Wed, 14 Aug 2019 06:00:16 +0000 https://dev.to/ashishb/android-security-don-t-leave-webview-debugging-enabled-in-production-5fo9 https://dev.to/ashishb/android-security-don-t-leave-webview-debugging-enabled-in-production-5fo9 <p>WebView debugging can be enabled via <code>WebView.setWebContentsDebuggingEnabled(true)</code>. Leaving WebView debugging enabled in production Android apps is a bad idea. Anyone who gets hold of the unlocked phone can access the app’s data forever.</p> <p>Consider this, the Tripit app exposes WebView debugging and by using that I can read all the files inside the private data directory. As an example, by connecting a user’s unlocked mobile phone to my laptop, I can extract TripIt OAuthToken.</p> <p>First connect the phone via ADB, open chrome://inspect in the Chrome browser, then enter the following in there.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>window.location="file:///data/data/com.tripit/shared_prefs/com.tripit.xml" document.getElementsByTagName("html")[0].innerHTML </code></pre></div> <p>Now, you can see all the entries like<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>&lt;string name=”oauthTokenSecret”&gt;f731d36cdbf9006f917307…&lt;/string&gt; </code></pre></div> <p>These auth tokens can be copied and used to get permanent access to the user’s TripIt account.</p> <p>Original post at <a href="https://ashishb.net/security/android-security-dont-leave-webview-debugging-enabled-in-production/">ashishb.net</a></p> android security androidsecurity webview Ashish Bhatia Sun, 03 Feb 2019 23:14:11 +0000 https://dev.to/ashishb/introducing-adb-enhanced-a-swiss-army-knife-for-android-development-3b78 https://dev.to/ashishb/introducing-adb-enhanced-a-swiss-army-knife-for-android-development-3b78 <p>Android development requires tons of disconnected approaches for the development and testing. Consider some scenarios</p> <ol> <li>To test runtime permission – Go to Settings -&gt; Applications -&gt; Application info of the app you are looking for and disable that permission.</li> <li>To test a fresh install – <code>adb shell pm clear-data com.example</code> </li> <li>To test your app under the battery saver mode – turn on the battery saver mode by expanding the notification bar</li> <li>To stop the execution of an app – kill it via activity manager, <code>adb shell am kill com.example</code> </li> <li>To test your app under doze mode – first, make the device believe that it is unplugged via <code>adb shell dumpsys battery unplug</code>, then, make it think that it is discharging via <code>adb shell dumpsys battery set status 3</code>, and then enable doze mode via <code>adb shell dumpsys deviceidle force-idle</code>. And don’t forget to execute a set of unrelated complementary commands once you are done to bring the device back to the normal state.</li> <li>To see the overdraw of an app – Go to the developer options and enable/disable it there.</li> </ol> <p>Over time, this became a significant mental burden that I first wrote some of these flows in a text file and then converted them to automated shell scripts. But when even that felt insufficient, I created a tool for myself called adb-enhanced.<br> How it works:<br> First, install the tool. I wrote this in Python, so, if the following command does not work, install Python</p> <p><code>pip3 install adb-enhanced # I would discourage Python 2 based install at this point</code></p> <p>Now, let’s look at the about use-cases again with this tool:</p> <ol> <li>To test a runtime permission :</li> </ol> <div class="highlight"><pre class="highlight plaintext"><code># Use grant instead of revoke to grant the permission adbe permission revoke com.example camera # See all possible such permissions via "adbe -h" # Use grant instead of revoke to grant the permission adbe permission revoke com.example camera # See all possible such permissions via "adbe -h" </code></pre></div> <ol> <li>To test a fresh install –</li> </ol> <div class="highlight"><pre class="highlight plaintext"><code># Unlike adb shell pm clear-data com.example, this command will # produce an error if com.example is not installed # which is good for catching typos adbe clear-data com.example # Unlike adb shell pm clear-data com.example, this command will # produce an error if com.example is not installed # which is good for catching typos adbe clear-data com.example </code></pre></div> <ol> <li>To test your app under the battery saver mode –</li> </ol> <div class="highlight"><pre class="highlight plaintext"><code># As you would guess, use "off" to turn the battery saver off adbe battery saver on # As you would guess, use "off" to turn the battery saver off adbe battery saver on </code></pre></div> <ol> <li>To stop the execution of an app –</li> </ol> <div class="highlight"><pre class="highlight plaintext"><code># For a more aggressive kill, try adbe force-stop com.example adbe stop com.example </code></pre></div> <ol> <li>To test your app under doze mode</li> </ol> <div class="highlight"><pre class="highlight plaintext"><code>adbe doze on # Use "off" to turn the doze mode off </code></pre></div> <ol> <li>To see the overdraw of the app</li> </ol> <div class="highlight"><pre class="highlight plaintext"><code>adbe overdraw on </code></pre></div> <p>I open-sourced the code at <a href="https://github.com/ashishb/adb-enhanced">https://github.com/ashishb/adb-enhanced</a>. See the GitHub repository for what all this tool can do. Feedbacks and pull requests are welcome.</p> android androiddevelopment adb