
Android Pentesting Setup

Mar 28, 2024
4 min read
lawbyte

A proper Android pentesting environment takes about an hour to set up correctly. This guide walks through everything: emulator vs physical device, ADB, Burp Suite proxy configuration, cert installation, and the core toolchain you’ll use on every engagement.

Device Options

Rooted Physical Device

Pros: Real hardware, real cellular stack, actual sensor data, performance.

Cons: Requires a device with an unlockable bootloader (Pixel is the standard choice), risk of bricking, voided warranty.

Best device: Google Pixel (any generation) — easiest bootloader unlock, good Magisk support.

Option 1: Android Studio AVD (no root)

Good for non-root testing. Supports API interception but no Magisk.

Option 2: Genymotion

Fast x86 emulation, easy to reset to snapshots, root available.

Option 3: AVD with AOSP image (best for root)

# Create AVD with Google APIs image (NOT Google Play — that one can't be rooted)
# In AVD Manager: select "x86_64" image, API 29-33, without "(Google Play)" tag

# Start with writable system partition
emulator -avd Pixel_4_API_30 -writable-system

ADB Setup

# Install platform-tools (macOS)
brew install android-platform-tools

# Linux
sudo apt install adb

# Verify device connected
adb devices

# Shell access
adb shell

# Root shell on rooted device
adb root
adb shell

# File transfer
adb push local_file.apk /data/local/tmp/
adb pull /data/data/com.target.app/databases/app.db .

# Install APK
adb install target.apk
adb install-multiple split_apk/*.apk

# Logcat (filter by app)
adb logcat | grep com.target.app
adb logcat -s "MyApp:D *:S"

# Let the device reach Burp on the host as localhost:8080
# (reverse maps a device port to a host port; "adb forward" goes the other way, host → device)
adb reverse tcp:8080 tcp:8080

Burp Suite Proxy Setup

Step 1 — Configure Burp listener

In Burp → Proxy → Options → Add a listener on 0.0.0.0:8080.

Step 2 — Configure device proxy

On the Android device/emulator:

Settings → WiFi → Long-press connected network → Modify Network
Advanced → Proxy: Manual
Host: <your machine's LAN IP> (or 10.0.2.2 for AVD)
Port: 8080

For emulator via ADB:

adb shell settings put global http_proxy <your_ip>:8080
# Remove proxy:
adb shell settings delete global http_proxy

Step 3 — Install Burp CA Certificate

Android ≤ 6 (API ≤ 23): User certs are trusted by apps by default.

Android 7+ (API 24+): Apps must explicitly opt in to user certificates.

System cert installation (requires root):

# Export Burp cert from Proxy → Options → CA Certificate → DER format
# Convert to PEM
openssl x509 -inform der -in burp.der -out burp.pem

# Get the cert hash
HASH=$(openssl x509 -inform PEM -subject_hash_old -in burp.pem | head -1)
cp burp.pem $HASH.0

# Push to system trust store
adb root
adb remount
adb push $HASH.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/$HASH.0
adb reboot
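The system-store install above, as one added script (not from the original post) that also verifies the result after reboot. It assumes burp.der exported from Burp, openssl and adb on PATH, and an emulator started with -writable-system (or a rooted device whose /system can be remounted).

```shell
set -eu

# Android names each trust-store file "<openssl subject_hash_old>.0".
cert_store_name() {
  printf '%s.0\n' "$(openssl x509 -inform PEM -noout -subject_hash_old -in "$1")"
}

# Accept either the DER export from Burp or an already-converted PEM.
to_pem() { # to_pem <in> <out>
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then cp "$1" "$2"
  else openssl x509 -inform der -in "$1" -out "$2"; fi
}

# SHA-256 fingerprint, used to confirm the device holds the same cert.
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

install_burp_ca() { # install_burp_ca [burp.der]
  pem=$(mktemp); to_pem "${1:-burp.der}" "$pem"
  name=$(cert_store_name "$pem")
  dest="/system/etc/security/cacerts/$name"
  adb root >/dev/null
  adb remount >/dev/null ||
    { echo "remount failed: start the AVD with -writable-system" >&2; return 1; }
  adb push "$pem" "$dest" >/dev/null
  adb shell chmod 644 "$dest"
  adb reboot && adb wait-for-device
  # adbd comes up before the system has finished booting; wait for it
  adb shell 'while [ "$(getprop sys.boot_completed)" != 1 ]; do sleep 1; done'
  # Verify: the file on the device must carry our fingerprint
  got=$(adb exec-out cat "$dest" | openssl x509 -noout -fingerprint -sha256)
  if [ "$got" = "$(fingerprint "$pem")" ]; then echo "installed $dest"
  else echo "cert missing or differs after reboot: $dest" >&2; return 1; fi
}

# Usage: sh install_burp_ca.sh burp.der   (runs only when a file is given)
if [ -n "${1:-}" ]; then install_burp_ca "$1"; fi
```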

Magisk module alternative: MagiskTrustUserCerts — automatically moves user certs to system store.


Core Tools

Frida

Dynamic instrumentation framework — hook Java methods, bypass SSL pinning, modify runtime behavior.

# Install Frida server on device
# Download matching version from github.com/frida/frida/releases
adb push frida-server-16.x.x-android-x86 /data/local/tmp/frida-server
adb shell chmod +x /data/local/tmp/frida-server
adb shell "/data/local/tmp/frida-server &"

# Install Python client
pip install frida-tools

# List running apps
frida-ps -Uai

# Attach to app
frida -U -n "com.target.app" -l script.js

# Spawn app (Frida 16 resumes the spawned process automatically; older versions needed --no-pause)
frida -U -f com.target.app -l script.js

Objection

Runtime mobile exploration — wraps Frida for easy use.

pip install objection

# Launch app with objection
objection -g com.target.app explore

# Inside objection REPL
android hooking list classes
android hooking list activities
android hooking watch class com.target.app.LoginActivity
android sslpinning disable
android root disable
memory dump all /tmp/dump.dex

jadx

Decompile APK to readable Java.

# GUI
jadx-gui target.apk

# CLI
jadx -d output/ target.apk
jadx -d output/ --no-res target.apk # faster, no resources

apktool

Decompile, modify, recompile APKs.

apktool d target.apk -o output/
# Modify smali or resources
apktool b output/ -o modified.apk

MobSF

Automated mobile security assessment.

# Docker
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

# Upload APK via web UI at http://localhost:8000

drozer

Android security assessment framework.

# Start drozer server on device
adb forward tcp:31415 tcp:31415
# Run the drozer agent APK, start server

# Connect
drozer console connect

# List attack surface
run app.package.attacksurface com.target.app
run app.activity.info -a com.target.app
run app.provider.info -a com.target.app

Network Traffic Analysis

HTTP traffic — Burp Suite (see above)

Non-HTTP traffic

# tcpdump on device (needs root and a tcpdump binary on the device)
adb shell tcpdump -i any -w /sdcard/capture.pcap
adb pull /sdcard/capture.pcap .
# Open in Wireshark

# or use tPacketCapture app for non-root

gRPC / Protobuf

# Burp extension: Protobuf Decoder
# Or use grpcui as a proxy

Emulator Detection Bypass

Some apps detect emulators and refuse to run. Quick bypass:

// Frida script to spoof build properties so the app sees a Pixel 2 instead of the emulator
Java.perform(function () {
    var Build = Java.use('android.os.Build');
    // Static fields of android.os.Build are read and written through .value in Frida's Java bridge
    Build.FINGERPRINT.value = 'google/walleye/walleye:8.1.0/OPM1.171019.011/4448085:user/release-keys';
    Build.MODEL.value = 'Pixel 2';
    Build.MANUFACTURER.value = 'Google';
    Build.BRAND.value = 'google';
    Build.DEVICE.value = 'walleye';
    Build.PRODUCT.value = 'walleye';
    // Only Java readers of these fields are affected; checks that read ro.* system
    // properties directly (getprop / native code) still see the emulator values.
});

Environment Checklist

  • Rooted device or AOSP emulator
  • ADB installed and adb devices shows device
  • Burp listener on 0.0.0.0:8080
  • Device proxy pointing to Burp
  • Burp CA cert in system trust store
  • Frida server running on device
  • jadx, apktool, MobSF installed
  • Objection installed and working
  • Can intercept HTTPS traffic in Burp
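A host-side script that runs through the checklist above, added here as an example (not from the original post). It assumes adb, curl and openssl on PATH, Burp listening on 127.0.0.1:8080, the exported Burp CA as burp.pem in the current directory, and one attached device or emulator; the two parser functions take their input as an argument so they can be exercised without a device.

```shell
set -eu

# 0 if `adb devices` output ($1) lists a device in state "device";
# "unauthorized" and "offline" entries do not count.
adb_has_device() {
  printf '%s\n' "$1" | awk 'NR>1 && $2=="device" {f=1} END {exit !f}'
}

# 0 if the global http_proxy value ($1) points at port 8080. "null" (never
# set) and ":0" (cleared in the UI) fail; a trailing CR from older adb is dropped.
proxy_points_at_burp() {
  case "$(printf '%s' "$1" | tr -d '\r')" in
    *:8080) return 0 ;;
    *)      return 1 ;;
  esac
}

report() { # report <label> <exit-status>
  if [ "$2" -eq 0 ]; then echo "[ok]   $1"; else echo "[FAIL] $1"; FAILED=1; fi
}

env_check() {
  FAILED=0
  s=0; adb_has_device "$(adb devices 2>/dev/null)" || s=$?
  report "adb devices shows a device" $s
  s=0; proxy_points_at_burp "$(adb shell settings get global http_proxy 2>/dev/null)" || s=$?
  report "device proxy points at :8080" $s
  s=0; adb shell 'test "$(id -u)" = 0 || su -c id' >/dev/null 2>&1 || s=$?
  report "root shell available" $s
  # trust-store filename is the OpenSSL legacy subject hash of the Burp CA
  name=$(openssl x509 -noout -subject_hash_old -in burp.pem 2>/dev/null || true).0
  s=0; adb shell "test -f /system/etc/security/cacerts/$name" 2>/dev/null || s=$?
  report "Burp CA in system trust store ($name)" $s
  s=0; adb shell 'ps -A | grep -q "[f]rida-server"' 2>/dev/null || s=$?
  report "frida-server running" $s
  s=0; curl -s -m 3 -o /dev/null http://127.0.0.1:8080/ || s=$?
  report "Burp listener answering on 127.0.0.1:8080" $s
  return $FAILED
}

# Usage: RUN_CHECK=1 sh env_check.sh   (guarded so the functions can be sourced)
if [ "${RUN_CHECK:-0}" = 1 ]; then env_check; fi
```

The last checklist item (HTTPS actually decrypts in Burp) is not scripted here: open any HTTPS site in the device browser and confirm it shows up in Proxy → HTTP history.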
