Android PenTest Setup

Install Android Studio

  • Since I'm on an Apple M3, I downloaded the ARM (Apple Silicon) build of Android Studio from the Downloads page; the arm64 system image then runs natively under QEMU, which gives much faster emulator performance.

  • Select Pixel 8 API 35 (Android 15, arm64-v8a) device from Virtual Device Manager.

  • Select "Cold Boot" from Advanced Settings > Emulated Performance.

  • Add the SDK platform-tools and emulator directories to your PATH variable:

vi ~/.zshrc
export PATH="$PATH:/Users/sid/Library/Android/sdk/platform-tools:/Users/sid/Library/Android/sdk/emulator"
source ~/.zshrc

  • List the available virtual devices:

emulator -list-avds

Pixel_8_API_35
  • Start the device:

emulator -avd Pixel_8_API_35
  • Once the device has booted, open a shell on it over the Android Debug Bridge (ADB):

adb shell
  • Trying to switch to the root user with su fails on the stock image:

su

Rooting the Device

Installing RootAVD

We'll root the device using Magisk (Magic Mask) together with rootAVD.

Magisk provides the environment that lets us run as root on Android.

rootAVD patches a running AVD with Magisk to root it.

git clone https://gitlab.com/newbit/rootAVD.git

./rootAVD.sh

Running the script with no arguments prints the commands it supports. Running the first example command (below) against the ramdisk of our AVD's system image should give us root access; the script shuts the emulator down once the device is rooted.

./rootAVD.sh system-images/android-35/google_apis_playstore/arm64-v8a/ramdisk.img

Restart the device and check root access through an ADB shell. Magisk on the device will prompt you to grant superuser access; tap Grant.

emulator -avd Pixel_8_API_35

adb shell
su

Setting up Burp Proxy

1. Configure Burp Suite to Intercept Android Traffic:

  • By default the Burp proxy listener binds to localhost:8080, which the Android device cannot reach. To capture its traffic, modify the listener:

    • Navigate to Settings > Tools > Proxy > Proxy Listeners.

    • Click "Edit" and change "Bind to address" to "all interfaces".

  • This allows Burp to intercept requests from the Android device. The listener is now reachable from every interface on the host, so keep this to a trusted network or bind it to the one interface the device actually uses.

2. Download Burp's CA Certificate:

  • Run: curl -s -L http://localhost:8080/cert -o burp.der

  • Convert it to PEM format using OpenSSL:

openssl x509 -inform der -in burp.der -out burp.pem

3. Certificate Naming and Android 14 Changes:

  • Many guides suggest renaming the PEM to its subject-hash filename (9a5ba575.0 for Burp's CA) so that it can be dropped into the system CA directory.

  • Note: on Android 14 and newer, copying certificates into /system/etc/security/cacerts has no effect, because the system store is now loaded from a read-only location: /apex/com.android.conscrypt/cacerts.

4. Workaround Using Magisk and NCC Module:

  • Magisk: A tool that allows running custom modules on rooted devices.

  • Module needed: ConscryptTrustUserCerts by NCC Group, which copies user-installed CA certificates (such as the Burp CA) into the system trust store.

  • Download it:

curl -s -L https://github.com/nccgroup/ConscryptTrustUserCerts/releases/download/v0.1/ConscryptTrustUserCerts.zip -o ConscryptTrustUserCerts.zip

5. Transfer Files to Android Device:

  • Upload burp.pem and ConscryptTrustUserCerts.zip to the device using ADB:

    • adb push burp.pem /sdcard/Download

    • adb push ConscryptTrustUserCerts.zip /sdcard/Download

6. Install Burp CA Certificate:

  • Open Settings on the Android device.

  • Go to Encryption & credentials > Install a certificate > CA certificate.

  • Navigate to Downloads, select burp.pem, and install.

  • Verify under Trusted Credentials > User Tab.

7. Install the Magisk Module:

  • Launch Magisk on the device.

  • Update if needed and install Magisk components.

  • Reboot the device.

  • Open Magisk again, navigate to Modules, and click Install from storage.

  • Select ConscryptTrustUserCerts.zip and confirm installation.

  • Reboot again to apply changes.

8. Verify CA Certificate in System Store:

  • Check in Settings > Trusted Credentials to confirm Burp CA is in both User and System stores.

9. Configure Proxy on Android:

  • Open Settings > Network & internet > Internet.

  • Select your Wi-Fi network, click the pencil icon to edit, and choose Proxy: Manual.

  • Enter the IP address of the host running Burp Suite and Port 8080.

  • Save the settings.

10. Test Setup:

  • Open an app (e.g., YouTube Shorts) and check Burp Suite's Proxy History to confirm that its traffic is being intercepted.
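As an added example (not part of the original notes), a shell script that ties steps 2, 5, 8 and 9 together: it fetches Burp's CA, converts it to the hashed PEM filename Android uses, rejects anything that is not a CA certificate, pushes it to the device and checks whether the system store already lists it. It assumes curl, openssl and adb on the host and uses the emulator's 10.0.2.2 alias for the host machine (the "IP of the Burp Suite host" from step 9), which the notes above do not spell out.

```shell
#!/bin/sh
# Added helper, not part of the original notes. Assumes openssl and curl on
# the host, adb on PATH, and Burp listening on localhost:8080 (step 2).
set -eu

BURP_CERT_URL="http://localhost:8080/cert"
SYSTEM_CA_DIR="/apex/com.android.conscrypt/cacerts"   # read-only store, step 3
EMULATOR_HOST="10.0.2.2"   # an AVD reaches the host machine at this alias

# Step 2: download Burp's CA certificate in DER form.
fetch_burp_cert() {
  curl -s -L "$BURP_CERT_URL" -o "$1"
}

# Convert a DER cert to PEM named <subject_hash_old>.0 (9a5ba575.0 for
# Burp's default CA, step 3) and print the output path. Non-CA certs are
# rejected, since Android would ignore them in a CA store anyway.
der_to_android_pem() {
  der="$1"; outdir="$2"
  subj_hash=$(openssl x509 -inform DER -in "$der" -noout -subject_hash_old) || return 1
  out="$outdir/$subj_hash.0"
  openssl x509 -inform DER -in "$der" -out "$out" || return 1
  if ! openssl x509 -in "$out" -noout -text | grep -q 'CA:TRUE'; then
    echo "not a CA certificate: $der" >&2
    rm -f "$out"
    return 1
  fi
  echo "$out"
}

# Step 8 check: once the ConscryptTrustUserCerts module is active, the system
# store on the device should list the same hashed filename.
system_store_has_cert() {
  adb shell "ls $SYSTEM_CA_DIR" | tr -d '\r' | grep -qx "$1"
}

main() {
  tmp=$(mktemp -d)
  fetch_burp_cert "$tmp/burp.der"
  pem=$(der_to_android_pem "$tmp/burp.der" "$tmp")
  name=$(basename "$pem")
  adb push "$pem" /sdcard/Download/burp.pem          # step 5
  echo "Install burp.pem as a user CA, install the module, reboot, then set the"
  echo "Wi-Fi proxy to $EMULATOR_HOST:8080 (step 9)."
  if system_store_has_cert "$name"; then
    echo "OK: $name is in $SYSTEM_CA_DIR"
  else
    echo "MISSING: $name is not in $SYSTEM_CA_DIR yet"
  fi
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh burp_cert.sh run` after the emulator is up; the functions can also be sourced and used one at a time.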
