A rooted physical device is the most powerful environment for Android pentesting. Root access gives full control over the OS, allows system-level modifications, bypasses restrictions found in emulators, and lets you test real hardware features. Magisk is the industry-standard rooting solution because it provides systemless root, modules, Zygisk hooks, and easy toggling of root detection bypasses. This chapter explains full practical rooting, Magisk installation, verifying root, system modifications, file extraction, Frida setup, and pentesting workflows on real devices.
Preparing the Device for Rooting
A physical device must support:
- Bootloader unlocking
- Custom recovery installation
- Fastboot mode
- OEM unlock toggle
Enable developer options:
- Settings → About Phone
- Tap Build Number seven times
- Go back → Developer Options
- Enable OEM Unlocking
- Enable USB Debugging
Test ADB connection:
adb devices
Reboot to bootloader:
adb reboot bootloader
Unlock bootloader:
fastboot oem unlock
(or)
fastboot flashing unlock
Unlocking wipes data. After reboot, re-enable USB debugging.
Installing Magisk (Root Method)
Extract the device boot image
Download the device firmware from the OEM's website and extract boot.img from it.
Push the boot image to device storage:
adb push boot.img /sdcard/
Patch boot image with Magisk
Install Magisk app (APK) on device:
adb install Magisk.apk
Open Magisk → Select "Install" → Choose "Select and Patch a File" → Select boot.img.
Magisk writes the patched file to /sdcard/Download/magisk_patched.img.
Pull patched image to PC:
adb pull /sdcard/Download/magisk_patched.img
Flash patched boot image
Reboot to bootloader:
adb reboot bootloader
Flash patched image:
fastboot flash boot magisk_patched.img
fastboot reboot
Device boots with Magisk root installed.
Verifying Root Access
Check root access:
adb shell
su
If the prompt changes to #, the device is rooted.
Verify with the Magisk app:
- Magisk should show "Installed"
- Zygisk should be ON
Root is required for bypassing protections and modifying system files.
Installing Magisk Modules for Pentesting
Important modules:
- Zygisk – LSPosed → Runtime hooking
- SafetyNet Fix → Helps bypass basic root detection
- MagiskHide Props → Change device properties
- ADB & Fastboot modules → Useful for system debugging
- Modules for SSL pinning bypass (via Zygisk)
Install a module:
- Magisk → Modules
- Install from storage
- Reboot device
Modules extend pentesting capabilities drastically.
Installing Burp CA Certificate (System-Level)
Export the Burp CA certificate in DER format (cacert.der).
Push to device:
adb push cacert.der /sdcard/
Mount system partition:
adb shell
su
mount -o remount,rw /system
Move certificate:
mv /sdcard/cacert.der /system/etc/security/cacerts/9a5ba575.0
chmod 644 /system/etc/security/cacerts/9a5ba575.0
Reboot:
adb reboot
Now HTTPS traffic is MITM-ready on a real device.
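Android only loads a file from /system/etc/security/cacerts/ if its content is PEM and its name is the OpenSSL subject hash of the CA (9a5ba575.0 above is Burp's). The script below is an added example, not from the page: it computes that name for any CA export with the standard library alone and writes the PEM, assuming the input is a single DER certificate such as Burp's cacert.der.

```python
import base64
import hashlib

def _tlv(buf, off):
    """Decode one DER tag and length at `off`; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length, which every real certificate uses
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def _children(buf, start, end):
    """Yield (tag, tlv_start, value_end) for each element inside a constructed TLV."""
    while start < end:
        tag, vstart, vend = _tlv(buf, start)
        yield tag, start, vend
        start = vend

def subject_der(cert_der):
    """Raw DER bytes of the subject Name, i.e. exactly what OpenSSL hashes for the file name."""
    _, tbs_start, _ = _tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, body_start, body_end = _tlv(cert_der, tbs_start)  # tbsCertificate SEQUENCE
    fields = list(_children(cert_der, body_start, body_end))
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, start, end = fields[4]  # serial, signature, issuer, validity, subject, ...
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE; is this really a DER certificate?")
    return cert_der[start:end]

def ca_store_filename(cert_der):
    """OpenSSL -subject_hash_old: first four MD5 bytes of the subject, little-endian, plus '.0'."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

def to_pem(cert_der):
    """The system store wants PEM content even though the file name ends in '.0'."""
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys  # usage: python ca_store_name.py cacert.der  (writes <hash>.0 in the cwd)
    der = open(sys.argv[1], "rb").read()
    name = ca_store_filename(der)
    open(name, "w").write(to_pem(der))
    print(name)
```

Push the resulting file with adb, then move it into /system/etc/security/cacerts/ and chmod 644 as above; on builds where `mount -o remount,rw /system` is refused (system-as-root devices), the Magisk module route described later avoids touching the partition directly.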
Installing and Running Frida Server on Rooted Device
Download the frida-server build that matches the device architecture and your desktop Frida version, then push it to the device:
adb push frida-server-android /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-android"
Start server:
adb shell
su
/data/local/tmp/frida-server-android &
Test connection:
frida-ps -U
Frida enables:
- SSL pinning bypass
- Root detection bypass
- Hooking sensitive APIs
- Extracting runtime secrets
Inspecting /data/data on Rooted Device
Most critical app data is stored in private directories.
List packages:
adb shell pm list packages
Inspect directory:
adb shell
su
ls /data/data/<package>/
Pull SharedPreferences:
adb pull /data/data/<pkg>/shared_prefs/ .
Pull databases:
adb pull /data/data/<pkg>/databases/ .
Look for:
- Tokens
- API keys
- JWTs
- PII
- Logs
- Cryptographic keys
This is one of the biggest advantages of a rooted device.
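As an added example (not from the page), this Python script scans a pulled copy of an app's shared_prefs XML files and SQLite databases for the token, key and JWT patterns listed above; the regexes and the sample directory it builds are constructed for illustration.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

PATTERNS = {  # constructed patterns: a JWT is three base64url parts starting with "eyJ"
    "jwt": re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "keyed_secret": re.compile(r"(?i)(api[_-]?key|secret|token)\W{0,3}([\w-]{20,})"),
}
def _hits(source, text):
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            yield (source, kind, m.group(0)[:40])  # truncate: a report must not log whole secrets
def scan_shared_prefs(path):
    """Yield hits for each <string>/<long>/... entry of a shared_prefs XML file."""
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        yield from _hits(f"{os.path.basename(path)}:{name}", f"{name}={el.get('value', el.text or '')}")
def scan_sqlite(path):
    """Yield hits for every text cell of every table in a pulled SQLite database."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: do not alter evidence
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        cur = con.execute(f'SELECT * FROM "{table}"')
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, cell in zip(cols, row):
                if isinstance(cell, str):
                    yield from _hits(f"{os.path.basename(path)}:{table}.{col}", f"{col}={cell}")
    con.close()
def scan_pulled_dir(root):
    """Walk a local copy of /data/data/<pkg>/ and return sorted (source, kind, match) hits."""
    found = set()
    for dirpath, _, files in os.walk(root):
        for f in files:
            if dirpath.endswith("shared_prefs") and f.endswith(".xml"):
                found.update(scan_shared_prefs(os.path.join(dirpath, f)))
            elif dirpath.endswith("databases") and not f.endswith(("-journal", "-wal", "-shm")):
                found.update(scan_sqlite(os.path.join(dirpath, f)))
    return sorted(found)
def build_sample_dir():
    """Constructed stand-in for a pulled app directory; every value here is fake."""
    root = tempfile.mkdtemp()
    os.makedirs(f"{root}/shared_prefs"); os.makedirs(f"{root}/databases")
    with open(f"{root}/shared_prefs/app.xml", "w") as fh:
        fh.write('<map><string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln</string>'
                 '<string name="theme">dark</string></map>')
    con = sqlite3.connect(f"{root}/databases/app.db")
    con.executescript("CREATE TABLE creds(id INTEGER, api_key TEXT); INSERT INTO creds VALUES (1, 'sk_live_0123456789abcdefghijklmnop');")
    con.close()
    return root
```

adbd runs as the shell user, so if adb pull of /data/data/<pkg> is refused, copy the directories to /sdcard with su first and pull them from there.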
Editing /etc/hosts (Real Device API Redirection)
Redirect domains using the hosts file:
adb shell
su
mount -o remount,rw /system
echo "192.168.1.10 api.target.com" >> /system/etc/hosts
Used for:
- Redirecting endpoints
- Testing fake APIs
- Controlling server responses
Installing Custom Certificates via Magisk Module (Alternative)
Use “Move Certificate” Magisk module to install CA without manually editing system files.
Steps:
- Install the module
- Place the CA file into /sdcard/Download/
- The module moves it to the system CA store
- Reboot
This method avoids manually touching the system partition.
Manipulating System Properties for Pentesting
Use MagiskHide Props to spoof:
- Device model
- Android version
- Security patch level
- SafetyNet values
- CTS profile
This allows evading app integrity checks.
Example:
adb shell
su
resetprop ro.build.version.release 10
Using LSPosed / Zygisk for Runtime Hooking
With LSPosed installed, load modules like:
- Hide My Applist
- Just Trust Me (SSL pinning bypass)
- RootCloak
These bypass many common protections used in financial apps and hardened apps.
Using ADB to Control Permissions on Rooted Devices
Revoke permissions:
adb shell pm revoke com.app android.permission.CAMERA
Grant permissions:
adb shell pm grant com.app android.permission.READ_CONTACTS
This helps test behavior under permission changes.
Full Dynamic Pentesting Workflow on a Rooted Device
- Unlock bootloader
- Install Magisk
- Enable Zygisk + modules
- Set up Burp proxy + install system CA
- Install Frida server
- Install target APK
- Pull data from /data/data
- Intercept traffic via Burp
- Hook SSL pinning and root checks
- Modify /etc/hosts for API redirection
- Manipulate permissions
- Analyze logs with adb logcat
- Inject Frida scripts for runtime analysis
- Test sensors, GPS, keystore behavior
- Map vulnerabilities and construct exploit chains
This offers the strongest testing environment short of kernel-level attack development.
Intel Dump
- Magisk provides systemless root with Zygisk and modules
- Rooted devices allow extracting app data and modifying system files
- Burp CA installation enables full HTTPS interception
- Frida server enables SSL pinning and root detection bypass
- Magisk modules enhance analysis and spoof device characteristics
- /data/data access reveals tokens, keys, databases, and sensitive storage
- Editing the hosts file allows controlled API manipulation
- Physical rooted devices expose real hardware surfaces not available on emulators