How to setup Android Pentesting Lab [100% Free]


Ethical hacking

Reviewer: Deepak Prasad

Hello learners, in our previous guide, we learnt how we can set up a penetration testing lab on our computer using open source and free tools. In this guide, I will be showing you how to set up an android pentesting lab using freely available tools.

Creating an android pentesting lab is a significant starting step to learning about mobile security. This guide's goal is to give users the key components they need to set up an android pentesting lab and begin studying how to analyze mobile applications for known vulnerabilities before they cause harm to the users.

 

Requirements

  1. An active internet connection.
  2. Android Studio.
  3. Android Platform -Tools.
  4. Damn Vulnerable Banking Application.
  5. Frida-server.
  6. Python3.
  7. Frida client.
  8. Frida-tools.
  9. Objection.
  10. ADB Drivers(for Windows users).

 

Installing android studio

To install android studio on the system we first need to download the zip containing the installation files from the android studio website and extract them to our desired folder. After extraction is complete, we can navigate into the “android-studio/bin” folder where we give studio.sh file the required permission for it to run using the command.

chmod +x studio.sh

We can then run android studio using the command.

./studio.sh

When running the android studio for the first time, a fast internet connection is required since the android studio has to install the required files and tools.

 

Setting up an emulator

After we are through with the android studio installation, the next step is to install the emulator from which we will be running our applications in the android penetration lab. We create a new project and choose the “no activity” template to start with as shown in the image below.

android pentesting

 

The next step is to provide the name and other minor details for the project we created as shown in the image below.

android pentesting

 

In the next step, we need to install an android operating system in the emulator. It is from the android operating system running on the emulator where we will have the android pentesting lab. To install an android operating system we launch the AVD Manager on the tab shown in the image below.

android pentesting

 

When running the android studio for the first time, there will be no devices on the Device Manager tab. To create a new device we click “Create device”. In the next screen, we have to choose the kind of device to use for the android pentesting lab as shown in the image below.

android pentesting

 

In the next step, we have to select the version of the android system to use in the android pentesting lab. In our case, we will be using android version 12 as shown in the image below.

android pentesting

 

We click next and provide the name we want to call the virtual device we will be using for the android pentesting lab, click on “Finish” and wait for the virtual device files to download. Having a fast and stable internet is recommended for this step since the android OS is large. We can sit back and wait for the installation to complete. Once the downloading completes, we can use the “play” button to start the virtual device for the android pentesting lab as shown in the image below.

android pentesting

 

Installing an app in the android pentesting lab

The virtual device is now ready to start pentesting. Our next step will be to install the app we want to perform penetration testing on. We will use the ADB to install the target application on our android penetration testing lab. First, we check if our virtual device is online by running the below command.

androdi pentesting

 

There are two ways we can use to install apps on our android pentesting lab. First, we can download the target application from the play store or install the application using a local file. To install, we run the below command.

android pentesting

 

After the installation is complete we can be able to view and access the installed app on our android pentesting lab as shown in the image below.

android pentesting

 

Installing android pentesting tools in our labs

Once we have our android pentesting lab running and the target app in the lab, we need also to install penetration testing tools for android.

 

Frida tools installation

Frida is a framework for dynamic testing used by reverse engineers and security researchers. Using Frida in your android pentesting lab, you can analyze private application code, spy on cryptographic APIs, and hook any function by injecting your custom scripts into application processes.

Moreover, it allows you to modify the injection script and examine the effects immediately. You are able to circumvent root detection, certificate pinning, memory dumps, etc. with the help of Frida.

To install Frida, we download the Frida server tools from Frida’s release repository but you should ensure you download the one with a similar architecture as your android pentesting lab virtual device. To check the architecture you can use the command.

adb shell getprop ro.product.cpu.abi

Once downloaded, we extract the zipped file and push the files to the virtual device using the command.

adb push/Desktop/frida-core-devkit-16.0.7-android-arm64 /data/local/tmp/frida-server

We then modify the permissions of the Frida-server to allow it to run using the command.

adb shell “chmod 755 /data/local/tmp/frida-server”

And we finally allow root access, navigate to the folder and finally run the server.

The next step is to install the Frida client which matches the server version that is running on our android pentesting lab. To install this we run the command.

pip3 install frida==” corresponding server version”

and

pip3 install frida-tools

which is a set of command line tools that we can use to interact with the AVD for functions such as showing and killing the running processes.

We can use the ADB shell to provide root access to tmp directory and run the server using the below commands.

$ adb shell

[emulator]$ su

[emulator]$ cd /data/local/tmp

[emulator]$ ./frida-server &

 

Hooking the DamnVulnerableBank

We can now hook the application we installed earlier on the android pentesting lab to Frida using the command.

frida -U  DamnVulnerableBank

android pentesting

Once hooked, we can now start the pentesting. Objection is a tool with pre-built scripts which are useful when performing penetration testing.

 

Objection installation

installing objection is as easy as installing a python package. To run the installation we just need to run.

pip install objection

After installation is complete we can be able to start analyzing our target application running on our android pentesting lab directly from the command line. Using objection you can be able to view useful information related to the target application such as the environment of the app.

 

 Summary

In the above guide, we have used freely available tools to set up an android pentesting lab that can be used to test the security of android applications. Within this lab, you can be able to perform penetration tests on your Android application without the fear of going against the law. The android pentest lab is also recommended when analyzing malicious applications since it minimizes the risk while running these applications.

 

Kennedy Muthii

Kennedy Muthii

He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment