Overview:
This article walks through building a lab for dynamic penetration testing of Android applications, including how to install every dependency involved.
Android penetration testing involves assessing an application’s security by identifying vulnerabilities in its source code, binary files, and network traffic. There are two main approaches:
- Static Analysis: reviewing an application’s code and configuration files without executing it.
- Dynamic Analysis: running the application to monitor its behaviour and interactions in real time.
In this article, we will set up a dynamic testing lab using:
- A Rooted Android Emulator
- Frida Server
- Burp Suite
We need an Android emulator to run the target application for dynamic testing. We’ll use Android Studio to set up the emulator.
Download and install Android Studio from the official website: https://developer.android.com/studio
Once it is installed, open Android Studio; you will land on the Welcome dashboard.
From the dashboard, navigate to the Virtual Device Manager by clicking More > Virtual Device Manager.
The Virtual Device Manager is empty until you create your first device.
Click the “+” icon in the top-left corner and select a device. (Example: Pixel 7a).
Select an Android version for your emulator (example: Android 11, API 30, which is the image the rootAVD step below assumes) and download the system image if required. Whichever API level you choose, the ramdisk path you pass to rootAVD later must match it.
Name your emulator and complete the setup.
Run the emulator and verify that it boots successfully.
Open Command Prompt and change to the platform-tools directory of the SDK under your own Windows user profile (this is where adb lives; adding it to PATH saves typing the full path every time):
cd C:\Users\\AppData\Local\Android\Sdk\platform-tools
Check that the emulator is detected by running:
adb devices
You should see a connected device (e.g., emulator-5554).
Download rootAVD from GitHub: https://github.com/newbit1/rootAVD (used here with the API 30 image).
Change into the rootAVD directory. Running rootAVD.bat with no arguments prints its usage and lists the system images it can patch; then run it against the ramdisk of the image you created:
rootAVD.bat
rootAVD.bat system-images\android-30\default\x86_64\ramdisk.img
rootAVD patches the ramdisk of that system image. Reboot the emulator; after it comes back up you should see the Magisk app installed, confirming the patch was applied.
Open Magisk. When it prompts you to finish its setup, click OK; the emulator reboots once more.
Once rebooted, open a root shell from the host:
adb shell
su
Magisk shows a superuser request on the emulator screen; click Grant.
Then confirm who the shell is running as:
whoami
The output should be root, confirming successful rooting.
Open Burp Suite, navigate to Proxy Settings, and edit the proxy listener:
- Bind it to all interfaces so the emulator can reach it. Note that this exposes the listener to every host on your network; if you prefer to keep it on the loopback interface, the emulator can still reach it through 10.0.2.2, the emulator’s alias for the host’s 127.0.0.1.
- Ensure port 8080 is selected, so the listener is shown as *:8080.
Click OK to save the listener.
On the emulator, go to Wi-Fi settings and click Edit on your Wi-Fi network, then:
- Select Manual Proxy.
- Set the Proxy Hostname to your system’s IP address (or 10.0.2.2, the emulator’s alias for the host loopback, if Burp listens only on 127.0.0.1).
- Set the Port to 8080.
- Click Save.
Verify the connection: open Chrome on the emulator and navigate to http://burp (Burp serves this page itself, so it only loads if the emulator’s traffic is going through the proxy).
Click CA Certificate to download the Burp CA certificate. Burp serves it as cacert.der; rename it to cacert.crt if Android’s certificate installer does not recognise the file.
Go to Settings and open Install a certificate (under Security > Encryption & credentials on Android 11), select cacert.crt as a CA certificate, name the certificate, and confirm the installation.
Open Chrome and visit any HTTPS website. The page should load without certificate errors.
Go back to Burp Suite and check the HTTP history. You should see the captured requests.
One caveat before moving on to apps: a certificate installed through Settings lands in the user CA store. Chrome trusts it, but apps that target Android 7.0 (API 24) or later ignore user CAs unless their network security configuration opts in, so expect TLS failures from many apps even though Chrome works. On a rooted emulator the fix is to add Burp’s CA to the system store (/system/etc/security/cacerts, where each certificate is a PEM file named by its subject hash), for example through a Magisk module that mirrors user CAs into the system store.
Your rooted Android emulator is now configured to intercept traffic using Burp Suite. You can open applications and start intercepting network traffic. However, an app that pins its server certificate (certificate pinning, which is unrelated to how the APK itself is signed) rejects Burp’s certificate even when the CA is trusted, and you will need to bypass that pinning to capture its HTTPS requests.
Step 4: Bypassing SSL Pinning with Frida
Install Frida on your host machine. frida-tools provides the frida command line and pulls in the matching frida Python package:
pip3 install frida-tools
frida --version
Ensure Frida is installed by verifying its version; the server you push to the emulator in the next step must be the same version.
Go to the GitHub Frida Releases page (https://github.com/frida/frida/releases) and select the release that matches the version installed on your host. Locate the frida-server asset built for your emulator’s architecture (e.g., frida-server-16.6.1-android-x86_64.xz for an x86_64 image).
The architecture is shown in the Device Manager next to the AVD; you can also read it from the emulator with adb shell getprop ro.product.cpu.abi.
Once it is downloaded, extract the archive; you should get a single file named frida-server-16.6.1-android-x86_64. Rename it to frida-server so that the commands below match.
Push Frida Server to the emulator:
adb push frida-server /data/local/tmp/
Open a root shell on the emulator, make the binary executable, and start it in the background:
adb shell
su
cd /data/local/tmp/
chmod 755 frida-server
./frida-server &
Without the trailing &, ./frida-server runs in the foreground and holds the shell open. chmod 755 is sufficient; there is no need to make the binary world-writable with 777.
Frida Server should now be running in the background. From the host, frida-ps -U lists the emulator’s processes if the server is reachable.
Now it’s time to install the target application and begin intercepting its data.
Download the required APK from APKCombo and install it with adb, or install it directly from the Play Store (available only on Google Play system images):
adb install <path-to-apk>
If the APK was downloaded inside the emulator, locate it in the Downloads folder and install it from there.
Once installed, open a terminal on the host and find the application’s package name:
adb shell pm list packages | findstr <app-name>
Copy the full package name (the part after package:) for further use.
Obtain an SSL pinning bypass script (ssl.js) from GitHub.
Spawn the application under Frida with the script loaded:
frida -U -f <package-name> -l ssl.js
-U selects the USB/emulator device and -f spawns the package, so the application launches automatically with the hooks in place before any pinning check runs. Older guides add --no-pause; recent frida-tools resume the spawned process by default and no longer accept that flag. (-n, by contrast, attaches to an already running process by name, so it would not launch the app for you.)
Perform some actions in the application and check Burp Suite for its HTTPS requests. If they appear, SSL pinning has been successfully bypassed!
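As an added example (not the script the article tells you to download, and not Frida’s own code), here is a minimal ssl.js of the kind the frida command above loads. It covers three common pinning paths: replacing the TrustManager passed to SSLContext.init(), neutralising OkHttp3’s CertificatePinner.check(), and short-circuiting Conscrypt’s TrustManagerImpl.verifyChain(). The file name ssl_bypass.js, the helper names installPinningBypass and tryUse, and the com.example.TrustAll class name are assumptions of this example. Classes the app has not loaded are skipped rather than crashing the script; native pinning (Flutter, custom native libraries) and network security configuration pin-sets are not addressed here.

```javascript
// ssl_bypass.js: a minimal Frida script for Android that disables three
// common certificate-pinning paths. Run it with:
//   frida -U -f <package-name> -l ssl_bypass.js
//
// installPinningBypass() receives the Frida Java bridge as a parameter so the
// same file can also be loaded in Node with a fake bridge for offline checks.
// (Added example; names below are assumptions, not the article's script.)

const TRUST_ALL_CLASS = 'com.example.TrustAll'; // assumed name; any unused package works

// Java.use() throws when the class is not loaded in the target process
// (e.g. the app does not bundle OkHttp), so treat that as "nothing to hook".
function tryUse(JavaBridge, className) {
  try {
    return JavaBridge.use(className);
  } catch (e) {
    return null;
  }
}

// Installs the hooks and returns the list of methods that were replaced.
function installPinningBypass(JavaBridge) {
  const installed = [];

  // 1. Every SSLContext.init(KeyManager[], TrustManager[], SecureRandom) call
  //    gets a trust-all X509TrustManager instead of the app's own one.
  const X509TrustManager = JavaBridge.use('javax.net.ssl.X509TrustManager');
  const TrustAll = JavaBridge.registerClass({
    name: TRUST_ALL_CLASS,
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted(chain, authType) {},
      checkServerTrusted(chain, authType) {},
      getAcceptedIssuers() { return []; },
    },
  });
  const SSLContext = JavaBridge.use('javax.net.ssl.SSLContext');
  const sslContextInit = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
  sslContextInit.implementation = function (keyManagers, trustManagers, secureRandom) {
    console.log('[ssl_bypass] SSLContext.init(): swapping in trust-all TrustManager');
    return sslContextInit.call(this, keyManagers, [TrustAll.$new()], secureRandom);
  };
  installed.push('javax.net.ssl.SSLContext.init');

  // 2. OkHttp3 CertificatePinner.check(hostname, List<Certificate>) throws
  //    SSLPeerUnverifiedException on a pin mismatch; make it a no-op.
  const CertificatePinner = tryUse(JavaBridge, 'okhttp3.CertificatePinner');
  if (CertificatePinner !== null) {
    CertificatePinner.check.overload('java.lang.String', 'java.util.List')
      .implementation = function (hostname, peerCertificates) {
        console.log('[ssl_bypass] okhttp3.CertificatePinner.check() bypassed for ' + hostname);
      };
    installed.push('okhttp3.CertificatePinner.check');
  }

  // 3. Conscrypt's TrustManagerImpl.verifyChain() is the platform chain
  //    validation behind the default TrustManager; returning the untrusted
  //    chain unchanged reports it as verified, whatever CA signed it.
  const TrustManagerImpl = tryUse(JavaBridge, 'com.android.org.conscrypt.TrustManagerImpl');
  if (TrustManagerImpl !== null) {
    TrustManagerImpl.verifyChain.implementation = function (untrustedChain) {
      console.log('[ssl_bypass] TrustManagerImpl.verifyChain() bypassed');
      return untrustedChain;
    };
    installed.push('com.android.org.conscrypt.TrustManagerImpl.verifyChain');
  }

  return installed;
}

// Under Frida the global Java bridge exists; in Node it does not, and the
// file then only defines the functions above.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const hooks = installPinningBypass(Java);
    console.log('[ssl_bypass] installed: ' + hooks.join(', '));
  });
}
```

The hook installer takes the Java bridge as an argument instead of touching the global Java object directly; that is what lets the file be loaded outside Frida with a fake bridge to confirm the right methods are replaced before it is pointed at a real app. Each bypass logs when it fires, so the Frida console tells you which path the app actually uses.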
You have successfully:
1. Set up an Android Emulator for pentesting.
2. Rooted the emulator using Magisk.
3. Configured Burp Suite to intercept traffic.
4. Installed and used Frida to bypass SSL Pinning.
Now, you can perform dynamic application security testing and analyse network traffic for vulnerabilities.