ADB (Android Debug Bridge): The Complete Security Researcher Reference

ADB (Android Debug Bridge) is the Swiss Army knife of Android security testing. Beyond basic device management, ADB exposes powerful capabilities for APK extraction, data forensics, log analysis, and attack surface enumeration. This is the reference guide security researchers bookmark.

Device Connection and APK Extraction

bash — ADB basics
$ adb devices -l
emulator-5554 device product:sdk_gphone64_arm64
RF8N12A8B4E device product:dreamqltesq model:SM-G950F
# Extract APK from device
$ adb shell pm path com.bank.app
package:/data/app/~~AbCdEf==/com.bank.app-XYZ==/base.apk
$ adb pull /data/app/~~AbCdEf==/com.bank.app-XYZ==/base.apk bank.apk
bank.apk: 1 file pulled. 12,453,221 bytes in 0.160s

App Data Extraction and Forensics

bash — data extraction
# Read app private data (run-as only works when the app is debuggable)
$ adb shell "run-as com.bank.app cat /data/data/com.bank.app/shared_prefs/prefs.xml"
<map>
<string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo…</string>
<string name="session_id">sess_a7f2b3c9d4e8f1a6b2c3</string>
</map>

Logcat: Real-Time Log Analysis

Apps frequently log sensitive data in debug builds and sometimes in production builds. Logcat streams those log messages in real time:

bash — logcat
$ adb logcat -v threadtime | grep -i "bank\|auth\|token"
04-22 14:23:01 D AuthManager: Verifying PIN for user: 964032
04-22 14:23:01 I TokenCache: Storing token: Bearer eyJhbGciOiJI…
04-22 14:23:01 D CertPinner: Pin check passed for api.bank.com
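
The grep above, turned into a repeatable leak check for test builds (an added example, not part of the original page): it parses `adb logcat -v threadtime` lines, flags messages carrying bearer tokens, JWTs or PIN/OTP digits, and redacts the value so the report itself is safe to store. The rule set, function names and sample lines are assumptions constructed for illustration.

```python
import re

# One `adb logcat -v threadtime` line. Milliseconds and PID/TID are optional
# so abbreviated lines like the ones quoted above also parse.
LINE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)?\s+(?:\d+\s+\d+\s+)?"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]*?)\s*: ?(?P<msg>.*)$"
)

# Assumed rule set (tune per app); group 1 is the secret. Rules run in order
# and redact their hits, so a JWT sent as a Bearer token is reported once.
RULES = [
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/=-]{8,})")),
    ("jwt", re.compile(r"\b(eyJ[A-Za-z0-9_-]{8,}(?:\.[A-Za-z0-9_-]+){0,2})")),
    ("pin_or_otp", re.compile(r"(?i)\b(?:pin|otp|passcode)\b\D{0,30}?(\d{4,8})\b")),
]

def scan_line(line):
    """Return (findings, redacted_message), or ([], None) if the line does not parse."""
    m = LINE.match(line.rstrip("\r\n"))
    if not m:
        return [], None
    msg, findings = m["msg"], []
    for name, rx in RULES:
        def redact(hit, name=name):
            findings.append({"rule": name, "tag": m["tag"], "level": m["level"]})
            a, b = hit.start(1) - hit.start(), hit.end(1) - hit.start()
            return hit.group()[:a] + "[REDACTED]" + hit.group()[b:]
        msg = rx.sub(redact, msg)
    return findings, msg

def scan(lines):
    """Scan logcat lines; return redacted findings that are safe to store."""
    report = []
    for n, line in enumerate(lines, 1):
        findings, redacted = scan_line(line)
        report += [{"line": n, **f, "message": redacted} for f in findings]
    return report

# Constructed sample input (not captured from a real device or app).
SAMPLE = """\
04-22 14:23:01.512  4211  4240 D AuthManager: Verifying PIN for user: 000000
04-22 14:23:01.530  4211  4240 I TokenCache: Storing token: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl
04-22 14:23:01.541  4211  4251 D CertPinner: Pin check passed for api.example.test
--------- beginning of main
""".splitlines()

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The CertPinner line is not flagged: only the message is scanned, and the PIN rule requires digits after the keyword.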

Component Enumeration and Exploitation

# List exported activities (attack surface)
adb shell dumpsys package com.bank.app | grep -A1 "android.intent.action"

# Launch an exported activity (intent injection)
adb shell am start -n com.bank.app/.ui.DeepLinkActivity \
    -d "bank://transfer?to=attacker&amount=1000"

# Send a broadcast to an exported receiver
adb shell am broadcast -a com.bank.app.ACTION_REFRESH \
    -n com.bank.app/.receivers.DataReceiver

File System and Database Access

# Pull entire app data directory (requires root)
adb pull /data/data/com.bank.app/ ./bank_data/

# Find and dump SQLite databases
adb shell find /data/data/com.bank.app -name "*.db"
adb pull /data/data/com.bank.app/databases/app.db
adb shell sqlite3 /data/data/com.bank.app/databases/app.db .dump

# Check for world-readable files (misconfiguration)
adb shell find /data/data/com.bank.app -perm -004 -ls

Network and Proxy Setup

# Set system proxy (works for Java HttpClient, not Flutter)
adb shell settings put global http_proxy 192.168.1.100:8080

# Install Burp CA certificate
adb push burp-cert.der /sdcard/
adb shell am start -n com.android.certinstaller/.CertInstallerMain \
    -a android.intent.action.VIEW \
    -d file:///sdcard/burp-cert.der

ADB Over WiFi

# Android 11+: wireless pairing
adb pair 192.168.1.105:37149   # enter pairing code from device
adb connect 192.168.1.105:5555   # use the connect port shown on the device's Wireless debugging screen

# Legacy method (USB first)
adb tcpip 5555
adb connect 192.168.1.105:5555

This covers the ADB commands that matter for security testing. Pair this with Frida for dynamic analysis and Jadx for static analysis — the three tools together cover the full mobile penetration testing workflow. For structured practice, see the Mobile Hacking Lab course catalog.