Hello everyone, I will be creating a series of posts on Android penetration testing, which will cover how to set up your lab environment for testing apks and how to set up rooted emulators. I will be using Genymotion as the emulator; it is a virtual machine you can use on either Windows or Linux. I will set it up on Windows, but you can do the same on Linux, where it's much easier.
Setting up Genymotion
Genymotion is a VirtualBox-based Android emulator that is used for testing mobile applications, so download the version that comes with VirtualBox.
After registering an account on Genymotion, log in and you'll be presented with this screen.
It doesn't really matter which Android device you select; you just need to pick the Android version you are comfortable with, or the one your application supports. Most applications are now not running on Android 7, so just go with Android 10.
On the top right you'll see a plus button to add a virtual device.
I just selected a Moto X and it shows the settings for this device: the memory, processor, resolution and the Android version you want to give it.
I changed the version and the memory allocation for this device; you can keep the default settings if you want to.
Then click on Install and it will download the Android API and set up the device.
Once it's done, launch the machine.
The next thing to set up is ADB, the Android Debug Bridge. It is helpful for getting a shell on the device, transferring files, installing apks and flashing, which we will use when installing Magisk and EdXposed (for Android 8.0+) or Xposed (supported up to Android 7.0).
Setting up ADB
Download the adb tools from here; make sure it's the latest version, as issues can come up if you're using an old version of the adb tools while the SDK version of the device is higher.
After downloading the tools, navigate to wherever you saved them and run the command adb devices.
Some important commands that we'll be using most are:
adb shell
gives a shell on the device.
adb install filename.apk
installs an apk on the device.
adb push file /data/local/tmp
copies files onto the Android device; /data/local/tmp is the path usually used.
So running adb shell gives us a shell on the device as the root user, because these emulators are already rooted.
Installing Magisk & EdXposed
This isn't really necessary to install, but some applications might not run on Android emulators or on rooted devices. So, to bypass root detection, if you don't feel like going through the source code and using other methods to bypass it, you can use the modules that come with these applications.
To install these, first install the Magisk and EdXposed apks through adb, then flash the Magisk zip file to properly install it. For EdXposed we need to flash both the EdXposed and Riru archives, but to do that we'll use both Magisk Manager and the adb shell. You can download these files from here.
Grant root privileges to Magisk Manager.
You can see that it shows Magisk isn't installed.
Same with the EdXposed app.
To flash the Magisk archive, move the archive to /data/local/tmp and then run the command
adb shell /system/bin/flash-archive.sh /data/local/tmp/Magisk_rebuilt_1c8ebfac_x86.zip
where flash-archive.sh is a shell script for flashing archives that is available by default in Genymotion emulators.
Reboot your emulator (shut it down and turn it on again). If for some reason Magisk Manager still shows that Magisk isn't installed, try installing it from the Magisk Manager app by moving the archive to /sdcard/Download.
Now move the Riru archive, which EdXposed requires, and flash it the same way:
adb shell /system/bin/flash-archive.sh /data/local/tmp/riru-v25.4.4-release.zip
This will show an error when flashing the archive, but that is normal and nothing to worry about.
From Magisk Manager go to Modules and install the Riru archive again.
Now when you reboot and open EdXposed, it will show as installed.
You can then install modules for hiding root from root-detection checks and for bypassing SSL pinning.
Installing Drozer, Frida & Objection
Frida is a dynamic instrumentation tool used for injecting scripts at run time to bypass root detection and SSL pinning. It usually bypasses root detection with the universal scripts, or you can write your own script once you understand what logic the apk uses to detect root. Frida scripts are written in JavaScript.
You'll need Python 3.7 in order to work with Frida; a Python version lower or higher than 3.7 will cause issues when running this tool. Frida can be installed through pip3. I have already installed these tools, so it just shows me that the requirement is already satisfied.
These are the commands for installing frida
pip3 install frida
pip3 install frida-tools
pip3 install objection
Objection is another collection of runtime tools, and it requires Frida to work.
You'll also need frida-server, which runs on the device and allows you to connect to it and run scripts. Make sure to download the latest frida-server version for Android; in this scenario we'll be using the 32-bit (x86) build, since the Genymotion device is 32-bit.
After transferring it to the Android emulator, make it executable and run it; then on your host machine run frida-ps -U to list the processes running on the Android emulator.
Now that Frida is set up, let's move on to installing Drozer, a command-line tool that connects to the drozer agent on the Android device. It has a bunch of modules for gathering information about the apk and can also give a shell in which we can run commands. To install Drozer you'll need Python 2 installed; run the command pip install drozer and it will be installed in C:\Python27\scripts.
Next install the drozer agent apk on the device.
Then launch the drozer application and start the server, which listens on port 31415.
This port is only listening on the device itself, so we need to forward it in order to reach it from the host; adb can do the port forwarding.
Then run the command py -2 drozer console connect.
You can use the command list, which shows the modules you can use.
And we can list the packages, i.e. the applications installed on the emulator. We can do much more with this, which I will cover when bypassing root detection and SSL pinning and checking intents.
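As an added example (not code from the original post), here is a small Python script that turns the setup steps and caveats above into checks you can run on the host. It parses adb devices output to find a device that is actually usable (state device, not offline or unauthorized), picks the frida-server release file for the device ABI (the x86 build for this 32-bit Genymotion VM), checks the Python 3.7 requirement the post mentions, and emits the exact adb commands to push and start frida-server in /data/local/tmp and to forward the drozer agent port 31415. The sample adb output and device properties are constructed; the frida-server file naming follows Frida's GitHub release assets; and the frida_version placeholder X.Y.Z should be replaced with the host's frida --version output, since the client and server versions must match. It serves the ADB, Frida and Drozer sections together.

```python
"""Sanity checks for the Android lab described in this post.

Added example, not part of the original post. The sample outputs below are
constructed; the asset naming follows Frida's GitHub releases.
"""
import shutil
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample of what `adb devices` prints for a Genymotion VM plus a
# stale emulator entry. Genymotion devices show up as <ip>:5555.
SAMPLE_DEVICES = (
    "List of devices attached\n"
    "192.168.56.101:5555\tdevice\n"
    "emulator-5554\toffline\n"
)
# Constructed sample of the device properties the checks read.
SAMPLE_PROPS = {"ro.product.cpu.abi": "x86", "ro.build.version.sdk": "29"}

# Frida publishes Android server builds as frida-server-<ver>-android-<arch>.xz
# with arch in {arm, arm64, x86, x86_64}; this maps Android ABIs onto those.
ABI_TO_FRIDA_ARCH = {"armeabi-v7a": "arm", "arm64-v8a": "arm64",
                     "x86": "x86", "x86_64": "x86_64"}
REMOTE_FRIDA = "/data/local/tmp/frida-server"  # push target used in the post
DROZER_PORT = 31415                             # drozer agent port from the post


def parse_adb_devices(output: str) -> List[Tuple[str, str]]:
    """Return (serial, state) pairs, skipping the 'List of devices' header."""
    pairs = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def usable_devices(pairs: List[Tuple[str, str]]) -> List[str]:
    """Only state 'device' accepts shell/push; 'offline' or 'unauthorized'
    means reboot the VM or accept the USB-debugging prompt first."""
    return [serial for serial, state in pairs if state == "device"]


def python_matches(required: Tuple[int, int], version=sys.version_info) -> bool:
    """The post pins Python 3.7 for Frida; compare major.minor only."""
    return (version[0], version[1]) == required


def frida_server_asset(abi: str, frida_version: str) -> str:
    """Release asset name for the device's ABI. frida_version must equal the
    host's `frida --version`, because client and server must match."""
    arch = ABI_TO_FRIDA_ARCH.get(abi)
    if arch is None:
        raise ValueError(f"unsupported ABI: {abi!r}")
    return f"frida-server-{frida_version}-android-{arch}.xz"


def setup_commands(serial: str, local_frida_server: str) -> List[List[str]]:
    """adb argv lists that push frida-server, make it executable, start it
    detached, and forward the drozer port so `drozer console connect` works."""
    adb = ["adb", "-s", serial]
    return [
        adb + ["push", local_frida_server, REMOTE_FRIDA],
        adb + ["shell", "chmod", "755", REMOTE_FRIDA],
        # nohup + redirects so the adb shell returns instead of hanging on the
        # server's stdout; the emulator shell is already root, so no su needed.
        adb + ["shell", f"nohup {REMOTE_FRIDA} >/dev/null 2>&1 &"],
        adb + ["forward", f"tcp:{DROZER_PORT}", f"tcp:{DROZER_PORT}"],
    ]


def run_adb(args: List[str]) -> str:
    """Run adb (must be on PATH) and return its stdout."""
    return subprocess.run(["adb"] + args, capture_output=True, text=True,
                          check=True).stdout


def check_lab(devices_output: str, props: Dict[str, str], frida_version: str,
              local_frida_server: str = "frida-server") -> Dict[str, object]:
    """Pure report builder: which device to use, which frida-server build to
    download, and the exact adb commands to run."""
    serials = usable_devices(parse_adb_devices(devices_output))
    report: Dict[str, object] = {"python_ok": python_matches((3, 7)),
                                 "devices": serials}
    if not serials:
        report["error"] = "no device in state 'device'"
        return report
    report["sdk"] = int(props["ro.build.version.sdk"])
    report["frida_server"] = frida_server_asset(props["ro.product.cpu.abi"],
                                                frida_version)
    report["commands"] = setup_commands(serials[0], local_frida_server)
    return report


def main() -> None:
    if shutil.which("adb"):
        devices = run_adb(["devices"])
        serials = usable_devices(parse_adb_devices(devices))
        props = ({k: run_adb(["-s", serials[0], "shell", "getprop", k]).strip()
                  for k in SAMPLE_PROPS} if serials else {})
    else:
        devices, props = SAMPLE_DEVICES, SAMPLE_PROPS  # offline demo data
    # "X.Y.Z" is a placeholder: pass the host's `frida --version` here.
    for key, value in check_lab(devices, props, frida_version="X.Y.Z").items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it with adb on PATH and the Genymotion VM booted to get a report for the real device; without adb it prints the report for the constructed sample. The commands are returned as argv lists rather than executed so you can review them before running them against the emulator.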
So these are the common tools used for Android pentesting. There are some other tools for decompiling apks for static analysis, which I will try to cover in the next post when showing the root detection and SSL pinning bypass. Also note that I installed these on Windows; you can pretty much install them on Linux as well without running into issues, whereas on Windows I faced a lot of issues.