Android 14 beta has been released!

Access internal web services from Android devices running in the cloud using adb reverse

It can be pretty common for your project to have some security and confidentiality problematics?. In some cases, your application may need to access an internal web service:

  • It is a private business application accessing confidential internal information.
  • It is an application accessing some web services currently under development and those services must remain private until finished.

 

Accessing those private backends while automating your tests in the cloud can be tricky. You could do it with a VPN, but it can be cumbersome. Adb reverse is another solution, easier to set up. Luckily for you, we managed to make it work with Genymotion Cloud ?. Let’s dig in and see how it works!

In this article, we study the case of an app running automated tests from Genymotion Cloud, but accessing web services running on a private network.

 

TL;DR

1. On your CI server, run a local proxy (such as Squid, running on port 3128).

2. Start a Genymotion Cloud device using the gmsaas CLI:
uuid=$(gmsaas instances start 143eb44a-1d3a-4f27-bcac-3c40124e2836 pixel3)
gmsaas instances adbconnect $uuid

This gives you access to the device through ADB.

3. Configure the proxy settings in the device using ADB: adb shell settings put global http_proxy localhost:3333

4. Bind your local proxy to the device proxy configuration using command: adb reverse tcp:3333 tcp:3128

5. Make sure your app handles Proxy System Settings.

6. Run your tests as usual.

You can also go further by using different URLs depending on the build type… Everything is explained below ?


Let’s start with a diagram of the situation:

ADB tunnel Genymotion Cloud

You can see a Genymotion Cloud device located on our datacenter launched by a continuous integration server running on your internal network. This is done through gmsaas,  the Genymotion command line tool. An ADB tunnel is created between the server and the virtual device, allowing to use `adb` on the device, as if it was running locally. On the other hand, your internal web service is not exposed and therefore cannot be accessed from the virtual device.

How to overcome this, without exposing your internal web service to the Internet? ADB reverse to the rescue! ?

 

Accessing the infrastructure

Run a local proxy on your CI server

This piece of software is aimed to expose your internal web service located in your infrastructure to a local network connection occurring on your CI server. ADB is running on your CI server, and it is the only one that will connect to the proxy. You must run a single proxy server for all the devices needing access to your internal web service.

There are plenty of ways to start a proxy on your server. Here is for example how to launch a Squid proxy using docker :

First, make sure folder /opt/squid/cache is created.

Also, you must set up a configuration file /opt/squid/squid.conf. You can use this simple configuration:

# Squid proxy port declaration
http_port 3128
# Allow local connections, including Docker’s host
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
http_access allow localnet
http_access allow localhost
http_access deny all

Then run the following docker command:

docker run --name squid \
 --publish 127.0.0.1:3128:3128 \
 --volume /opt/squid/squid.conf:/etc/squid3/squid.conf \
 --volume /opt/squid/cache:/var/spool/squid3 \
 --volume /opt/squid/cache:/var/log/squid3 \
 sameersbn/squid:3.3.8-12

 

Start the virtual device

Before each test run, the CI server starts one or several cloud devices using gmsaas. Start a device using:
uuid=$(gmsaas instances start 143eb44a-1d3a-4f27-bcac-3c40124e2836 pixel3)
This command starts a new Pie virtual device on Genymotion Cloud. Once this command is finished, connect to the device with adb : gmsaas instances adbconnect $uuid, you can interact with it using `adb` commands, through the ADB tunnel.

Configure the device to use a proxy

Today, Genymotion Cloud virtual devices are disposable. It means they are deleted when you stop them and all their configuration and files are lost. You must configure them each time you start them.

You can set the proxy configuration from the command line :

adb shell settings put global http_proxy localhost:3333

Note: If you need a more precise configuration (configuring the proxy exclusion list for example), we recommend configuring a Genymotion Cloud virtual device through the Wifi Settings application and to share it on Genymotion Cloud with all your team as explained in the documentation.

Bind the device’s configuration to your CI server’s proxy

Now on one side, we have a Squid proxy running on the CI server bound to local port 3128 and on the other side, we have a device looking for a proxy server on its own local port 3333.

ADB allows us to bind those two remote ports thanks to the `adb reverse` command.

Run command: adb reverse tcp:3333 tcp:3128

This command redirects all the network traffic inside the device going to localhost:3333 to your computer localhost:3128.

Once everything is set up, here is how your infrastructure behaves:

ADB Tunnel Genymotion Cloud

All the network traffic of the cloud device goes through the ADBtunnel, arrives to the ADB server running on your CI computer and is redirected to the Squid proxy, exposing your internal web service to the remote virtual device. Your internal web service is then accessible from your app, as soon as you make sure it observes the proxy system settings.

Note: The `adb reverse` command is supported on Android since Android 5.0 only, so make sure you select the right version.

 

Use the proxy system settings in your app

You must be careful that your HTTP client observes the proxy settings that have been set up.

If you are using OKHttp library, this is handled directly by the client, there is nothing to do from your part. If not using OKHttp library, you must set the proxy from your app source code, depending on your HTTP client.

 

Conclusion

You did it! A simple setup where you decide to allow cloud devices to securely access an internal web service. Now you can launch your tests through Gradle or any other testing framework.?

As you can see, with Genymotion Cloud, you don’t need to set up a VPN, there is no port to open, and you have access to a seamless and very fast ADB experience.?

Eyal Lezmy.

Genymotion Device Image for Cloud providers
- Private Offer -

Genymotion Desktop for Business
- Get a Quote -

Genymotion SaaS
- Increase Maximum Simultaneous devices -

Personal Use - Free

Genymotion Desktop for personal use is not suitable for trial or POC: you will not get any assistance and some features will be disabled. If you have already selected “personal use” and wish to get a trial license, please contact our Sales at [email protected].

Technical support is not available with Genymotion Desktop free edition for personal use. For more details, please refer to Genymotion conditions of use (Personal Use).

The following features are not available in personal use mode:

Follow these steps to get Genymotion Desktop and activate personal use mode:

  1. Go to the Download page and get the latest version for your system.
  2. Follow the instructions from Genymotion Desktop quickstart guide to install Genymotion Desktop.
  3. Launch Genymotion and click CREATE to create an account. You should receive an activation email within an hour. If not, make sure to check your spam.
  4. After activating your account, return to Genymotion and log in with your credentials.
  5. Select personal use when prompted.
  6. Read Genymotion Desktop quickstart guide carefully to setup Genymotion for your needs.