Tag Archives: Ubuntu

Android, Chromebook, Linux

Howto: Android Development on Chromebook

18 Comments

Background

One the primary reasons I got the Chromebook was to support a broad range of development options on a Linux platform. The risk is that since it is a Chromebook, it is most definitely not a general purpose Linux environment – and some things may not be practical. Even inside a chroot jail, there are weirdnesses since it inherits the kernel and devices from the platform OS – ChromeOS.

In any case the following is a process I developed to implement an Android application development environment. There are many equally valid solutions, and perhaps better solutions, but this is a working / tested example of how to get from point A to point B.

Approach

Since the base platform I am using is a Chromebook 14 – with a x86 Haswell (64bit), Intel binaries will work fine – making life a quite a bit simpler. Unfortunately, it is not possible to install anything like Eclipse or Debian packages directly to the ChromeOS since the developers have (purposefully) not included most of the traditional shared libraries used in Linux. This minimalist approach to the ChromeOS means that it has a minimal attack surface for malware, but minimal opportunity for us to hack the OS.  As a point of trivia, ChromeOS appears to be based on a Gentoo build model – but it has been scrubbed clean of anything extraneous to the ChromeOS function.

However, since we are lucky enough to have a relatively polished / low pain solution to installing a chroot jail version of Ubuntu – Crouton, our system level approach will be:

  1. Switch the Chromebook to developer mode
  2. Install a Crouton based chroot jail version of Ubuntu on the SD-Card
  3. Install Oracle Java in the chroot jail (along with all of the rest of the pieces)
  4. Install BitTorrent sync to create a shared workspace for Android Studio
  5. Install adb and fastboot and verify operation with an Android device.
  6. Install Android Studio / test with Android device.

Note: All of the instructions below are based on name of my user (joeuser), the name of my SD-Card (chrome-32), and particular versions of the install packages. You will need to modify for your respective names / versions.

Step 1 – Developer Mode

Developer mode is a way to unlock your Chromebook a bit. Of course it is much less secure than the default ChromeOS mode, and setting developer mode means everything on the platform is erased – except the SD-Card . Additionally, switching it back to default mode will also clear everything (again). So any files you want to be persistent should be stored up in the Google drive or on the SD card. After you have mentally prepared yourself for that, take a shot at developer mode – it really is much more interesting than lockdown mode. The details are on my Chromebook Cookbook page. While you are there, spend some time and figure out how to switch between virtual terminals and set the password for ‘chronos’.

Step 2 – Ubuntu on Crouton Chroot

The default Crouton install installs the Crouton tools in /usr/local/bin and the chroot jail in /usr/local/chroots. With a 16GB internal hard drive, it is not practical to risk using most/all of the available local space for a chroot jail – so we should plan to store it off to the SD-Card. There are two basic approaches we can use to accomplish this. The first is to use command line arguments with the Crouton tools to point it at /media/removable/chrome-32 (which happens to be the name of my card). Another option is to symbolically map these directories to corresponding directories on the SD-Card. The first approach means that every time the crouton scripts are used, the command line arguments are needed, and the second approach means it is done one time up front (I recommend the second approach as the less stupid approach).

Open a chrosh (chrome shell – ctl-alt-t), and enter (with corrections for your sd-card name):

shell
cd /media/removable/chrome-32
sudo mkdir bin chroots
cd /usr/opt
sudo ln -s /media/removable/chrome-32/bin/ bin
sudo ln -s /media/removable/chrome-32/chroots/ chroots
ls -al

The last instruction should show the local directories with the symbolic mapping to the sd-card locations. This ensures that both the crouton tools and the chroot jail is installed to the SD-Card enabling a much easier restore if you somehow clear your system (it happens to me at least once a week).

FYI – If that happens, the Crouton install can be restored by recreating the symbolic links above. That’s it.

From here install a crouton chroot jail ubuntu with the following:

sudo sh -e ~/Downloads/crouton -r raring -t unity
sudo startunity

Note that in most cases I recommend Precise due to its stability, but in this case I went with Raring since it has support for ADB and Fastboot in the Ubuntu repository (and Precise does not). From inside the Ubuntu install, open a terminal and enter:

sudo apt-get install ubuntu-standard
sudo apt-get install ubuntu-desktop
sudo apt-get install ia32-libs
sudo apt-get install synaptic

Shutdown the Ubuntu chroot jail. You now have a fairly complete and clean Ubuntu Raring install, and this would be a good point to make a backup. Instructions are on the Crouton Cookbook page. Once again – when the backup is done, move it to Google Drive or the SD-Card for safekeeping.

Step 3 – Install Oracle Java

From the ChromeOS interface (VT1), you can download the  Java 7 JDK for 64 bit Linux – grab the tar.gz package from Oracle (not the RPM). It will download into the Downloads directory, which incidentally is mapped to the Downloads directory inside the Crouton chroot jail.

After the download is complete, switch over the Ubuntu interface on VT3, open a file manager and copy the Java 7 tar.gz package from Downloads to the home directory. Right click and extract. It should create a directory name something like ‘jdk1.7.0_45’ in the home directory. Open an editor and open ‘.bashrc’ and append the following:

PATH=${PATH}:/home/joeuser/jdk1.7.0_45/bin
JAVA_HOME=/home/joeuser/jdk1.7.0_45

This will make it easier for *some* apps to find the JDK. The JDK tar.gz file in the homedir can safely be deleted after this is done.

Step 4 – BitTorrent Sync

On the ChromeOS interface (VT1) download the Linux/64bit install package for BitTorrent Sync from http://www.bittorrent.com/sync/downloads. Open a terminal with <ctrl-alt-T> and enter:

cd /media/removable/chrome-32
sudu mkdir btsync
sudo chmod 777 btsync
cd btsync
mkdir android-studio

This creates a target sync directory that is readable / writable / executable to everybody for syncing. We will use it later.

When the download is complete, copy the tgz file to the user home directory(from the Ubuntu interface) . Extract the files in the home directory. This will create a directory that looks like ‘~/btsync_glibc23_x65’. On the Unity Desktop, click on the gear in the upper right corner and select ‘Startup Applications’. Under Command, browse to the btsync directory and select the ‘btsync’ app. The will configure the app to startup when the chroot is started – similar enough to a service for our purposes. After this is done, the tgz file in the homedir can also be deleted.

Start the app by double clicking from the file manager or reboot the chroot jail to force the app startup (and validate that it is configured correctly). On either the ChromeOS or Ubuntu interface, open a browser with URL ‘localhost:8888/gui’ to confirm that Bit Torrent sync is running. Configure according to directions – using the ‘bysync’ directory (on the SD-Card) we created above as the target. You will also want to create another endpoint to this share on a desktop, server, or other laptop to ensure your data is offloaded from your Chromebook.

Step 5 – ADB and Fastboot

ADB and Fastboot are really a make or break part of effectively using the Chromebook for Android development. Note that in Precise, the adb and fastboot packages need to be retrieved manually from the Debian repository. For details refer to the Ubuntu Cookbook page. In Raring, we can use the easier method shown below.

From the chroot Ubuntu interface on VT3, and open a terminal. Enter the following:

sudo apt-get install android-tools-adb
sudo apt-get install android-tools-fastboot
adb version
fastboot help

The last two lines confirm that both adb and fastboot are operational. The true test is to now plug in an Android test device and enter (this may take a couple of tries):

adb devices

If everything if functional the adb server should start and the attached device will be identified. Note that if the Android device is reasonably current, it will require onscreen approval before it connects to adb.

Step 6 – Android Studio

The last piece in this puzzle is Android Studio. From the ChromeOS interface, download the Linux/64bit install package from http://developer.android.com/sdk/installing/studio.html.

From the chroot jail (VT3) open a file manager and copy the Android Studio tgz file to the user home directory. Right click on the file and extract the files in the home directory. This will create a directory that looks like ‘~/android-studio’ with an ‘bin’ subdirectory. Once again, after this is complete the tgz file in the homedir can be deleted.

In order to make the launch script easier to find, we will put it on the PATH system variable. In the user home directory, edit ‘.bashrc’ and append the following:

PATH=${PATH}:/home/joeuser/android-studio/bin

In some cases, I discovered that the launch script did not seem to be picking up on the .bashrc updates, so it was necessary to define the JDK_HOME more explicitly. Use your favorite editor to open ‘~/andoid-studio/bin/studio.sh’. Right below the ‘#!/bin/sh’ line add the following:

JAVA_HOME=/home/joeuser/jdk1.7.0_45″

Open a terminal and enter ‘studio.sh’ to confirm that Android Studio was found and executed. If / when prompted, select the directory for the Oracle Java JDK. Android Studio should launch.

As a test we are going to create a new project (mostly with the defaults), except for project location. For the location, navigate to ‘media/removable/chrome-32/btsync/android-studio’. This will put the project files in the sync directory, which will then synchronize the project to your others systems on share. This is all part of that concept that everything should be stored in some “cloud” or at least off device.

At the project screen, create a new project and when it comes up on the screen, click the green arrow button at the top of the screen. The connected Android device should show up as an option, select it and go. Alternatively, you can create an emulator and use it. The app should install, run and show ‘Hello World’ on the interface.

Version Note: As part of my testing, I noticed that my initial version of Android Studio had functioning menu drop downs, but after I updated to the current version (0.32) the menus would no longer drop down. I confirmed this with both Precise and Raring on Unity. It may be worth testing Gnome as some point, or it may be fixed in some upcoming update to Android Studio. Overall – it did not prevent me from doing most activities since the control bar was fully functional.

Lastly – go to another node on your BitTorrent Sync share and confirm that the project was created and migrated to that system.

Wrapup / Notes

Overall the Android Studio IDE is fairly functional and well structured. I was able to test on both an external device and the emulator without any issues.  From a practical perspective, I am actually surprised at how easily this came together on a Chromebook. As far as the menu issues, this appears to be an Android Studio / Unity issue which could be resolved by using Eclipse/Android ADT tools or switching to a different window manager.

In Summary – This Chromebook Android Environment provides me with a very slick and portable Android Development environment without a lot of compromises.

Pentesting

Installing / Using W3af

Leave a comment

Background

W3af is a vulnerability scanner for web applications. Arbitrarily scanning random webpages / sites without permission from the site owners could get you a visit from law enforcement of the cyber type (FBI in the US). I recently had the opportunity to scan some customer sites with this tool.

Increasing complexity is the nature of life on the Internet, and increasing complexity leads to increased flaws and security vulnerabilities. In order to “harden” their systems Internet companies often have their systems penetration tested (ie pentested). Pentesting is a multistep process that loosely follows these steps:

  1. Networking mapping: from the entry point, map (to the greatest degree possible) map out everything beyond the entry point that may be accessible to the outside attacker.
  2. Discovery / Auditing : Based on this mapping, push and probe each system for known vulnerabilities and weaknesses.
  3. Exploitation: Based on the identified weaknesses / vulnerabilities, structure an attack to exploit to validate / confirm the exposure.

W3af is a tool that automates steps 1 and 2 of this process, enabling a much more thorough scan in a short period of time. Of course like any automation, the results from the tool need to be reviewed and analyzed, since many of the results will be false positives (not real vulnerabilities).

Installation

My first attempt to install W3AF was from the Ubuntu software center, and did not have much luck with it. The current version in the repository for 12.04LTS would crash on scan every time for me. Based on reports from around the web, this is very common and can vary – but was fixable with some effort. Not wanting to create some configuration Frankenstein, I decided a better and faster way to resolution may be to go to the source. So at the W3AF homepage, the following directions were provided.

    git clone https://github.com/andresriancho/w3af.git
    cd w3af
    ./w3af_gui

Which was fairly painless worked well. however it was not complete. There were a number of dependencies identified with the first run of the gui, and a pointer to a script to install them. After setting the execute flag on the script, this worked really well, and I was able to launch the w3af gui. I ran the app from a terminal window, and was able to monitor the scrolling messages and on my first scan, a message appeared indicating that there was a failed dependancy – Python-Webkit.

Usage Notes

After installation of this, i discovered that the app would generate a nice graphical map of the website beneath the URL being scanned. Nice. In any case, like many open source projects, it can be very functional – but it has more than a few non-obvious gotchas. Of note:

  • If you setup for a number of consecutive scans, the clear data function does not appear to be 100% effective. I noticed that after two or three, the scrolling log display would sometimes stop displaying. Or the scrolling time graph on the log page would simply not be drawn, leaving a large blank space in the lower right corner. For the most part, exiting the W3AF gui app and restarting after each run seem to clear out whatever cruft was laying around.
  • In my attempt to be productive, i was configuring multiple scan configs for different targets – while it was running a long scan on a current configuration. It basically trashed the current run and no useful results were produced. So once again, exiting and restarting the app resolved whatever state it thought it was in.
  • Check your reporting / output plugin. Essentially nothing is enabled. I created a ~/w3af/reports directory to contain the results, enabled the xml, csv and html reports to point to that directory. Note – even with verbose turned off, there is a lot of data.
  • Although the app can produce a nice pictoral graph of the network (look under results / URLs tab), it does not save or provide a method to save. Use ‘screenshot’ to capture / save a region.
  • After a run is complete, save your reports off to a directory that matches the scan config – consecutive runs will overwrite the files.
  • In order to filter results in the HTML report, open it and search for “Severity: low” , “Severity: medium” or “Severity: high” to count / find issues.

Summary – W3af is fairly solid as a webapp mapper / scanner, and installs easily per the directions on w3af homepage in less than 30 minutes. It is not well suited for targeting multiple targets concurrently.

Links W3AF homepage

Linux

Ubuntu Wubi (not dead yet – but close)

Leave a comment

Ubuntu Wubi is a Windows based installer that dual boots your Windows system with the least amount of effort. It really is (was?) my favorite way to keep a backup Ubuntu image handy. The idea was that the Wubi installer would run under windows, download and install a fairly generic configuration to your system with only about three configuration decisions. It took about 30 minutes in the background and after that a reboot, and automagically it was a boot option.

However recently issues have been creeping into the mix. These currently include:

  • Ubuntu does not support Wubi past 12.04 LTS
  • Wubi does not support Windows 8
  • Trying to upgrade past 12.04 inside the image may not work (it did not for me), requiring a scrub and re-build of my install

Remember – Wubi enabled me to install a dual boot Ubuntu image in the background in about 30 minutes – so I could be doing something useful the entire time. What alternative gives me that?

Much like Google Reader, it is really disappointing to see something really useful fade away.

Wubi Installer Link