USB debugging

Chances are if you're a serious Android developer you keep your Android SDK updated on a regular basis. But there are many of us who need it just for basic command-line work and don't bother with regular updates. Nothing really wrong with that. 

But Android 4.2.2 brings about a new security feature in regards to USB debugging. Whereas before all you had to do was plug in your phone and go (and maybe deal with drivers if you're a Windows user), now there's a gatekeeper on the phone side that you have to acknowledge before any connection can be made. That's what you see above. You have to accept the RSA key on your phone or tablet before anything can flow between the device via the ADB (the Android Debug Bridge). That's an added layer of security, and it's a good thing.

The idea is that keeps someone from just plugging in your phone, turning on USB debugging and having their way with it -- provided they're able to unlock the device in the first place. So you still should use some actual lock screen security, either a pin code or gesture or whatever. That onus is still on you.

Back to us tinkerers, and using the command line with a device running Android 4.2.2: You need to have adb version 1.0.31 installed on your computer. That's part of SDK Platform-tools r16.0.1. And if you haven't updated your SDK in a while because you really had no reason to do so, you're going to run into a brick wall. Specifically, the device will show that it's attached, but it'll be listed as offline.

adb

The fix is easy: Update your SDK, accept the RSA key on your phone, and all will be right in the world.

Forget how to update your SDK? Fire up to /platform-tools/android.

More at the Android Developers site (scroll up from this link)

 

Reader comments

Semi-pro tip: With Android 4.2.2 here, your Android SDK might need updating

24 Comments

Hey, believe it or not...Macs are really nice computers. Especially to us (meaning me) people in the audio and post production world. Sorry that it hurts you so much that AC editors use 'em too. Perhaps you can find another Android blog whose editors only use Ubuntu rigs? I mean, if it will make your hurt feel better and all.

I'm sorry, but you were lied to.

Also, it doesn't bother me. I don't have to use it, thankfully. I just pity anyone who has been disillusioned enough to buy/use one.

At least get some ppc ubuntu dual booted, Phil!

I didn't buy one, but my work got me a Macbook Pro 15-inch with flash HDD and a retina display two weeks ago. After using it for learning iOS development and getting used to Mac OS, I prefer it over any computer I have ever used. It is lightning fast, has a beautiful display, and I love the gestures I can use on the trackpad - twist two fingers around in a circle to rotate images, pinch to zoom, two fingers to the left and right to go back/forth or scroll, two fingers up/down to scroll vertically, three fingers to the left or right to swap between full-screen apps, three fingers up to see the launchpad or whatever they call it, etc.. I LOVE it! I was just like you before I tried one - seriously.

My wife has an iPhone and an iPad her work gave her - they suck compared to Android tablets/phones. But dang, Apple knows how to make a laptop.

You sir obviously don't know anything about computers calling a Solid State Drive a "Flash HDD". Oh and about your gestures... yeah windows has that too. I have a macbook, used it several times, but is nothing compared to my Samsung Series 9 laptop. Now thats a fast laptop, and super thin

Macs are content consumption devices for hipsters, they have limited software, most users end up booting to Windows to do real work, which further asks, why bother....

Not fair, man. Macs are serious devices, and there are many great Android developers out there using them for production. With the proper tools, a Mac is no less powerful than an Ubuntu machine.
I'd probably never buy one myself, but Macs are not just for hipsters and content consumption.

I would consider using a Mac if they weren't so overpriced. But that's where I draw the line. iOS is garbage that I never want to want to lay fingers on again.

If you can afford one, Macs are great computers for lots of people. If a 13-inch MacBook Air sold for $200 less and had a better experience on Windows 7 (I need Windows for what I do), I would have seriously considered getting one instead of the Lenovo Ultrabook I ended up buying. Unlike iOS, OS X isn't static and limited, and the hardware is spectacular. I only wish I had a trackpad as good as the ones Apple uses.

Bottom line: Phil is perfectly justified in using a MacBook Air, as he has explained before.

Mac's are just fine... They are really nice laptops, although a bit expensive, so that's a valid reason to not buy one. No Apple fanboy at all, but I love my Macbook and using it to develop Android apps (and other stuff, although not for iOS ironically) myself.

(Bashing on a brand is as bad as being a fanboy of one, imho)

lol, who cares what desktop OS he chooses? He's not the head editor of Ubuntucentral.com

It wouldn't be my choice, but each to their own!

I updated on Tuesday as after 4.2.2, I was getting the offline message, and figured it was time to upgrade my SDK.

Unless this would tie the ABD bridge on the device to one computer (one RSA key), this is one of the rare times that Phil just doesn't understand what he is reporting on. If I got past your lock screen, I can accept another RSA key, just as easily as I would have to go into settings to turn on USB debugging in the first place on most devices that I could theoretically steal and want to get data off of. (The majority of users don't turn USB debugging on)

So the "hacker" needs to update his SDK and tap on the screen of the device one more time to allow the connection, wow, that's going to stop him!

All this would stop is malware on the computer from accessing the device over ADB and pulling off data to send to the cloud, and that is only if you have already turned on USB debugging in the first place, and then connect to a computer that you didn't already check off to allow to always allow connections from.

On my dev device, and dev machine, I'm not going to leave the option to always allow from this computer off, and have to hit OK 10 times a day!

So what am I missing? Does this tie the device to one RSA key and therefor one computer to access it over ADB? And therefor does that mean it doesn't add any additional protection unless the user ties the bridge to his personal computer when he first gets the device?

I think you are correct and what Phil stated is not quite right. Jerry probably should have handled this one. If someone gets past your lockscreen or if you have no lockscreen they still should be able to approved the adb connection for any computer they want. I think the goal of this is to stop someone from stealing your locked phone and connecting it to adb on a computer you have not authorized. I think previous to 4.2.2 a phone with USB debugging turned on is accessible via adb even from the lockscreen. So basically, if you always have USB debugging turned on and you have a lockscreen code, 4.2.2 is more secure.

Phil mentions 

The idea is that keeps someone from just plugging in your phone, turning on USB debugging and having their way with it -- provided they're able to unlock the device in the first place. So you still should use some actual lock screen security, either a pin code or gesture or whatever. That onus is still on you.

Emphasis mine. 

If you lock your phone, now you can keep USB debugging on and someone else can't use adb to steal your data. He got it right :)

Thanks Jerry. Phil did have it right. I guess I was having trouble with my basic reading skills this morning. Sorry Phil.

Seems almost just as easy as turning on USB debugging to me, except now you have to actually click to allow it. I suppose this extra step is what makes it more secure as long as you're using a lock screen which I am not so it will be an annoyance to me.

Having USB debugging disabled would be just as secure though wouldn't it?

So you would have crack flashers and developers be constantly toggling USB debugging? That sounds incredibly annoying.

Btw, I would encourage you to consider using a screen lock. Even Face Unlock is more secure than None/Slide, and entering a pattern/PIN isn't that slow.

Thanks, Phil. . . I ran into this about 90 minutes before you posted your article. All is right in the world now :)

Life is crazy when you're livin' on the bleeding edge :)

For anyone going mad about this same issue but with Flash Builder 4.6+ the same fix applies. Flash Builder won't talk to 4.2.2 devices. Grab a copy of the relevant files eg. all the ADB files and the android.jar form the SDK newest Android SDK and replace this in the Air SDK folder in Flash Builder now you can debug again, and public release builds straight to 4.2.2 devices. No more device offline error. Adobe needs to address this as well as pricing :)