ADB (Android Debug Bridge) is the primary interface for controlling, modifying, inspecting, and attacking Android devices during pentesting. It provides direct shell access, file operations, package management, log extraction, activity launching, service triggering, component testing, and full device-level manipulation. This chapter gives a complete, practical, full-length ADB reference focused entirely on pentesting usage.
## Installing and Verifying ADB
Install platform tools:
- Windows/macOS/Linux: download from Android Developer Tools
- Extract tools → open terminal inside folder
Check ADB version:
adb version
Verify device detection:
adb devices
If the device shows “unauthorized”, check the prompt on the device screen and allow USB debugging.
## Connecting Devices (USB + Wireless)
### USB
Enable Developer Options → enable USB Debugging.
Connect device with cable:
adb devices
The output should list your device.
### Wireless ADB
Connect over TCP (run the first command while the device is still connected over USB):
adb tcpip 5555
adb connect <device_ip>:5555
Verify:
adb devices
Wireless ADB is useful for pentesting when USB is not convenient.
## Entering ADB Shell
Use shell to run Linux commands inside Android:
adb shell
Become root (if device is rooted):
su
Check path:
which su
## File System Navigation
List root directory:
adb shell ls /
List app directory structure:
adb shell ls /data/data/
Check inside a specific package:
adb shell ls /data/data/<package>/
## Pulling Files (Extracting Sensitive Data)
Pull SharedPreferences (adbd must be running as root to read /data/data):
adb pull /data/data/<package>/shared_prefs/ prefs/
Pull SQLite databases:
adb pull /data/data/<package>/databases/ dbs/
Pull entire app data:
adb pull /data/data/<package>/ .
These actions expose:
- Tokens
- User data
- PII
- API keys
- Logs
- Credentials
## Pushing Files (Dropping Payloads)
Push Frida server:
adb push frida-server /data/local/tmp/
Push modified APK or config file:
adb push file /sdcard/
Push custom hosts file (needs root and a writable system partition; see the remount steps under "Editing system files"):
adb push hosts /system/etc/hosts
## Installing and Uninstalling APKs
Install:
adb install app.apk
Reinstall:
adb install -r app.apk
Downgrade install:
adb install -r -d app.apk
Uninstall:
adb uninstall com.app.package
## Activity & Component Testing
### List all packages
adb shell pm list packages
### Launch an Activity (Manual Trigger)
adb shell am start -n com.app/.MainActivity
Start with parameters:
adb shell am start -n com.app/.Login --es user test --es pass 1234
### Trigger a Service
adb shell am startservice -n com.app/.SyncService
### Trigger a Broadcast Receiver
adb shell am broadcast -a com.app.CUSTOM_ACTION
### Query a Content Provider
adb shell content query --uri content://com.app.provider/users
Content providers often leak entire databases.
## Managing Permissions
Grant permission:
adb shell pm grant com.app android.permission.CAMERA
Revoke permission:
adb shell pm revoke com.app android.permission.ACCESS_FINE_LOCATION
List permissions of an app:
adb shell dumpsys package com.app | grep permission
Pentesters use this to break app flows and discover missing validation.
## Dumping System and App Information
Package info:
adb shell dumpsys package com.app
Activity info:
adb shell dumpsys activity activities
Battery info:
adb shell dumpsys battery
Network info:
adb shell dumpsys connectivity
These dumps often expose:
- Backend endpoints
- API URLs
- Debug flags
- Environment variables
- Authentication tokens
## Logcat for Debugging & Data Leakage
Real-time logs:
adb logcat
Filter logs:
adb logcat | grep com.app
Clear logs:
adb logcat -c
Logcat is crucial for discovering leaked secrets, crash traces, backend URLs, or insecure debug messages.
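To turn a captured log into reportable findings, the output can be parsed instead of read by eye. The scanner below is an added example, not part of the original reference; it assumes logcat's `threadtime` line format, the log lines are constructed, and the rule set is illustrative rather than exhaustive.

```python
import re

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LINE = re.compile(r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+(\d+)\s+\d+\s+([VDIWEFA])\s+(.*?)\s*: (.*)$")

RULES = [
    ("jwt", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")),
    ("bearer", re.compile(r"(?i)\bbearer\s+([\w.~+/-]{16,})")),
    ("credential", re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|secret|token)\s*[=:]\s*(\S+)")),
    ("url", re.compile(r"https?://[^\s\"']+")),
]

# Constructed log lines; tags, PIDs, host name and token values are made up.
SAMPLE = """\
11-20 10:15:32.101  4321  4321 D AuthRepo: login ok, token=CONSTRUCTED-abc123
11-20 10:15:32.250  4321  4388 I OkHttp  : --> GET https://api.example.invalid/v1/profile
11-20 10:15:33.007  4321  4388 D OkHttp  : Authorization: Bearer CONSTRUCTEDconstructed0000
11-20 10:15:33.400   812   900 W WifiService: scan throttled
"""

def scan_logcat(text, pid=None):
    """Return findings for each log line, optionally limited to one process ID."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or (pid is not None and int(m.group(1)) != pid):
            continue
        _, level, tag, msg = m.groups()
        for kind, rule in RULES:
            hit = rule.search(msg)
            if hit:
                value = hit.group(hit.lastindex or 0)
                if kind != "url":  # keep endpoints readable, redact secret material
                    value = value[:4] + "***"
                findings.append({"tag": tag, "level": level, "kind": kind, "value": value})
    return findings

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE, pid=4321):
        print(f)
```

Filtering on the app's process ID is more reliable than grepping for the package name, because most log lines carry a tag rather than the package.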
## Rebooting & Boot Modes
Normal reboot:
adb reboot
Bootloader:
adb reboot bootloader
Recovery:
adb reboot recovery
These are required during rooting, flashing, or patching workflows.
## Network Manipulation
### Test network connectivity from device
adb shell ping 8.8.8.8
Check DNS:
adb shell getprop net.dns1
### Set proxy (system-wide)
adb shell settings put global http_proxy <ip>:<port>
Unset:
adb shell settings put global http_proxy :0
## Editing system files (Root Required)
Remount system partition (adb root works only on userdebug/eng builds, which includes most emulator images):
adb root
adb remount
Edit hosts file:
adb shell
su
echo "10.0.2.2 api.target.com" >> /system/etc/hosts
Used for redirecting traffic to your own server.
## Running Commands as Root
adb shell
su
Change file permissions:
chmod 644 file
Change file ownership:
chown root:root file
Root commands allow deep exploitation and OS-level modifications.
## Port Forwarding for Pentesting
Forward local port to device:
adb forward tcp:8888 tcp:8080
Useful for:
- Frida
- Debuggers
- Intercepting custom ports
Reverse forward:
adb reverse tcp:8080 tcp:8080
Used to let an app on the device reach a server that is listening on the PC's localhost.
## Pulling Full Backup (If allowBackup = true)
adb backup -apk -shared -all -f backup.ab
Convert backup (unencrypted backups only; needs an OpenSSL build with zlib support):
dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
Inspect files from backup.
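The `dd` one-liner skips a fixed 24 bytes, which matches the header of an unencrypted backup with a single-digit format version. The parser below is an added example, not part of the original reference; it reads the header lines instead, rejects encrypted backups, and lists the archive contents. The sample backup it builds is constructed.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_ab_header(stream):
    """Read the four header lines: magic, format version, compression flag, encryption."""
    magic, version, compressed, encryption = (stream.readline().rstrip(b"\n") for _ in range(4))
    if magic != MAGIC:
        raise ValueError("not an Android backup file")
    return {"version": int(version), "compressed": compressed == b"1",
            "encryption": encryption.decode("ascii")}

def ab_to_tar_bytes(data):
    """Return the tar archive contained in an unencrypted .ab blob."""
    stream = io.BytesIO(data)
    header = parse_ab_header(stream)
    if header["encryption"] != "none":
        # Encrypted backups carry extra key lines after the header; dd + zlib cannot read them.
        raise ValueError("encrypted backup (%s): password required" % header["encryption"])
    payload = stream.read()
    return zlib.decompress(payload) if header["compressed"] else payload

def list_backup(data):
    """List member names in the backup's tar payload."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar_bytes(data))) as tar:
        return tar.getnames()

def build_sample_ab(encryption="none"):
    """Constructed sample: a tiny backup holding one fake shared_prefs file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"<map><string name='token'>CONSTRUCTED</string></map>"
        info = tarfile.TarInfo("apps/com.app/sp/prefs.xml")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    head = MAGIC + b"\n5\n1\n" + encryption.encode() + b"\n"
    return head + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    print(list_backup(build_sample_ab()))
```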
## Killing & Restarting Apps
Kill an app:
adb shell am force-stop com.app
Clear app data:
adb shell pm clear com.app
Restart:
adb shell monkey -p com.app -c android.intent.category.LAUNCHER 1
This helps reset the environment quickly.
---
## Full Pentester ADB Workflow
1. Detect and connect device
2. Install target APK
3. Decode manifest and extract components
4. Launch exported activities
5. Trigger services manually
6. Send fake broadcasts
7. Query content providers
8. Pull /data/data for insecure storage
9. Use logcat for secret discovery
10. Grant/revoke permissions for logic testing
11. Route traffic through proxy
12. Push Frida + start server
13. Modify hosts file for redirection
14. Intercept, manipulate, and exploit traffic
ADB is your primary weapon for controlling the entire device environment.
---
# Intel Dump
- ADB provides full device control for pentesting
- Supports installing apps, launching components, and pulling sensitive files
- Shell access enables system-level operations
- Permissions can be granted/revoked dynamically
- Activities, services, receivers, and providers can be triggered manually
- Rooted devices allow deep system modifications
- Logcat exposes secrets, debug data, and API details
- Proxy routing and hosts editing enable traffic manipulation
- Port forwarding supports Frida and debugging workflows