Unlock the power of Android pen testing on Macbooks M1 and M2 with our comprehensive, step-by-step setup guide for practical success.

Hello, Infosec Community!

Embarking on my journey into Android pen testing, I initially relied on the Genymotion emulator, as suggested by many online resources, which worked pretty well on my Windows device. However, with Gennymotion, we soon encountered limitations—several crashes, a few tools not working as expected, its x86-based architecture restricted testing of x64-based apps, and Flutter apps boasted built-in SSL pinning security.

Transitioning to a Macbook M2 for full-time Android pen-testing posed a new challenge: M1 and M2 chips lacked virtualization support, rendering VirtualBox unusable, while VMware Fusion started smoothly working nowadays.

After diligent research, I, along with my friend Vikas Srivastava, discovered a superior alternative: Android Studio. With its native virtual devices, Android Studio became our go-to solution. Installing it was a breeze, thanks to the straightforward guides available on YouTube. Now, with Android Studio, we present you with an equipped tool to tackle Android pen testing with unparalleled efficiency and effectiveness.

Knowledgeable in ADB, the Magisk program, decompiling and recompiling APKs, SSL certificates, Android, and APK signing; also familiar with BurpSuite proxy and basic Android pen testing.

Let's start our journey with the MacBook Android Security Setup and its security testing.

1. Install all of the essential Android platform tools on your Mac with the following command:

brew install android-platform-tools

2. Install Android studio and open it once downloaded. Check “Virtual Device Manager” in the settings, and then click the “Create Device” button.

3. Select Phone > Pixel 3 and click next.

4. You will be prompted to pick “System Image,” where you need to download “S” API 31. Once downloaded, choose it and click the Next button.

5. Verify your settings once, and then click the finish button. You’ll have your Android device ready.

6. Now is the time to begin configuring the security tools required to evade SSL pinning, root detection checks, and system-wide installation of the Burp Suite certificate.

7. First, we install the rootAVD zip file from its GitHub repository, Once you download the zip file, unzip the zip file and open the terminal inside the rootAVD folder.

8. Run the rootAVD.sh file on the terminal.

./rootAVD.sh 

9. Run the ramdisk.img command as shown after running the rootAVD script.

./rootAVD.sh system-images/android-31/google_apis_playstore/arm64-v8a/ramdisk.img

10. Turn off your mobile device and select “Cold Boot Now.”

11. Once the cold boot is complete and the device has booted, open Magisk to confirm it is correctly installed. If not, select the manual installation option and follow the instructions.

12. Once Magisk has been correctly installed, it will look like this:

13. If the problem remains after following the steps above, please erase everything in this folder: /Library/Android/sdk/system-images/ and then repeat the procedures above. It should address the problem; if not, you may need to look into the issues you’re having and remedy them utilizing the web resources and references listed below in this blog.

14. So by now, we have successfully installed Magisk on our Android device. We will now download the LSPosed zip from its GitHub repository.

15. Once downloaded, drag and drop the LSPosed zip file onto the device. Now select Magisk > Modules > Install from Storage and double-click the LSPosed zip file. Once installed, restart the device.

16. After installing the LSPosed module, the Magisk module will have LSPosed enabled. Once that is done, return to the LSPosed zip file and unzip it. When you open the LSPosed folder, you will find a file named “manager.apk”. Drag and drag that app into your Android device.

17. Now restart the device to ensure a seamless installation of everything we’ve done so far.

18. Now we will download the AlwaysTrustUserCerts module, which is a Magisk module that automatically adds user certificates to the system root CA store. It was not required previously, but it appears that newer Android devices do not install user certificates into the system root CA. So, this module will perform the work for us.

19. Once downloaded, drag and drop the zip file to your Android device. Open your Android device and navigate to Magisk > Modules > Install from Storage. Install AlwaysTrustUserCerts by selecting the zip file. Now, restart the device again.

20. We are going to set up a burp proxy using your internal IP address and assign a certain port to listen to all requests that come to that port.

For example, 192.168.12.113:1337 is where you're listening from burpsuite

21. To export your burp certificate, select the DER format and save it as a cert.cer file, as Android recognizes it as a certificate installation file.

22. Drag and drop the cert.cer file exported from Burpsuite onto the Android smartphone.

23. Now open your phone’s settings.
Navigate to Security > Encryption and Credentials > Install a certificate (SD Card) > CA Certificate. Click Install anyhow. Now, in downloads, navigate to cert.cer or wherever it was saved in the Android file system. The certificate will be installed on your PC.

24. We will now configure our WiFi settings and include your Burp Suite proxy IP and port. To do this, navigate to Settings> Network & Internet > Internet. You will see a Wi-Fi labeled “AndroidWifi” > Click the Edit Settings button. Select Proxy > Manual > Enter your burp suite proxy IP and port, then save.

25. Now, open the Chrome browser to see if the internet works on your Android device.

26. Now we are ready to intercept and execute penetration testing on programmes that do not require us to overcome the SSL.

27. But examine whether your application requires you to avoid SSL. There are numerous methods for accomplishing this, which are determined by the SSL mechanism of each application. Here we’ll look at one of its methods for bypassing SSL checks and intercepting all in-app queries directly into your burpsuite so we can experiment with the APIs.

28. First, we will download the SSLUnpinning — Xposed Module APK file to bypass SSL certificate validation. Once installed, drag and drop the SSLUnpinning APK file onto the Android device.

29. Now, open the SSLUnpinning app and choose the APK for which you wish to unpin the SSL. Also, to unpin the SSL, go to the SSLupin app’s settings and choose the target APK again.

30. Consider restarting your device and enjoying squashing those bugs!

To all my fellow hackers,

Stay safe and keep up the great work!

./Happy hunting!

You can DM me on LinkedIn, or Twitter for more such insights!

• https://karthikeyanh4ck0r.medium.com/rooting-emulator-and-installing-magisk-c3cbd34ec436
• https://guptashubham.com/blog/lab-setup-for-android-pentesting-on-android-emulator-m1-macbook
• https://payatu.com/blog/android-pentesting-lab/
• https://kishorbalan.medium.com/its-all-about-android-ssl-pinning-bypass-and-intercepting-proxy-unaware-applications-91689c0763d8
• https://www.xda-developers.com/install-adb-windows-macos-linux/