My Android Pentesting Setup

31/05/2024 - 3 minutes

android hacking mobile sslpininng_bypass
  1. 1 Install Waydroid
  2. 2 Install waydroid-extras
  3. 3 Activate google services in Waydroid
  4. 4 Install Magisk Delta (Kitsune Mask)
  5. 5 Libndk
  6. 6 Magisk modules
  7. 7 Setting up Burp as proxy and SSL pinning bypass

# Install Waydroid

paru -Sy wadroid

Initialize waydroid and allow it to download the latest Lineage OS SDK + GAPPS (Google services)

waydroid init -s GAPPS
sudo systemctl enable --now waydroid-container

# Install waydroid-extras

https://github.com/casualsnek/waydroid_script

paru -Sy waydroid-script-git

# Activate google services in Waydroid

Start waydroid as any desktop application

waydroid-extras google

Copy the returned numeric ID, then openĀ "https://google.com/android/uncertified/?pli=1". Enter the ID and register it. Wait 10-20 minutes for device to get registered. Then clear Google Play Service's cache and try logging in!

# Install Magisk Delta (Kitsune Mask)

sudo waydroid-extras install magisk

Once the device reboots enable zygisk in magisk settings

# Libndk

Libndk is a translation layer for arm apks (since this is a 64 bit device) We can install it using the below command

sudo waydroid-extras install libndk

# Magisk modules

magisk-frida Used to start the latest Frida server automatically on boot, though you might prefer magisk-strongR-frida, which is a fork that uses an alternative Frida version to avoid detections (can be found here) MagiskTrustUserCerts Used to trust all user certificates For sslpining we will use LSPosed_mod (Download the Zygisk version, since we enabled Zygisk a moment ago)

Download all the modules and push them to Downloads

adb push MagiskFrida-*.zip /sdcard/Download
adb push AlwaysTrustUserCerts.zip /sdcard/Download
adb push LSPosed-*-zygisk-release.zip /sdcard/Download

Install all of them in Magisk

Reboot the device with (Don't use the reboot button in Magisk)

sudo systemctl restart waydroid-container

Check if the LSPosed app is installed in the app drawer, if not install it manually by extracting the apk from the zip and installing it with

unzip LSPosed-*-zygisk-release.zip -d LSPosed
waydroid app install LSPosed/manager.apk

Verify that LSPosed is activated

# Setting up Burp as proxy and SSL pinning bypass

The LSPosed module I will be using is unfortunately quite old JustTrustMe. Basically it still receives some maintenance but there is no release since 2016! Hence we will have to build it ourselves or use this fork

git clone https://github.com/Fuzion24/JustTrustMe
cd JustTrustMe
./gradlew assembleRelease
./gradlew installRelease

Verify that the module is installed and enable it

Start Burp and set it to listen to all interfaces Verify that it can be reached through the android device by visiting the waydroid tun interface

Our target interface is waydroid0

Thus IP: 192.168.240.1 in the above example, lets verify that it can be reached from a browser(I recommend installing Kiwi browser instead of the default btw) in the android device. Remember to use your burp port If you see the Welcome page then you are good to go

Thus using adb we will now tell the android device to use burp as a proxy by proxying all traffic through that interface

Before we do that lets install our burp certificate on the device Export the certificate and convert the certificate to pem format

openssl x509 -inform DER -in cert.der -out cert.pem

Push it to the device

adb push cert.pem /sdcard/Download

Go to settings -> Encryption & Credentials -> Install a certificate -> CA Certificate -> Install anyway and select the cert.pem file

Normally this method wouldn't work for all apps, but since we installed AlwaysTrustUserCerts module, all certificates are now trusted as if they were system certificates

Reboot the device with

sudo systemctl restart waydroid-container

Now let's tell our device to use the proxy we have setup. Most people here use some way to configure android's proxy settings and set burp suite as a system-wide proxy. I avoid that since if an app developer chooses to make a request with the NO_PROXY flag, it will bypass the proxy. Instead I use the following VPN app rethink-app and configure it like below:

  1. Click on configure

  2. Set up burp as the proxy

  3. Don't route private IPs through the proxy, since this will break adb connections!

  4. Configure DNS servers to be the default

Wooohoo! Now you can intercept all traffic from your android device