Home > Android Pentesting

Android Studio Emulator

Android Studio Emulator

The Android Studio Emulator is one of the most important tools for Android pentesting. It allows fast testing, easy resets, controlled networking, and frictionless static/dynamic analysis. This chapter focuses on practical setup, rooting, certificate installation, network interception, and pentesting-specific configuration.

Installing Android Studio

Download and install Android Studio based on your OS. Once installed:

  1. Launch Android Studio

  2. Open Device Manager

  3. Click Create Device

  4. Choose a Pixel device (Pixel 4 / Pixel 5 recommended)

  5. Select a system image with Google APIs

  6. Finish setup

Google APIs images provide:

  • Full debugging support

  • ADB root in many builds

  • Ability to bypass some restrictions easily

Enabling Root Access on the Emulator

Start the emulator:

emulator -avd <emulator_name>

Enable root:

adb root
adb remount

If successful, you can now access system directories.

Verify:

adb shell
su

If adb root fails, create a different system image:

  • Use Android 11 or earlier

  • Use x86_64 images with Google APIs

Root access is required for:

  • SSL certificate install

  • File system inspection

  • Data extraction from /data/data

  • Testing insecure storage

Installing an APK on Emulator

Install using ADB:

adb install app.apk

Install an updated version:

adb install -r app.apk

Install over existing signature mismatch:

adb install -r -d app.apk

This helps when modifying and repackaging apps for testing.

Setting Up Burp Suite Proxy

Change emulator connection to manual proxy:

  1. Open Settings

  2. Go to Network & Internet

  3. Select your active network

  4. Choose Advanced

  5. Set proxy to Manual

  6. Host: your PC IP

  7. Port: 8080

Test:

adb shell ping <your_pc_ip>

You should receive responses.

Installing Burp’s Certificate on the Emulator

Export Burp certificate as DER:

  1. Open Burp → Proxy → Options

  2. Export certificate → cacert.der

Push certificate to emulator:

adb push cacert.der /sdcard/

Install certificate:

adb shell "mv /sdcard/cacert.der /system/etc/security/cacerts/"
adb shell "chmod 644 /system/etc/security/cacerts/cacert.der"

Reboot:

adb reboot

Now HTTPS traffic becomes interceptable.

Bypassing SSL Pinning on Emulator

Most modern apps use SSL pinning. Use Frida for bypass.

Push Frida server:

adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"

Start it:

adb shell "/data/local/tmp/frida-server &"

Check connection:

frida-ps -U

Load SSL pinning bypass:

frida -U -f com.app -l ssl_bypass.js --no-pause

This restores interception functionality even for hardened apps.

Enabling Device File System Access

On rooted emulators you can access app private directories.

List installed packages:

adb shell pm list packages

Find app data location:

adb shell ls /data/data/<package_name>/

Pull files for offline analysis:

adb pull /data/data/<package_name>/shared_prefs/ .

Inspect:

  • SharedPreferences

  • Databases

  • Cache files

  • Logs

This helps identify insecure data storage issues instantly.

Setting Custom DNS and Host Redirection

Edit /etc/hosts for API redirection:

adb shell
su
echo "10.0.2.2 api.app.com" >> /etc/hosts

10.0.2.2 = host machine when using emulator.

Useful for:

  • Redirecting traffic

  • Testing staging servers

  • Injecting controlled responses

Enabling Network Debugging Mode

Run:

adb tcpip 5555
adb connect <emulator_ip>:5555

This allows wireless ADB for multi-device testing.

Using Snapshots for Fast Testing

Snapshots allow instant restore to clean state.

  1. Open Device Manager

  2. Enable Cold Boot

  3. Create snapshot after setup

  4. Whenever testing breaks the emulator → restore snapshot

This saves hours during pentesting.

Practical Pentester Emulator Workflow

  1. Create emulator with Google APIs

  2. Enable root with adb root

  3. Set Burp proxy and install CA cert

  4. Push and start Frida server

  5. Install target APK

  6. Decompile and analyze APK

  7. Inspect app data via /data/data

  8. Intercept network traffic

  9. Bypass SSL pinning

  10. Refresh emulator using snapshots

This provides the complete mobile app testing environment.

Intel Dump

  • Create emulator with Google APIs for pentesting

  • Enable adb root and remount system

  • Install APKs using adb commands

  • Route Android emulator traffic through Burp Suite

  • Install Burp certificate in system CA store

  • Start Frida server for runtime instrumentation

  • Inspect app private directories using adb

  • Modify hosts file for traffic redirection

  • Use snapshots for quick clean states

HOME LEARN COMMUNITY DASHBOARD