Continuing with the Mobile Pentesting 101 series, this article gives an idea about how your Android pentesting environment should look like. What tools should I use? Do I really need a physical device? Do I need a rooted device to pentest an application? I will try to answer all these questions and others in the following lines.
- Debate: Physical device vs Emulator
- Setting up your Android Device
- Preparing your device
- Preparing your pentest station
Debate: Physical device vs Emulator
There’s a huge debate on the Internet regarding what a pentester should use: physical or emulated device. I won’t say that you should stick with only one option because it is not always the case. You might encounter some situations where an emulator is useless and some cases where a physical device could not simply do the job. I will give you some pros and cons for each, and you can choose afterward what suits you best.
- Most Android devices come with ARM CPUs;
- Not relying on laptop specifications;
- You cannot change de Android API level to fit your needs;
- Rooting can brick your phone, thus it is hard to replace;
- Some device models do not have a rooting method yet.
- You can freely choose your Android APIs and switch between them;
- You can always pop up a new emulator in case of failure;
- Easy to root or already rooted.
- Some applications might crash due to a lack of specifications;
- It consumes the laptop’s resources;
- Some emulators lack biometric authentication which is crucial for today’s applications.
Setting up your Android Device
As most of the following are applicable to both physical and emulated devices, I will present only the aspects used for an emulated device. So, when it comes to emulators, there are plenty of free options when setting up your Android environment. The most common are Android Virtual Device (AVD), Genymotion, and NoxPlayer. Genymotion is rooted by default, NoxPlayer has the option to enable root, and with AVD, root can be obtained easily.
Android Virtual Device
Let’s start by creating a new virtual device using Android Studio. Here are some remarks that need to be made:
- If you choose to create a device without the Google Play services, the device is rooted by default, but it can be difficult to install the services after.
- If you need the Play services, then the device is not rooted by default and you might want to root it.
Now, if you use an emulator without the Google APIs installed, you can skip this part.
How to root your AVD – Magisk
Thanks to the XDA community, we now have a script that instantly roots your AVD and installs Magisk on your emulator. The tool is called rootAVD and can be found on GitHub.
The next command is the one that I used to root my AVD and it works every single time, so you should give it a try.
You can download Genymotion from their official site. Once you do that, in order to create the emulators, you will need to create an account. With an account created and logged in, the next step is to create the device, again, I am using the Google Pixel 3.
As I mentioned earlier, the Genymotion emulator is rooted by default, thus you won’t have to do it by yourself.
Preparing your device
Regardless of the type of device you are using, you need some tools installed on your device to exploit the applications and discover vulnerabilities. Two of the most important are Drozer and Frida.
Drozer is a good tool for simulating a rogue application. F-Secure stopped its development, but it still can be used in your penetration test without any problems. From their GitHub page, there is an APK that should be installed on the device. The command is
$ adb install drozer-agent-2.3.4.apk
Frida is a dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. The following steps can be followed to install the Frida server on the device:
- Download the specific version from https://github.com/frida/frida/releases
- Unzip it using:
$ xz -d ~/Downloads/frida-server-16.0.2-android-x86.xz
- Now push it on the device using the:
$ adb push frida-server-16.0.2-android-x86 /data/local/tmp/frida-server
$ adb shell chmod +x /data/local/tmp/frida-server
$ adb shell su /data/local/tmp/frida-server
What’s interesting about Frida is that you don’t need a rooted device to run it. You can easily patch the application to include the Frida-gadget library and install the new signed application on the device. There’s an interesting article that shows you two methods to attach the gadget to an application. There’s also a third solution: objection patchapk. It is a command that basically wraps around several other system commands, automating the patching process as far as possible.
Install BurpSuite’s certificate
To be able to intercept the traffic the application is sending to the backend servers, you need to install the Burp certificate on the device and use a proxy server. There are plenty of resources out there that offer you a solution, but I recommend following PortSwigger’s documentation found here.
TIP: Magisk SafetyNet attestation
SafetyNet provides a set of services and APIs that help protect your app against security threats, including device tampering, bad URLs, potentially harmful apps, and fake users. It sounds like the tampered device era comes to an end, but as with any other client-side validation, with enough time, you can finally bypass it. There is a Magisk module available, developed by kdrag0n, and can be found on his GitHub page.
Preparing your pentest station
When it comes to setting up your pentesting environment, it can be difficult sometimes to install all the required tools due to different issues. To solve that problem, the Enciphers guys developed a virtual machine that contains all the necessary tools and can be immediately used without any trouble. You can find more details here.
If you still need only a couple of tools installed on your pentest station, I will give you a brief introduction to the topmost tools that I use in almost all engagements that I have. All the tools and installation methods described below are for Ubuntu, but you can find the Windows details in their documentation.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis, and security assessment framework capable of performing static and dynamic analysis. More details can be found on their GitHub page, but an easy installation on Ubuntu contains the following 3 steps:
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git cd Mobile-Security-Framework-MobSF ./setup.sh
Is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to almost their original form and rebuild them after making some modifications. You can find more details here, but the installation is as easy as
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.7.0.jar -O apktool.jar mv apktool /usr/local/bin/ mv apktool.jar /usr/local/bin/ chmod +x /usr/local/bin/apktool chmod +x /usr/local/bin/apktool.jar apktool -v
Command-line and GUI tools for producing Java source code from Android Dex and apk files. Decompile Dalvik bytecode to java classes from APK, dex, aar, aab, and zip files. Decode AndroidManifest.xml and other resources. Deobfuscator included. More details can be found on the application’s GitHub here.
Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints, and the underlying OS. Even though it is decommissioned and out of development, I still use it as a go-to tool when it comes to mobile pentesting. More details can be found on their GitHub.
wget https://github.com/WithSecureLabs/drozer/releases/download/2.4.4/drozer_2.4.4.deb sudo dpkg -i drozer-2.4.4.deb
python3 -m pip install frida-tools
Once you installed Frida on your hacking station, you can easily search for already crafted scripts on https://codeshare.frida.re/, or you can create your own. Furthermore, you can use the scripts using either of the following commands:
frida -U -f com.android.example -l Frida_Scripts/bypass_ssl_pinning_various_methods.js frida -U -f com.android.example --codeshare sowdust/universal-android-ssl-pinning-bypass-2
Objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak. It can help you bypass fingerprint, SSL pinning, and many more.
You can install it using python’s pip as easily as:
python3 -m pip install objection
Runtime Mobile Security (RMS)
I wrote an entire article dedicated to this tool, so you should check it out here. To install it, just use the following:
npm install -g rms-runtime-mobile-security
I hope this article helped you create your mobile pentesting environment or refine your existing one. With the industry changing that fast, some tools might be decommissioned, and some new tools might pop up, but the methodology does not change. Stay tuned for the next article: Mobile Pentesting 101 – How to set up your iOS Environment.
Saaweeet dude ! This is awesome and really hit home as I have been thinking about Android emulation all week trying to remember what I used 10+ years ago! I’ve always just went with physical device without even thinking of emulation untill admittedly just recently. So I’m excited to get another lab set up and running! Kudos,Cheers,Gratzie,Arigato,Danka, Gracias, Miigwetch,Padamya, and of course Thank You. 🙂
LikeLiked by 1 person
Glad that you enjoyed the article! It is a nice thing to be able to use emulators some times, saves you a lot of pain 😁
This is awesome article. waiting for “Pentesting 101 – How to set up your iOS Environment”