security - secure adb

CTS case: testUsbDebugging:
Android: Lollipop

1. What secure adb changes

When ro.adb.secure=1 is set:

For devices without a USB gadget driver:

(1) A vendor key is only honoured from /adb_keys, not from /data/misc/adb/adb_keys (that file is written by the framework when the user taps "Always allow" in the confirmation dialog).
So if you do not want to see the confirmation dialog at all:
put the host's ~/.android/adbkey.pub into the root directory as /adb_keys (one public key per line).

(2) Key verification checks the username/hostname recorded with the key (adb appends " user@host" to the public key line in adbkey.pub), so another host presenting the same RSA key does not work. (We can work around this on the host machine.) The build-time values on the device:
[ro.build.host]: [my_host]
[ro.build.user]: [my_name]

(3) An adb connection over the network does not trigger the AUTH confirmation dialog. This is a Google bug; we can fix it locally, see the attachment at the end of this note.
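To check what (1) and (2) above actually put on the device, here is an added example (not code from the Android tree) that parses an adbkey.pub / adb_keys line, validates the key blob and prints the fingerprint the "Allow USB debugging?" dialog shows, so a host key can be compared against the dialog before tapping "Always allow". It assumes the mincrypt RSAPublicKey layout adb uses (len, n0inv, n[64], rr[64], exponent; little-endian; 524 bytes for a 2048-bit key) and that the dialog fingerprint is the MD5 of the base64-decoded key in upper-case colon-separated hex. The sample key is constructed in the code from a made-up odd 2048-bit integer, not a real RSA modulus.

```python
"""Parse, validate and fingerprint adb public key lines (adbkey.pub / adb_keys).

Added example for these notes; not code from the Android tree. Assumes the
RSAPublicKey struct layout from adb's mincrypt and the MD5-based fingerprint
shown by the USB debugging confirmation dialog.
"""
import base64
import hashlib
import struct

RSA_NUM_WORDS = 64                               # 2048-bit modulus = 64 x uint32
BLOB_SIZE = 4 + 4 + 4 * RSA_NUM_WORDS * 2 + 4    # len + n0inv + n + rr + exponent = 524


def split_key_line(line):
    """Split a key line into (base64 key, comment).

    adb writes "<base64> user@host"; the first whitespace-separated token is the key.
    """
    parts = line.strip().split(None, 1)
    if not parts:
        raise ValueError("empty key line")
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_adb_pubkey(line):
    """Decode one key line and sanity-check the mincrypt fields."""
    key_b64, comment = split_key_line(line)
    blob = base64.b64decode(key_b64, validate=True)
    if len(blob) != BLOB_SIZE:
        raise ValueError("unexpected key size %d (want %d)" % (len(blob), BLOB_SIZE))
    nwords, n0inv = struct.unpack_from("<iI", blob, 0)
    if nwords != RSA_NUM_WORDS:
        raise ValueError("unexpected word count %d" % nwords)
    off = 8
    n = int.from_bytes(blob[off:off + 4 * nwords], "little")     # modulus, little-endian words
    off += 4 * nwords
    rr = int.from_bytes(blob[off:off + 4 * nwords], "little")    # R^2 mod n, R = 2^(32*len)
    off += 4 * nwords
    (exponent,) = struct.unpack_from("<i", blob, off)
    # n0inv must be -n[0]^-1 mod 2^32 and rr must be R^2 mod n, or the key blob is corrupt.
    if ((n & 0xFFFFFFFF) * n0inv) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError("n0inv does not match modulus")
    if rr != pow(2, 2 * 32 * nwords, n):
        raise ValueError("rr does not match modulus")
    if exponent not in (3, 65537):
        raise ValueError("unexpected exponent %d" % exponent)
    return {"modulus": n, "exponent": exponent, "comment": comment, "blob": blob}


def fingerprint(line):
    """MD5 of the decoded key, formatted like the confirmation dialog (comment ignored)."""
    key_b64, _ = split_key_line(line)
    digest = hashlib.md5(base64.b64decode(key_b64)).digest()
    return ":".join("%02X" % b for b in digest)


def load_adb_keys(text):
    """Parse an /adb_keys file: one key per line, blank lines skipped."""
    return [parse_adb_pubkey(l) for l in text.splitlines() if l.strip()]


def encode_adb_pubkey(n, exponent, comment):
    """Inverse of parse_adb_pubkey; used here only to build a constructed sample key."""
    n0inv = (-pow(n & 0xFFFFFFFF, -1, 1 << 32)) % (1 << 32)
    rr = pow(2, 2 * 32 * RSA_NUM_WORDS, n)
    blob = struct.pack("<iI", RSA_NUM_WORDS, n0inv)
    blob += n.to_bytes(4 * RSA_NUM_WORDS, "little")
    blob += rr.to_bytes(4 * RSA_NUM_WORDS, "little")
    blob += struct.pack("<i", exponent)
    return base64.b64encode(blob).decode() + " " + comment


# Constructed sample: an odd 2048-bit integer standing in for a modulus (not a real RSA key).
SAMPLE_MODULUS = (1 << 2047) | (0x0123456789ABCDEF << 1000) | 0x10001 | 1
SAMPLE_LINE = encode_adb_pubkey(SAMPLE_MODULUS, 65537, "builder@buildhost")

if __name__ == "__main__":
    info = parse_adb_pubkey(SAMPLE_LINE)
    print("comment:    ", info["comment"])
    print("exponent:   ", info["exponent"])
    print("fingerprint:", fingerprint(SAMPLE_LINE))
```

Run it against a real ~/.android/adbkey.pub line to get the fingerprint to expect in the dialog; the comment part is ignored for the fingerprint, so two lines carrying the same key with different user@host comments print the same value.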

For devices with a USB gadget driver:

(1) An adb connection triggers the AUTH dialog, and the user decides whether to allow it.

2. How to enable secure adb

Enable secure adb in the product config (product.mk), for user builds only:
ifeq ($(TARGET_BUILD_VARIANT),user)
ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
endif

or (ADDITIONAL_DEFAULT_PROPERTIES ends up in /default.prop in the ramdisk, PRODUCT_PROPERTY_OVERRIDES in /system/build.prop):

ifeq ($(TARGET_BUILD_VARIANT),user)
PRODUCT_PROPERTY_OVERRIDES += ro.adb.secure=1
endif

3. For developers

How to debug adbd

/data/adb is where adbd writes its trace output when persist.adb.trace_mask is set.

adb keygen

commit 86c9e5f7e20a3f1712038ce642628c2e1e866434
Author: Nick Kralevich <nnk@google.com>
Date:   Thu Nov 13 15:17:29 2014 -0800

    Introduce "adb keygen"

    Introduce the "adb keygen" command.

      Usage: adb keygen <filename>

    This command creates an adb public/private key pair in a user
    specified file. This can be used to create new adb keys, or rotate
    existing keys.

Attachment: Workaround for network adb

File: frameworks/base/services/usb/java/com/android/server/usb/UsbService.java
Cause: UsbService only creates UsbDeviceManager if /sys/class/android_usb exists; on a device without it, the adb debugging listener that shows the AUTH dialog is never started.

Fix:

---
 services/usb/java/com/android/server/usb/UsbDeviceManager.java | 3 ++-
 services/usb/java/com/android/server/usb/UsbService.java       | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/services/usb/java/com/android/server/usb/UsbDeviceManager.java b/services/usb/java/com/android/server/usb/UsbDeviceManager.java
index f3fa747..42654c7 100644
--- a/services/usb/java/com/android/server/usb/UsbDeviceManager.java
+++ b/services/usb/java/com/android/server/usb/UsbDeviceManager.java
@@ -355,7 +355,8 @@ public class UsbDeviceManager {
                 }

                 mCurrentFunctions = getDefaultFunctions();
-                String state = FileUtils.readTextFile(new File(STATE_PATH), 0, null).trim();
+                //String state = FileUtils.readTextFile(new File(STATE_PATH), 0, null).trim();
+                String state = "null_state";
                 updateState(state);
                 mAdbEnabled = containsFunction(mCurrentFunctions, UsbManager.USB_FUNCTION_ADB);

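Review bot: replacing the STATE_PATH read with the fixed string "null_state" feeds updateState() a value that matches no real USB state, so the connected/configured bookkeeping derived from it is silently wrong on every device, including ones that do have the gadget driver. If the aim is to tolerate a missing state file, keep the read and handle its failure (catch the exception, or check the file exists first) and fall back to a defined disconnected state instead; also delete the commented-out line rather than leaving it in.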
diff --git a/services/usb/java/com/android/server/usb/UsbService.java b/services/usb/java/com/android/server/usb/UsbService.java
index fd83f92..919ea90 100644
--- a/services/usb/java/com/android/server/usb/UsbService.java
+++ b/services/usb/java/com/android/server/usb/UsbService.java
@@ -99,9 +99,9 @@ public class UsbService extends IUsbManager.Stub {
         if (pm.hasSystemFeature(PackageManager.FEATURE_USB_HOST)) {
             mHostManager = new UsbHostManager(context);
         }
-        if (new File("/sys/class/android_usb").exists()) {
+        //if (new File("/sys/class/android_usb").exists()) {
             mDeviceManager = new UsbDeviceManager(context);
-        }
+        //}

         setCurrentUser(UserHandle.USER_OWNER);

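Review bot: commenting out the /sys/class/android_usb guard means UsbDeviceManager is now constructed on devices that have no gadget driver at all, which is exactly the case the guard was protecting against, and the dead lines are left in the file. Since the goal is only to get the adb AUTH listener running for network adb, prefer starting that listener on its own, gated on ro.adb.secure, and keep the guard for the rest of UsbDeviceManager; if the guard really must go, remove the lines instead of commenting them out.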
--