My Android Pentesting Setup

31/05/2024 - 3 minutes

android hacking mobile sslpinning_bypass

Install Waydroid

paru -Sy waydroid

Initialise Waydroid and let it download the latest LineageOS system image with GAPPS (Google services):

waydroid init -s GAPPS
sudo systemctl enable --now waydroid-container

Install waydroid-extras (the waydroid_script project, packaged on the AUR as waydroid-script-git)

https://github.com/casualsnek/waydroid_script

paru -Sy waydroid-script-git

Activate google services in Waydroid

Start Waydroid like any other desktop application, then run:

waydroid-extras google

Copy the returned numeric ID, then open "https://google.com/android/uncertified/?pli=1", enter the ID and register it. Wait 10-20 minutes for the device to be registered, then clear the Google Play Services cache and try logging in.

Install Magisk Delta (Kitsune Mask)

sudo waydroid-extras install magisk

Once the device reboots, enable Zygisk in the Magisk settings.

Install libndk (a translation layer for ARM APKs; the Waydroid image is x86_64, so APKs that only ship ARM native libraries will not run without it)

sudo waydroid-extras install libndk

Magisk modules

The modules we need:

magisk-frida: starts the latest frida-server automatically on boot.
MagiskTrustUserCerts: makes all user-installed CA certificates trusted as if they were system certificates.
LSPosed_mod: the Xposed framework we will use for the SSL pinning bypass. Download the Zygisk version, since we enabled Zygisk a moment ago.

Download all the modules and push them to the Downloads folder:

adb push MagiskFrida-*.zip /sdcard/Download
adb push AlwaysTrustUserCerts.zip /sdcard/Download
adb push LSPosed-*-zygisk-release.zip /sdcard/Download

Install all of them in magisk

Reboot the device with the command below (don't use the reboot button in Magisk):

sudo systemctl restart waydroid-container

Check whether the LSPosed manager app shows up in the app drawer. If it doesn't, install it manually by extracting the APK from the module zip:

unzip LSPosed-*-zygisk-release.zip -d LSPosed
waydroid app install LSPosed/manager.apk

Open the LSPosed manager and verify that it reports the framework as activated.

Setting up Burp as proxy and SSL pinning bypass

The LSPosed module I will be using, JustTrustMe, is unfortunately quite old: it still receives some maintenance, but there has been no release since 2016. Hence we will have to build it ourselves (or use a fork):

git clone https://github.com/Fuzion24/JustTrustMe
cd JustTrustMe
./gradlew assembleRelease
./gradlew installRelease

Verify that the module is listed in the LSPosed manager and enable it for the apps you want to test.

Start Burp and set its proxy listener to bind to all interfaces. Then verify that the listener can be reached from the Android device: Waydroid talks to the host through the waydroid0 bridge interface, so look up that interface's host-side address (for example with ip addr show waydroid0).

Our target interface is waydroid0, and its host address is 192.168.240.1 in my setup.

Open http://192.168.240.1:<burp port> in a browser on the Android device (I recommend installing Kiwi browser instead of the default, by the way). Remember to use your own Burp port. If you see the Burp welcome page, the listener is reachable and you are good to go.

Using adb we will then tell the Android device to send all of its HTTP(S) traffic through Burp on that interface.

Before we do that, let's install the Burp CA certificate on the device, otherwise every TLS connection will fail. Export the CA certificate from Burp (it is exported in DER format) and convert it to PEM:

openssl x509 -inform DER -in cert.der -out cert.pem

Push it to the device

adb push cert.pem /sdcard/Download

Go to Settings -> Encryption & credentials -> Install a certificate -> CA certificate -> Install anyway, and select the cert.pem file.

Normally a user-installed CA is only trusted by apps that opt in to user certificates (since Android 7, apps ignore the user store by default). Since we installed the MagiskTrustUserCerts module, though, user certificates are copied into the system store on every boot and are trusted as if they were system certificates.

Reboot the device again so the module picks up the newly installed certificate:

sudo systemctl restart waydroid-container

Now let's tell our device to use the proxy we have setup

BURP_PORT="${BURP_PORT:-8080}"  # the port your Burp listener is bound to
# host-side address of the waydroid0 bridge, read from the "src" field of its route
waydroid_tun=$(\ip route | awk '/dev waydroid0/ { for (i = 1; i <= NF; i++) if ($i == "src") print $(i + 1) }')
echo "Proxying through $waydroid_tun:$BURP_PORT"
adb shell settings put global http_proxy "$waydroid_tun:$BURP_PORT"
echo "proxy started"

To do this quickly I have set up the above as a small shell function for my shell; have a look here and here in case you are interested in something similar.

Wooohoo! Now you can intercept all traffic from your Android device. Keep in mind that the global http_proxy setting is only honoured by apps that use the system proxy; an app that ignores it (or uses its own socket code) will need a transparent-proxy or Frida-based approach instead.

To disable the proxy without restarting the container, run:

adb shell settings put global http_proxy :0
adb reverse --remove-all
echo "proxy stopped"
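Below is an added helper script that ties the last two steps together (checking that the Burp CA really landed in the system store, and toggling the proxy); it is example code written for this page, not the author's own shell function. It assumes the Waydroid bridge is waydroid0, that adb is already connected to the Waydroid instance, that the image is Android 11 (LineageOS 18.1) so the system CA store lives in /system/etc/security/cacerts, and that curl and openssl are installed on the host. The route parsing is done on text so it can be tested without a live interface, and it reads the field after "src" instead of a fixed column, which is what breaks when the kernel prints different route flags.

```shell
#!/usr/bin/env bash
# Added example for the Waydroid + Burp workflow above (not the post's own code).
# Assumptions: bridge interface waydroid0, adb already connected to Waydroid,
# MagiskTrustUserCerts mounting user CAs into /system/etc/security/cacerts.

BURP_PORT="${BURP_PORT:-8080}"
WAYDROID_IF="${WAYDROID_IF:-waydroid0}"

# Extract the host-side address of the bridge from `ip route` output passed as text.
# Looks for " dev <iface>" and prints the value following "src" on that line.
host_ip_from_routes() {
    local iface="$1" routes="$2"
    printf '%s\n' "$routes" | awk -v dev="$iface" '
        $0 ~ (" dev " dev "( |$)") {
            for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit }
        }'
}

waydroid_host_ip() {
    host_ip_from_routes "$WAYDROID_IF" "$(ip route)"
}

# Android names CA files <subject_hash_old>.0; compute the name Burp's CA gets
# once the module has copied it into the system store.
ca_system_filename() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

# Check the *system* store, not the user store: apps that ignore user CAs
# (the Android 7+ default) only trust the former.
verify_burp_ca() {
    local name
    name="$(ca_system_filename "$1")"
    if adb shell ls "/system/etc/security/cacerts/$name" >/dev/null 2>&1; then
        echo "Burp CA present in system store as $name"
    else
        echo "Burp CA NOT in system store (expected $name); did you reboot the container?" >&2
        return 1
    fi
}

proxy_start() {
    local host
    host="$(waydroid_host_ip)"
    if [ -z "$host" ]; then
        echo "no route for $WAYDROID_IF; is waydroid-container running?" >&2
        return 1
    fi
    # Burp must answer on the bridge address, i.e. be bound to all interfaces.
    if ! curl -s -o /dev/null "http://$host:$BURP_PORT/"; then
        echo "nothing answers on $host:$BURP_PORT; bind Burp to all interfaces" >&2
        return 1
    fi
    adb shell settings put global http_proxy "$host:$BURP_PORT"
    echo "proxying through $host:$BURP_PORT"
}

proxy_stop() {
    adb shell settings put global http_proxy :0
    echo "proxy stopped"
}

proxy_status() {
    adb shell settings get global http_proxy
}

case "${1:-}" in
    start)     proxy_start ;;
    stop)      proxy_stop ;;
    status)    proxy_status ;;
    verify-ca) verify_burp_ca "${2:?path to cert.pem}" ;;
    "")        ;;  # no arguments: just define the functions (e.g. when sourced)
    *)         echo "usage: $0 {start|stop|status|verify-ca cert.pem}" >&2; exit 2 ;;
esac
```

Run `./burp-waydroid.sh verify-ca cert.pem` after the post-install reboot and `./burp-waydroid.sh start` / `stop` to toggle interception; `status` prints what the device currently thinks its proxy is, which is the first thing to check when traffic stops showing up in Burp.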