# Android PenTest Setup

## Install Android Studio

* Since I'm using an Apple M3, I downloaded the Android Studio ARM version from the Downloads page, since it uses native emulation with QEMU, resulting in faster performance.
* Select the Pixel 8 API 35 (Android 15, arm64-v8a) device from the Virtual Device Manager.
* Select "Cold Boot" under Advanced Settings > Emulated Performance.
* Add the SDK platform-tools and emulator directories to the PATH variable.

{% code overflow="wrap" %}

```bash
# Edit the shell profile (the file lives in the home directory)
vi ~/.zshrc
export PATH="$PATH:/Users/sid/Library/Android/sdk/platform-tools:/Users/sid/Library/Android/sdk/emulator"
# Reload it so the current shell picks up the new PATH
source ~/.zshrc
```

{% endcode %}

* List the available AVDs

```bash
emulator -list-avds

Pixel_8_API_35
```

* Start the device

```bash
emulator -avd Pixel_8_API_35
```

* Once the device has booted, we can use Android Debug Bridge (ADB) to open a shell on it.

```bash
adb shell
```

* If we try to switch to the root user, it fails: the stock image does not provide a usable `su`.

```bash
su
```

## Rooting the Device

### Installing RootAVD

Using Magisk (Magic Mask) and RootAVD, we'll root the device.

Magisk provides an environment that allows us to run as root on Android.

RootAVD uses Magisk to root a running AVD.

```bash
git clone https://gitlab.com/newbit/rootAVD.git
cd rootAVD

# Run without arguments to print the usage text and example commands
./rootAVD.sh
```

This prints the usage text with example commands. Running the first example command (the ramdisk image path is relative to the Android SDK directory) should give us root access. It shuts down the emulator once the device is rooted.

```bash
./rootAVD.sh system-images/android-35/google_apis_playstore/arm64-v8a/ramdisk.img
```

Restart the device and check root access through an ADB shell. The device will prompt you to grant superuser access; tap Grant.

```bash
emulator -avd Pixel_8_API_35

adb shell
su
```

## Setting up Burp Proxy

**1. Configure Burp Suite to Intercept Android Traffic:**

* By default the Burp proxy listener is bound to `localhost:8080` and is only reachable from the host itself. To capture traffic from an Android device, modify the listener:
  * Navigate to **Settings > Tools > Proxy > Proxy Listeners**.
  * Click "Edit" and change "Bind to address" to **“all interfaces”**.
* This allows Burp to intercept requests from the Android device.

**2. Download Burp's CA Certificate:**

* Run: `curl -s -L http://localhost:8080/cert -o burp.der`.
* Convert to PEM format using OpenSSL: `openssl x509 -inform der -in burp.der -out burp.pem`.

**3. Certificate Naming and Android 14 Changes:**

* Many guides suggest renaming the PEM to a hashed name like `9a5ba575.0` and copying it into the system store.
* **Note:** On Android 14, injecting certificates into `/system/etc/security/cacerts` does **not** work because the system CA store now lives in a read-only APEX location: `/apex/com.android.conscrypt/cacerts`.

**4. Workaround Using Magisk and NCC Module:**

* **Magisk**: A tool that allows running custom modules on rooted devices.
* **Module Needed**: `ConscryptTrustUserCerts` by NCC Group, which copies user-installed CA certificates into the Conscrypt system trust store so the Burp certificate is treated as a system CA.
* Download it:

{% code overflow="wrap" %}

```bash
curl -s -L https://github.com/nccgroup/ConscryptTrustUserCerts/releases/download/v0.1/ConscryptTrustUserCerts.zip -o ConscryptTrustUserCerts.zip
```

{% endcode %}

**5. Transfer Files to Android Device:**

* Upload `burp.pem` and `ConscryptTrustUserCerts.zip` to the device using ADB:
  * `adb push burp.pem /sdcard/Download`
  * `adb push ConscryptTrustUserCerts.zip /sdcard/Download`

**6. Install Burp CA Certificate:**

* Open **Settings** on the Android device.
* Go to **Encryption & credentials** > **Install a certificate** > **CA certificate**.
* Navigate to **Downloads**, select `burp.pem`, and install.
* Verify under **Trusted Credentials > User Tab**.

**7. Install the Magisk Module:**

* Launch **Magisk** on the device.
* Update if needed and install Magisk components.
* Reboot the device.
* Open Magisk again, navigate to **Modules**, and click **Install from storage**.
* Select `ConscryptTrustUserCerts.zip` and confirm installation.
* Reboot again to apply changes.

**8. Verify CA Certificate in System Store:**

* Check in **Settings > Trusted Credentials** to confirm Burp CA is in both User and System stores.
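Where the `9a5ba575.0`-style name from step 3 comes from, and a shell-side check for step 8: Android names CA files in its trust stores `<subject_hash_old>.0`, i.e. the first four bytes of the MD5 of the DER-encoded subject Name, little-endian, as eight hex digits. The script below is an added example, not code from the original page or from the NCC Group module; `sample_cert()` builds a constructed, cert-shaped DER so it runs offline, and the `adb shell ls` check in the usage note is an assumed follow-up.

```python
"""Android cacert filename (<subject_hash_old>.0): MD5 of the DER subject Name, first 4 bytes little-endian, as 8 hex digits."""
import hashlib
import sys

def der_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert_der):
    """Return the DER bytes of the subject Name of an X.509 certificate."""
    _, tbs_start, _ = der_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = der_tlv(cert_der, tbs_start)      # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:                                # walk the top-level TBS fields
        tag, _, vend = der_tlv(cert_der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    if fields[0][0] == 0xA0:                            # skip the optional [0] version
        fields.pop(0)
    _, start, end = fields[4]        # serial, signature, issuer, validity, subject
    return cert_der[start:end]

def hash_name_from_subject(subject_bytes):
    """OpenSSL's X509_NAME_hash_old(), rendered the way Android names cacert files."""
    digest = hashlib.md5(subject_bytes).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

def android_cacert_name(cert_der):
    return hash_name_from_subject(subject_der(cert_der))

def der(tag, content):                                  # short-form DER encoder for the sample
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def sample_cert(subject_cn=b"Demo CA"):
    """Constructed, cert-shaped DER for offline runs (not a real or signed certificate)."""
    def name(cn):                                       # Name ::= SEQUENCE OF SET OF (OID, value)
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn))))
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name(b"Issuer CA")
              + der(0x30, der(0x17, b"240101000000Z") * 2) + name(subject_cn))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))

if __name__ == "__main__":           # usage: python3 cacert_name.py burp.der
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert()
    print(android_cacert_name(data))
```

Run it against the `burp.der` from step 2 (`openssl x509 -subject_hash_old -noout -in burp.pem` gives the same value for cross-checking); after the module reboot, `adb shell ls /apex/com.android.conscrypt/cacerts/<name>` should list the file if the copy into the system store worked.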

**9. Configure Proxy on Android:**

* Open **Settings > Network & internet > Internet**.
* Select your Wi-Fi network, click the pencil icon to edit, and choose **Proxy: Manual**.
* Enter the **IP of Burp Suite host** and **Port: 8080**.
* Save the settings.

**10. Test Setup:**

* Open an app (e.g., YouTube Shorts) and check Burp Suite’s Proxy History to see intercepted traffic.
