Lab Setup for Android Pentesting

A fully prepared Android pentesting lab requires the right hardware, software, network configuration, debugging tools, interception tools, decompilers, and runtime instrumentation frameworks. The goal is to create a controlled, stable environment where APKs can be analyzed, modified, intercepted, and exploited safely.

Hardware Requirements

Using a physical device improves testing accuracy because many protections fail on emulators. A dedicated test phone prevents accidental exposure of personal data.

Recommended device setup:

  • Android 9 or later

  • Unlocked bootloader if rooting is needed

  • Sufficient storage for APKs, logs, and tools

  • USB cable for ADB connection

  • Separate Wi-Fi access point for interception

Physical devices give access to features such as sensors, biometrics, hardware-backed keystores, and system logs.

Emulator Setup

Emulators are useful for rapid testing. A common setup uses Android Studio’s emulator.

Steps:

  1. Install Android Studio

  2. Open Virtual Device Manager

  3. Create a new device using Google APIs image

  4. Enable root mode if available

  5. Install the APK using ADB

Emulators allow snapshots, fast resets, and flexible network routing.

Configuring ADB

ADB provides access to device debugging, file system navigation, log monitoring, and shell commands.

Enable ADB on device:

  1. Open Settings

  2. Tap About Phone

  3. Tap Build Number seven times

  4. Go to Developer Options

  5. Enable USB Debugging

Connect device:

adb devices

Grant authorization on the phone when prompted.

Useful commands:

adb install app.apk
adb shell
adb logcat
adb pull /data/data/<package>/

ADB is essential for static data extraction and runtime analysis.

Rooting the Test Device

Rooting expands access during pentesting. It allows modifying protected files, inspecting app data, bypassing protections, and running low-level tools.

Common methods:

  • Magisk for systemless root

  • Custom recovery flashing

  • Manufacturer-specific unlock processes

Root access should be limited to the lab device only.

Setting Up Network Interception

All traffic must pass through an interception proxy. This setup makes it possible to view and manipulate API calls.

Steps:

  1. Install Burp Suite

  2. Create a custom Wi-Fi network

  3. Set proxy IP and port on Android

  4. Install Burp CA certificate on device

  5. Move certificate to system trust store if the app restricts user-added CAs

Commands for certificate installation on a rooted device. Android reads the system store only as PEM files named by the certificate's old-style subject hash, and on Android 10 and later /system usually cannot be remounted read-write, so a Magisk module that overlays the cacerts directory is needed there instead:

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -in cacert.pem -noout -subject_hash_old   # prints <hash>
adb push cacert.pem /sdcard/<hash>.0
adb shell
su
mount -o rw,remount /system
cp /sdcard/<hash>.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<hash>.0
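The same procedure as a small script, added here as an example and not taken from the original guide: it derives the file name the system store expects, converts Burp's DER export, and pushes it over ADB. It assumes openssl and adb are on the PATH and that /system can be remounted (on Android 10 and later that normally fails, and a Magisk module is the usual route).

```shell
#!/bin/sh
# Added example (not from the original guide): install a proxy CA into the system
# trust store of a rooted device. Android only loads PEM files named
# <subject_hash_old>.0, so the DER file Burp exports must be converted and renamed.
# Assumptions: openssl and adb on PATH; device rooted; /system remountable
# (Android 10+ usually refuses this; use a Magisk module overlaying cacerts instead).

# ca_store_name PEM: print the file name the system store expects (8 hex digits + ".0")
ca_store_name() {
    hash=$(openssl x509 -in "$1" -noout -subject_hash_old) || return 1
    printf '%s.0\n' "$hash"
}

# der_to_pem DER: convert a DER certificate to PEM next to it and print the new path
der_to_pem() {
    pem="${1%.der}.pem"
    openssl x509 -inform DER -in "$1" -out "$pem" || return 1
    printf '%s\n' "$pem"
}

# install_system_ca DER: push the certificate under its hash name and copy it into place
install_system_ca() {
    pem=$(der_to_pem "$1") || return 1
    name=$(ca_store_name "$pem") || return 1
    adb push "$pem" "/sdcard/$name" || return 1
    adb shell su -c "mount -o rw,remount /system && \
        cp /sdcard/$name /system/etc/security/cacerts/$name && \
        chmod 644 /system/etc/security/cacerts/$name"
}

# Run as: sh install_ca.sh cacert.der
if [ "$#" -gt 0 ]; then
    install_system_ca "$1"
fi
```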

Many apps use SSL pinning, so interception requires bypassing defenses through Frida or patching.

Installing Core Tools on PC

A complete workstation includes essential tools for reverse engineering, static analysis, and instrumentation.

Install the following:

  • apktool for decoding resources

  • JADX for decompiling source

  • MobSF for automated scans

  • Frida for runtime instrumentation

  • Objection for quick hooks

  • mitmproxy as an alternative proxy

  • drozer for component testing

  • dex2jar for bytecode conversion

  • Ghidra for native binary analysis

These tools cover all phases of analysis and exploitation.

APK Extraction Methods

APK files can be pulled directly from a rooted device.

Commands:

adb shell pm list packages
adb shell pm path <package>
adb pull <apk_path>

If root access is not available, use third-party APK extractor tools installed on the device.

Setting Up Frida

Frida enables runtime hooking and bypassing various protections.

Install Frida:

pip install frida-tools

Push the Frida server to the device (use the build that matches the device's CPU architecture and the installed frida-tools version) and start it:

adb push frida-server /data/local/tmp/
adb shell
su   # root is needed to instrument other apps
chmod 755 /data/local/tmp/frida-server
/data/local/tmp/frida-server &

Test connection:

frida-ps -U

Frida is necessary for bypassing SSL pinning, root detection, certificate checks, and runtime logic.

Setting Up Objection

Objection simplifies common Frida tasks.

Install:

pip install objection

Run against target app:

objection -g <package> explore

Objection adds commands for disabling pinning, listing storage, hooking functions, and inspecting memory.

Emulator Certificate Installation

Emulators require CA certificate installation for HTTPS interception.

Steps:

  1. Download Burp certificate

  2. Rename certificate to .cer

  3. Drag into emulator

  4. Install under user certificate storage

For apps whose network security configuration trusts user-added CAs, emulator interception then works without extra patching; apps that trust only the system store still need the certificate in the system trust store or a pinning bypass.

File System Access

On rooted devices, full file system access is available.

Commands:

adb shell
su
cd /data/data/<package>/
ls -la

Files of interest:

  • SharedPreferences

  • Databases

  • Cache

  • Logs

  • External storage folders

  • Temp files

This access is critical for analyzing insecure storage.

Setting Up a Staging Environment

A safe testing environment prevents interference with production.

Staging includes:

  • Mirrored backend endpoints

  • Test API keys

  • Sample user accounts

  • Non-production data

This avoids triggering alerts, notifications, or irreversible actions.

Setting Up Reverse Engineering Environment

Decompilation tools need proper configuration.

Recommended setup:

  • JADX GUI for browsing code

  • Bytecode viewer for smali

  • apktool for resource rebuilding

  • Ghidra for native library analysis

Commands for decoding resources:

apktool d app.apk -o output/

Commands for rebuilding:

apktool b output/ -o new.apk

This environment is essential for modifying APKs and analyzing native code.

Certificate Pinning Bypass Preparation

Many apps implement pinning. Prepare Frida scripts for bypassing.

Common invocation (Frida 16 and later resume the spawned app automatically; older versions need the extra --no-pause flag):

frida -U -f <package> -l bypass.js

This enables network interception for apps with strict SSL rules.

Logging and Monitoring Setup

Monitoring device behavior helps identify leaks and vulnerabilities.

Useful logs:

adb logcat
adb logcat | grep <package>

Logcat reveals backend URLs, sensitive data leaks, debugging messages, and exceptions during testing.
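A small scanner for the leak classes listed above, added here as an example and not part of the original guide: it flags backend URLs, credentials and tokens in logcat output and masks the secret values so the log can be kept as evidence. It assumes logcat's default threadtime format; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): scan logcat output for the leak
# classes the guide lists (backend URLs, credentials, tokens) and redact them.
# Assumption: lines are in logcat's default threadtime format; the sample is constructed.

# Patterns that indicate sensitive material in an app log
LEAK_RE='https?://[^ ]+|[Aa]uthorization:|[Bb]earer [A-Za-z0-9._-]+|[Pp]assword[=:]|[Tt]oken[=:]|[Aa]pi[_-]?[Kk]ey'

# scan_logcat: read log lines on stdin, print the ones that match LEAK_RE
scan_logcat() {
    grep -E "$LEAK_RE"
}

# count_leaks: number of flagged lines on stdin
count_leaks() {
    scan_logcat | wc -l | tr -d ' '
}

# redact_leaks: mask bearer tokens and password values so the log can be stored safely
redact_leaks() {
    sed -E 's/([Bb]earer )[A-Za-z0-9._-]+/\1<redacted>/g; s/([Pp]assword[=:])[^ ]+/\1<redacted>/g'
}

# sample_log: constructed logcat lines standing in for "adb logcat -v threadtime"
sample_log() {
    cat <<'EOF'
03-14 10:22:01.123  1234  1234 D NetClient: GET https://api.example.test/v1/profile
03-14 10:22:01.130  1234  1234 D NetClient: Authorization: Bearer eyJhbGciOi.demo.token
03-14 10:22:02.005  1234  1250 I LoginFlow: password=Summer2024! user=alice
03-14 10:22:02.210  1234  1234 D NetClient: 200 OK
03-14 10:22:03.000  4321  4321 W ActivityManager: Force finishing activity
EOF
}

# Live use against the device, limited to one app's process:
#   adb logcat -v threadtime --pid="$(adb shell pidof -s <package>)" | scan_logcat
sample_log | scan_logcat
printf 'flagged lines: %s\n' "$(sample_log | count_leaks)"
```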

Optional Tools

Additional useful apps:

  • HTTPToolkit for mobile debugging

  • Inspeckage for device-side analysis

  • XPosed framework modules for hooking

  • SQLite browser for database viewing

  • File explorers with root access

These tools simplify common tasks and extend analysis capabilities.

Intel Dump

  • Set up a dedicated test device with debugging enabled

  • Configure ADB for communication and APK installation

  • Root device if deeper inspection is needed

  • Use Burp Suite for proxy interception and certificate installation

  • Install tools such as apktool, JADX, Frida, objection, and MobSF

  • Extract APKs using ADB or extraction tools

  • Set up Frida server and objection for runtime instrumentation

  • Use a controlled Wi-Fi network for traffic redirection

  • Configure emulator for quick testing

  • Analyze file system using root access

  • Prepare staging environment for safe backend testing

  • Use reverse engineering tools for decompilation and smali analysis

  • Prepare scripts for SSL pinning bypass

  • Monitor device logs using logcat
