Android Pentesting-Setting up lab

ARZ101
8 min read · Jan 12, 2022


Hello everyone, I will be creating a series of posts on Android penetration testing. This one covers how to set up your lab environment for testing APKs and how to set up rooted emulators. I will be using Genymotion as the emulator, which is a virtual machine you can run on either Windows or Linux. I will set it up on Windows; you can do the same on Linux, where it is much easier.

Setting up Genymotion

Genymotion is a VirtualBox-based Android emulator that is used for testing mobile applications, so download the version that comes bundled with VirtualBox.

After registering an account on Genymotion, log in and you'll be presented with this screen.

It doesn't matter much which Android device you select; just pick the Android version you are comfortable with, or the one your application supports. Most applications no longer run on Android 7, so go with Android 10.

On the top right you'll see a plus button to add a virtual device.

I selected the Moto X and it shows the settings for this device: the memory, processor, resolution and the Android version you want to give it.

I changed the version and the memory allocation for this device; you can keep the default settings if you want to.

Then click on install and it will download the Android API and set up the device.

Once it's done, launch the machine.

The next thing to set up is ADB (Android Debug Bridge), which is helpful for getting a shell on the device, transferring files, installing APKs and flashing. We'll use it when we install Magisk and EdXposed (for Android 8.0+) or Xposed (supported up to Android 7.0).

Setting up ADB

Download the ADB tools from here and make sure it's the latest version, as issues can come up if you're using an old version of the ADB tools and the SDK version of the device is higher.

After downloading the tools, navigate to wherever you saved them and run the command adb devices.

Some important commands that we'll be using most are:

  • adb shell, which gives a shell on the device
  • adb install filename.apk, which installs an APK on the device
  • adb push file /data/local/tmp, which copies files onto the Android device; the /data/local/tmp path is usually used

So by running adb shell we get a shell on the device as the root user, because these emulators are already rooted.

Installing Magisk & EdXposed

This isn't strictly necessary to install, but some applications won't run on Android emulators or on rooted devices. To bypass root detection, if you don't feel like going through the source code and using other methods, you can use the modules that come with these applications.

To install these, first install the Magisk and EdXposed APKs through ADB, then flash the Magisk zip file to properly install it. For EdXposed we need to flash both the EdXposed and Riru archives; to do that we'll use both Magisk Manager and the ADB shell. You can download these files from here.

Grant root privileges to Magisk Manager.

You can see that it shows Magisk isn't installed.

Same with the EdXposed app.

To flash the Magisk archive, move the archive to /data/local/tmp and then run the command adb shell /system/bin/flash-archive.sh /data/local/tmp/Magisk_rebuilt_1c8ebfac_x86.zip, where flash-archive.sh is a shell script for flashing archives that is available by default in Genymotion emulators.

Reboot your emulator (shut it down and turn it on again). If for some reason Magisk still shows as not installed, try installing it from the Magisk Manager app by moving the archive to /sdcard/Download.

Now move the Riru archive, which is required by EdXposed, and flash it: adb shell /system/bin/flash-archive.sh /data/local/tmp/riru-v25.4.4-release.zip

This will show an error when flashing the archive, but that's normal and nothing to worry about.

From Magisk Manager go to Modules and install the Riru archive again from there.

Now when you reboot and open EdXposed, it will show as installed.

You can then install modules for bypassing root detection and SSL pinning.

Installing Drozer, Frida & Objection

Frida is a dynamic instrumentation tool used to inject scripts that bypass root detection and SSL pinning at runtime. Root detection can usually be bypassed with the universal scripts, or you can write your own script once you understand what logic the APK uses to detect root. Frida scripts are written in JavaScript.

You'll need Python 3.7 in order to work with Frida; if the Python version is lower or greater than 3.7, this will cause issues when running the tool. It can be installed through pip3. I have already installed these tools, so it just shows me that the requirement is already satisfied.

These are the commands for installing Frida and Objection:

  • pip3 install frida
  • pip3 install frida-tools
  • pip3 install objection

Objection is another collection of tools that runs at runtime, and it requires Frida to work.

You'll also need frida-server, which allows you to connect to the device and run scripts. Make sure to download the latest frida-server version for Android; in this scenario we'll be using the 32-bit (x86) version, since the Genymotion device is 32-bit.

After transferring it to the Android emulator, make it executable and run it, then on your host machine run frida-ps -U to list the running processes on the Android emulator.
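The two things that most often break this part of the setup are connecting to the wrong (or offline) ADB device and grabbing a frida-server build whose architecture or version doesn't match the emulator and the host-side frida package. The following preflight helper is an added example written for this post, not a tool from the Genymotion, Frida or ADB projects; the adb devices output and version strings are constructed samples, and the ABI-to-asset mapping follows Frida's release file naming (frida-server-<version>-android-<arch>.xz).

```python
"""Preflight checks for the ADB + frida-server part of the lab setup.

Constructed sample output stands in for the real `adb` / `frida` tools so the
checks run offline; feed them real command output to use against a live emulator.
"""
import re
from typing import List

# Constructed sample of `adb devices -l` output (not captured from a real device).
SAMPLE_ADB_DEVICES = """List of devices attached
192.168.56.101:5555    device product:vbox86p model:Moto_X device:vbox86p transport_id:1
emulator-5554          offline transport_id:2
"""

# Android ABI (from `adb shell getprop ro.product.cpu.abi`) -> suffix used in
# Frida's release asset names. The 32-bit Genymotion image reports "x86".
ABI_TO_FRIDA_ARCH = {
    "x86": "x86",
    "x86_64": "x86_64",
    "armeabi-v7a": "arm",
    "arm64-v8a": "arm64",
}


def online_devices(adb_output: str) -> List[str]:
    """Return serials whose state is 'device'; offline/unauthorized entries are skipped."""
    serials = []
    for line in adb_output.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def frida_server_asset(abi: str, frida_version: str) -> str:
    """Build the frida-server release file name matching the device ABI and host frida version."""
    if abi not in ABI_TO_FRIDA_ARCH:
        raise ValueError("unsupported ABI: %s" % abi)
    return "frida-server-%s-android-%s.xz" % (frida_version, ABI_TO_FRIDA_ARCH[abi])


def versions_match(host_version: str, server_banner: str) -> bool:
    """frida-tools and frida-server must share a version (e.g. host frida.__version__
    vs. the string printed by `frida-server --version` on the device)."""
    m = re.search(r"(\d+\.\d+\.\d+)", server_banner)
    return m is not None and m.group(1) == host_version
```

If online_devices returns more than one serial, pass the one you want to adb with -s so the push and frida-ps -U go to the Genymotion instance and not a stray emulator.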

Now that it's set up, moving on to installing Drozer, a command line tool which connects to the Drozer agent on the Android device. It has a bunch of modules for getting information about the APK and can also get a shell with which we can run commands. To install Drozer you'll need Python 2 installed; run the command pip install drozer and it will be installed in C:\Python27\scripts. Next, install the Drozer APK on the device.

Then launch the Drozer application and start the server, which listens on port 31415.

This port is only listening locally on the device, so we need to port forward it to access it; we can use adb to do the port forwarding.

Run the command py -2 drozer console connect

You can use the command list, which will show the modules that you can use.

And we can list the packages or applications installed on the emulator. We can do much more with this, which I will cover in bypassing root detection, SSL pinning and checking for intents.

So these are the common tools used for Android pentesting. There are some other tools for decompiling APKs for static analysis, which I will try to cover in the next post when showing root detection and SSL pinning bypass. Also note that I installed these on Windows; you can pretty much install them on Linux as well without running into the many issues I faced on Windows.
