Phone crashes in setProxy() on Android in large-scale analysis

[baltpeter]

In the analysis for tweaselORG/meta#16 (source: https://github.com/tweaselORG/experiments/tree/main/cert-pinning-bypass), I get the following error maybe every couple hundred runs:

/home/benni/coding/JS/tweasel/experiments/cert-pinning-bypass/node_modules/execa/lib/error.js:59
		error = new Error(message);
		        ^


Error: Command failed with exit code 224: /home/benni/.cache/andromatic/platform-tools/adb shell am broadcast -a com.wireguard.android.action.SET_TUNNEL_UP -n 'com.wireguard.android/.model.TunnelManager$IntentReceiver' -e tunnel appstraction
Broadcasting: Intent { act=com.wireguard.android.action.SET_TUNNEL_UP flg=0x400000 cmp=com.wireguard.android/.model.TunnelManager$IntentReceiver (has extras) }
cmd: Failure calling service activity: Broken pipe (32)
    at makeError (/home/benni/coding/JS/tweasel/experiments/cert-pinning-bypass/node_modules/execa/lib/error.js:59:11)
    at handlePromise (/home/benni/coding/JS/tweasel/experiments/cert-pinning-bypass/node_modules/execa/index.js:124:26)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Object.setProxy (/home/benni/coding/JS/tweasel/experiments/cert-pinning-bypass/node_modules/appstraction/dist/index.js:1026:17) {
  shortMessage: "Command failed with exit code 224: /home/benni/.cache/andromatic/platform-tools/adb shell am broadcast -a com.wireguard.android.action.SET_TUNNEL_UP -n 'com.wireguard.android/.model.TunnelManager$IntentReceiver' -e tunnel appstraction",
  command: "/home/benni/.cache/andromatic/platform-tools/adb shell am broadcast -a com.wireguard.android.action.SET_TUNNEL_UP -n 'com.wireguard.android/.model.TunnelManager$IntentReceiver' -e tunnel appstraction",
  escapedCommand: `"/home/benni/.cache/andromatic/platform-tools/adb" shell am broadcast -a com.wireguard.android.action.SET_TUNNEL_UP -n "'com.wireguard.android/.model.TunnelManager$IntentReceiver'" -e tunnel appstraction`,
  exitCode: 224,
  signal: undefined,
  signalDescription: undefined,
  stdout: 'Broadcasting: Intent { act=com.wireguard.android.action.SET_TUNNEL_UP flg=0x400000 cmp=com.wireguard.android/.model.TunnelManager$IntentReceiver (has extras) }\n' +
    'cmd: Failure calling service activity: Broken pipe (32)',
  stderr: '',
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false
}

The phone (physical device, Android 13, Lineage OS) actually crashes and reboots, so I'm assuming that the broadcast isn't actually what causes the problem but rather only the first call that fails afterwards because the phone hasn't finished rebooting yet. I'm pretty sure that it always fails at this point, though.

Restarting the analysis after the phone has finished rebooting doesn't work. It hangs forever and never gets into the for (const app of apps) loop.

The problem is in ensureFrida(). adb shell /data/local/tmp/frida-server --version works and returns the correct version. However, frida-ps -U just hangs indefinitely. Running ps on the phone, I can see that there is a frida process running still:

ocean:/ # ps -A | grep frida                                                                                                                    
root          5052     1 10891416 53248 0                   0 R frida-server

If I kill -9 that, everything works again.

[baltpeter]

So, there's two things to tackle in this issue:

• I'm not sure whether we'll be able to fix or even properly investigate the actual crash. The fact that it occurs so infrequently makes this very annoying and in all likelihood, it's not in our code.
• However, I think it wouldn't be asking too much for ensureFrida() to recover from suck a stuck frida process automatically.

[zner0L]

I agree. I also think that running frida-ps -U on the hist is not enough to determine frida is running correctly. Rather we should also check on the device if there is a frida process running. I also ran into this bug with a stuck frida process on Android during manual testing.