Look what you do to people sometimes, security.
Quote Tweet
OK so - adb push into the data directory of my application is not allowed because of permissions - but i'm allowed to adb push into a temp directory, then adb shell, then run-as, then copy files over - what. why. - that's slow - can i work around it? - how do people live this way
Replying to
it's baffling because there's no security! it makes it really hard to develop code without protecting against any attack i can think of!
Replying to and
The build of an app being debuggable isn't reflected in the app data permissions. It's not a case of security people locking stuff down and making development inconvenient. ADB is a low-level tool and isn't designed to offer a high level user interface.
Replying to and
Debugging on a mobile device isn't done the same way as traditional development, since it's tethered to another host. ADB is the low-level implementation of that bridge between the devices. It's not a debugger or an app development tool.
It's the base for higher-level tools by bridging between the devices. For example it can proxy gdb <-> gdbserver on the device and similarly for jdb, perf, etc. The app layer could be completely different like a desktop Linux stack without app sandboxing and ADB wouldn't change.
I don't quite understand the problem with ADB being implemented as low-level plumbing and higher-level tooling sitting on top of it, but whether or not that's subjectively a good design, the attack on the security engineers and security model doesn't fit or make much sense.
Replying to and
You sort of view adb as an internal interface and, well, there are other views. Adb reflects a security design that has gotten quite locked down, inflexible, and not well documented over the years and pressures. A lot of things look like they should work.
Replying to and
I see. You thought I was complaining about the tool. I was complaining about the permissions jank. Which of course high level tools work around, but then introduce their own headaches about. Spent a manweek building an Android ROM a few weeks ago. Took only a few hrs 6mo ago.
Replying to and
No, I think you're trying to fit complaints about the lack of features in ADB into your narrative about Android security when it doesn't fit. My impression is that would be happy with it integrating the same feature that run-as implements, which it could do.