Setting up an Android Pentesting Environment

Sanatsu
Published in Mobis3c
5 min read · Feb 4, 2021

Android pentesting needs a dedicated environment that gives you a rooted Android device, an intercepting proxy and a few reversing tools. This post shows how to set one up easily using only free tools.

Android Virtual Device

We will use AVD, the virtual device manager that ships with Android Studio (the device itself runs in the Android Emulator). Download Android Studio and perform the default installation; on the welcome screen, select More Actions and click AVD Manager.

In AVD Manager, pick a device definition and the Android 10 (API 29) system image. Choose an image without the Play Store (a Google APIs or AOSP image): production Play images are user builds on which adb root fails, so they cannot be rooted with the steps below. Name the AVD Android_10 (the launch command below uses that name), create the device, then close Android Studio and the emulator.

In a terminal, launch the device with:

~/Android/Sdk/emulator/emulator @Android_10 -writable-system -selinux permissive -qemu -enable-kvm

Here @Android_10 is the AVD name you chose, -writable-system makes /system modifiable (needed later to install the Burp CA as a system certificate), -selinux permissive stops SELinux from blocking the su daemon, and -qemu -enable-kvm turns on KVM hardware acceleration on Linux.

In a new tab, once the emulator has booted, run the commands below to root the device.

#restart adbd as root; this fails on production (Play Store) images
adb root
git clone https://github.com/0xFireball/root_avd
cd root_avd
#overlay a writable tmpfs on /system/xbin (lost on reboot)
adb shell "mount -t tmpfs -o size=15M tmpfs /system/xbin"
#confirm the tmpfs is mounted
adb shell "cat /proc/mounts | grep /system/xbin"
cd SuperSU/x86
#push the SuperSU binaries built for the x86 image
adb push chattr chattr.pie libsupol.so su supolicy /system/xbin/
cd ../..
#install the SuperSU management app
adb install SuperSU/common/Superuser.apk
#start the su daemon as root in the background
adb shell "nohup /system/xbin/su 0 su --daemon &"
#confirm daemonsu is running
adb shell "ps -ef | grep daemonsu"

SuperSU is now installed on the device to manage root access. Because the tmpfs overlay lives in memory, the mount, push and daemon steps have to be repeated after every restart of the emulator (the Superuser app itself stays installed). If you would like to know why each of the above commands is needed, check this detailed blog.
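The sequence above fails silently at several points (adb root on a Play image, a mount that did not happen, a daemon that never started). The script below, added here and not part of the original post, wraps the same steps with checks at each stage. It assumes the root_avd checkout is the current directory, a booted AVD on a non-Play image, and adb on PATH; the mount and ps lines used for the checks are parsed from the device's own output.

```shell
#!/bin/sh
# Added example (not from the original post): root an AVD with SuperSU and abort
# as soon as a step fails. Assumes: cwd is the root_avd checkout, the emulator is
# booted on a non-Play (Google APIs/AOSP) image, adb is on PATH.
set -e

# Parse /proc/mounts text from stdin: succeed only if /system/xbin is a tmpfs.
# Mount line format: <src> <mountpoint> <fstype> <opts> <dump> <pass>
xbin_is_tmpfs() {
    awk '$2 == "/system/xbin" && $3 == "tmpfs" { found = 1 } END { exit !found }'
}

# Parse ps -ef text from stdin: succeed only if a daemonsu process is listed.
# The [d] pattern stops a grep running on the device itself (as in the original
# one-liner) from matching its own command line; here grep runs on the host.
daemonsu_running() {
    grep -q '[d]aemonsu'
}

# adb root prints "adbd cannot run as root in production builds" on Play images;
# checking the effective uid is more robust than matching that message.
adb_is_root() {
    [ "$(adb shell id -u | tr -d '\r')" = "0" ]
}

root_avd() {
    adb root
    adb wait-for-device
    adb_is_root || { echo "adb root failed: use a non-Play (Google APIs/AOSP) image" >&2; return 1; }

    adb shell "mount -t tmpfs -o size=15M tmpfs /system/xbin"
    adb shell cat /proc/mounts | xbin_is_tmpfs || { echo "tmpfs not mounted on /system/xbin" >&2; return 1; }

    adb push SuperSU/x86/chattr SuperSU/x86/chattr.pie SuperSU/x86/libsupol.so \
             SuperSU/x86/su SuperSU/x86/supolicy /system/xbin/
    adb install -r SuperSU/common/Superuser.apk
    adb shell "nohup /system/xbin/su 0 su --daemon &"
    sleep 2
    adb shell ps -ef | daemonsu_running || { echo "daemonsu did not start" >&2; return 1; }
    echo "rooted: daemonsu is running"
}

# Run the procedure only when invoked as "./root_check.sh run", so the file can
# also be sourced for its helper functions.
if [ "$1" = "run" ]; then
    root_avd
fi
```

Re-run it with the run argument after every emulator restart, since the tmpfs overlay and the pushed su binaries do not survive a reboot.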

Genymotion

When you are starting out, emulators are a great way to get experience with a variety of devices and API levels at no cost, and Genymotion provides exactly that for free for personal use, with a good user experience and easy configuration.

Note: Genymotion uses VirtualBox as its virtualization core, so install VirtualBox on your system before proceeding: link

Genymotion requires registration to use its dashboard, so first create an account: link

After completing registration, download the installer from here and install it on your host computer.

#make it executable
chmod +x genymotion-3.2.X-linux_x64.bin
#specify installation path
./genymotion-3.2.X-linux_x64.bin -d <Genymotion_install_path>
cd <Genymotion_install_path>
#run from the installed path
./genymotion

Once Genymotion is installed, you can sign in using your credentials specified in the registration process.

You can add a new device by clicking the plus icon in the top right corner and selecting the template you want; keep the network mode set to Bridged.

If an app ships only ARM native code, Genymotion cannot run it, because its images are x86: the install fails with INSTALL_FAILED_NO_MATCHING_ABIS. You can work around this by installing the ARM translation library into the emulated device: link

Note: at the time of writing this library only supports up to Android 8.0, so download the right package for your emulated device's version and architecture.

Once the device has started, open the Wi-Fi option in the Genymotion toolbar and enable Wi-Fi so the device has network connectivity.

Select Open GApps in the toolbar to install the Google apps. If that fails with an archive error, download the GApps package manually from the Open GApps site to your PC.

Before downloading, check the architecture of the device. In a terminal run:

sudo apt update
sudo apt install adb
#print the ABIs the device supports; the first entry is the primary one
adb shell getprop ro.product.cpu.abilist
#or search the full property list; the value is shown in []
adb shell getprop | grep abi

Download the exact gapps for the architecture from their site and extract the files in your system and then drag and drop the files to the device.

Burp Suite

Open Burp Suite and navigate to Proxy -> Options. In the Proxy Listeners section click Add; in the Binding tab enter a port (for example 8080), set Bind to address to "All interfaces" and click OK. Binding to all interfaces is what lets the emulated device reach the listener, so only do this on a trusted network.

On the same Proxy -> Options page click Import / export CA certificate, choose Certificate in DER format under Export, and save it as cacert.der. Then check the device and your host address:

#check that the device is connected
adb devices -l
#find the host IP address the device will use as its proxy
ip a

In Android device, Go to Settings → Network & Internet → WiFi and then Click on gear icon next to AndroidWifi. Now, Click on Edit button → Advanced Options → Proxy → Manual.

Enter your host IP address as Proxy hostname and the listener port as Proxy port, then save. On an AVD the host machine is also reachable as 10.0.2.2, which keeps working when your LAN address changes; a Genymotion device in bridged mode uses your host's LAN address.

The traditional way of installing the Burp CA, as a user certificate through Settings, does not work for most apps on recent Android versions: since Android 7.0 (API 24), apps targeting API 24 or higher trust only the system certificate store by default and ignore user-added CAs unless their network security config opts in.

So we need to install the Burp CA as a system-level certificate, which is why the emulator was started with -writable-system. The steps are:

  1. convert the exported CA from DER to PEM and name the file after its old-style OpenSSL subject hash, i.e. <hash>.0
  2. push the file to /system/etc/security/cacerts/ after adb root and adb remount
  3. set its permissions to 644 and reboot the device
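Here is the full procedure as a script, added here and not part of the original post. It assumes cacert.der exported from Burp in the current directory, openssl and adb on PATH, and an emulator started with -writable-system on which adb root and adb remount succeed.

```shell
#!/bin/sh
# Added example (not from the original post): install Burp's CA as a system CA
# on a rooted AVD. Assumes: cacert.der exported from Burp, openssl and adb on
# PATH, emulator launched with -writable-system so that adb remount works.
set -e

# Android names system CA files <subject_hash_old>.0, the OpenSSL 0.9.8-style
# hash of the certificate subject. Takes a DER file, prints the file name.
system_cert_name() {
    der="$1"
    pem="$(mktemp)"
    openssl x509 -inform DER -in "$der" -out "$pem"
    hash="$(openssl x509 -inform PEM -subject_hash_old -noout -in "$pem")"
    rm -f "$pem"
    printf '%s.0\n' "$hash"
}

# Convert, push into the system store with root:root 644, and reboot.
install_system_ca() {
    der="$1"
    name="$(system_cert_name "$der")"
    pem="$(mktemp)"
    openssl x509 -inform DER -in "$der" -out "$pem"
    adb root
    adb wait-for-device
    adb remount                     # needs -writable-system at emulator launch
    adb push "$pem" "/system/etc/security/cacerts/$name"
    adb shell "chmod 644 /system/etc/security/cacerts/$name"
    adb shell "chown root:root /system/etc/security/cacerts/$name"
    rm -f "$pem"
    echo "installed $name, rebooting"
    adb reboot
}

# After the reboot: the file must exist and be world-readable, and the CA shows
# up under Settings -> Security -> Trusted credentials -> System.
verify_system_ca() {
    adb shell "ls -l /system/etc/security/cacerts/$1"
}

# Usage: ./install_burp_ca.sh cacert.der
if [ -n "$1" ]; then
    install_system_ca "$1"
fi
```

Keep launching the emulator with -writable-system afterwards so the modified system image is used; once the device is back up, Burp will see HTTPS traffic from apps that do not pin their certificates.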

APKTool

A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc.

  1. Download Linux wrapper script (Right click, Save Link As apktool)
  2. Download apktool-2 (find newest here)
  3. Rename downloaded jar to apktool.jar
  4. Move both files (apktool.jar & apktool) to /usr/local/bin (root needed)
  5. Make sure both files are executable (chmod +x)
  6. Try running apktool via cli

APKSigner

sudo apt install -y apksigner
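The reason for installing both tools is the decode, modify, rebuild and re-sign loop: an APK rebuilt by apktool is unsigned and will not install until it is signed again. The script below is an added example, not from the original post, covering both the APKTool and APKSigner sections. It assumes apktool (installed as above), apksigner, keytool from a JDK and adb on PATH; zipalign is optional. The keystore name, alias and password are arbitrary choices for a test-only key.

```shell
#!/bin/sh
# Added example (not from the original post): decode an APK with apktool,
# rebuild it after editing, sign it with a throwaway key and install it.
# Assumes apktool, apksigner, keytool and adb on PATH; zipalign optional.
set -e

KEYSTORE=pentest.jks   # arbitrary names for a test-only signing key
ALIAS=pentest
PASS=pentest123

# Output name for the re-signed APK: app.apk -> app-signed.apk
signed_name() {
    printf '%s-signed.apk\n' "${1%.apk}"
}

# Decode resources and smali into <name>_src (overwriting an old decode).
decode_apk() {
    apktool d -f "$1" -o "${1%.apk}_src"
}

# Rebuild the (edited) project directory into an unsigned APK.
rebuild_apk() {
    apktool b "${1%.apk}_src" -o "${1%.apk}-unsigned.apk"
}

# Create the signing key once; apksigner cannot sign without one.
ensure_key() {
    [ -f "$KEYSTORE" ] && return 0
    keytool -genkeypair -keystore "$KEYSTORE" -alias "$ALIAS" \
        -keyalg RSA -keysize 2048 -validity 3650 \
        -storepass "$PASS" -keypass "$PASS" -dname "CN=pentest"
}

# Sign and verify. zipalign must run before apksigner, never after, because
# realigning would invalidate the v2 signature.
sign_apk() {
    in="${1%.apk}-unsigned.apk"
    out="$(signed_name "$1")"
    if command -v zipalign >/dev/null 2>&1; then
        zipalign -f -p 4 "$in" "$in.aligned" && mv "$in.aligned" "$in"
    fi
    apksigner sign --ks "$KEYSTORE" --ks-key-alias "$ALIAS" \
        --ks-pass "pass:$PASS" --key-pass "pass:$PASS" --out "$out" "$in"
    apksigner verify --verbose "$out"
    echo "$out"
}

# Full loop: decode, pause for edits, rebuild, sign, install.
modify_and_install() {
    decode_apk "$1"
    echo "edit ${1%.apk}_src now, then press Enter"; read -r _
    rebuild_apk "$1"
    ensure_key
    adb install "$(sign_apk "$1")"
}

# Usage: ./resign.sh target.apk
if [ -n "$1" ]; then
    modify_and_install "$1"
fi
```

Because the rebuilt APK is signed with your own key rather than the developer's, Android refuses to install it over the original (INSTALL_FAILED_UPDATE_INCOMPATIBLE); uninstall the original package first.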

Jadx

Command line and GUI tools for producing Java source code from Android Dex and Apk files

git clone https://github.com/skylot/jadx.git
cd jadx
#build the distribution; binaries end up in build/jadx/bin/
./gradlew dist
#assumes the clone lives in your home directory
alias jadx-gui="~/jadx/build/jadx/bin/jadx-gui"

PID Cat

Process ID (PID) Cat is a logcat script which only shows log entries for processes from a specific application package.

Installing PID Cat:

#Download pidcat & make it executable
sudo wget -O /usr/local/bin/pidcat https://raw.githubusercontent.com/JakeWharton/pidcat/master/pidcat.py && sudo chmod +x /usr/local/bin/pidcat
#usage: pidcat <package.name> shows only that app's log entries

Check out Insecure Data Storage: Hardcoded secrets
