---
name: android-app-pentest-environment
description: Set up and use a complete Android app penetration testing environment in Android Studio with root, Magisk, Xposed, and traffic interception tools
triggers:
- set up android pentest environment
- configure android studio for app security testing
- install magisk and xposed on android emulator
- how do i test android app security
- intercept android app traffic with burp
- root android emulator for penetration testing
- bypass ssl pinning on android apps
- configure android app testing with frida
---
# Android App Penetration Testing Environment
> Skill by [ara.so](https://ara.so) — Security Skills collection.
This skill enables AI agents to help developers set up a complete Android application penetration testing environment using Android Studio emulators with root access, Magisk modules, SSL certificate management, and traffic interception capabilities.
## What This Project Provides
A comprehensive guide and toolset for creating a 2026-ready Android app security testing environment including:
- Rooted Android emulator (API 36 / Android 16)
- Magisk (known as 面具, "Mask", in Chinese communities) for root management and module support
- SSL/TLS certificate bypasses for traffic interception
- Xposed framework integration
- Frida dynamic instrumentation setup
- BurpSuite/Charles proxy configuration
## Prerequisites
### Install Android Studio and SDK
```bash
# Download Android Studio from official site
# https://developer.android.google.cn/studio?hl=zh-cn
# After installation, configure proxy if needed (for faster downloads)
# Settings → Appearance & Behavior → System Settings → HTTP Proxy
# Example: 127.0.0.1:7890 for ClashX
# SDK will auto-install at:
# macOS: /Users/$USER/Library/Android/sdk
# Windows: C:\Users\$USER\AppData\Local\Android\Sdk
# Linux: ~/Android/Sdk
```
### Configure Environment Variables
**macOS/Linux (bash):**
```bash
# Edit ~/.bash_profile or ~/.zshrc
export ANDROID_HOME=$HOME/Library/Android/sdk   # macOS path; on Linux use $HOME/Android/Sdk
export PATH=$PATH:$ANDROID_HOME/platform-tools
export PATH=$PATH:$ANDROID_HOME/tools           # legacy SDK tools dir (newer SDKs ship cmdline-tools instead)
export PATH=$PATH:$ANDROID_HOME/tools/bin
export PATH=$PATH:$ANDROID_HOME/emulator
# Apply changes
source ~/.bash_profile # or ~/.zshrc
```
**Windows (PowerShell):**
```powershell
# Persist for the current user; open a new shell afterwards to pick the values up
$sdk = "$env:LOCALAPPDATA\Android\Sdk"
[Environment]::SetEnvironmentVariable("ANDROID_HOME", $sdk, "User")
# Append to the user PATH (setx would copy the machine PATH into it and truncate at 1024 characters)
$userPath = [Environment]::GetEnvironmentVariable("Path", "User")
[Environment]::SetEnvironmentVariable("Path", "$userPath;$sdk\platform-tools;$sdk\emulator", "User")
```
### Verify ADB Installation
```bash
# Test ADB is accessible
adb version
# Output: Android Debug Bridge version 1.0.41
```
## Create Android Emulator
### Recommended Configuration
```bash
# Launch Android Studio → More Actions → Virtual Device Manager → Create Device
# Recommended specs:
# Device: Pixel 9 Pro
# System Image: API 36 (Android 16), Google APIs, arm64-v8a
# ⚠️ Use a Google APIs image (NOT Google Play: Play images are production builds without adb root, so they cannot be rooted)
# Advanced settings:
# - Boot option: Cold Boot
# - Internal Storage: 16 GB
# - SD Card: 4 GB
# - RAM: 4096 MB (minimum)
# - VM Heap: 512 MB
```
### Launch Emulator via CLI
```bash
# List available AVDs
emulator -list-avds
# Start specific AVD
emulator -avd Pixel_9_Pro_API_36 &
# Start with writable system (for manual modifications)
emulator -avd Pixel_9_Pro_API_36 -writable-system &
```
## Install Magisk (Root Framework)
### Method A: rootAVD (Recommended - Automated)
```bash
# Clone rootAVD tool (migrated to GitLab)
git clone https://gitlab.com/newbit/rootAVD.git
cd rootAVD
# Download latest Magisk APK
# From: https://github.com/topjohnwu/Magisk/releases
# Rename to Magisk.zip and place in rootAVD directory
curl -L -o Magisk.zip https://github.com/topjohnwu/Magisk/releases/download/v28.1/Magisk-v28.1.apk
# List all AVD ramdisk images
./rootAVD.sh ListAllAVDs
# Root the specific system image
./rootAVD.sh system-images/android-36.1/google_apis/arm64-v8a/ramdisk.img
# rootAVD shuts the AVD down when it finishes; start it again with a cold boot so the patched ramdisk is loaded
emulator -avd Pixel_9_Pro_API_36 -no-snapshot-load &
```
### Method B: Manual Magisk Patching
```bash
# Start emulator with writable system
emulator -avd Pixel_9_Pro_API_36 -writable-system &
# Get root access
adb root
# Install Magisk APK
adb install Magisk-v28.1.apk
# Push ramdisk to device
adb push $ANDROID_HOME/system-images/android-36.1/google_apis/arm64-v8a/ramdisk.img /sdcard/Download/
# Open Magisk app on emulator → Install → Select and Patch File
# Choose /sdcard/Download/ramdisk.img
# Patched file saved to /sdcard/Download/magisk_patched_*.img
# Pull patched ramdisk (the glob must be expanded by the device shell, not the host)
PATCHED=$(adb shell ls /sdcard/Download/magisk_patched*.img | tr -d '\r' | head -1)
adb pull "$PATCHED" ./
# Back up the original ramdisk, then replace it
cp $ANDROID_HOME/system-images/android-36.1/google_apis/arm64-v8a/ramdisk.img ramdisk.img.bak
cp "$(basename "$PATCHED")" $ANDROID_HOME/system-images/android-36.1/google_apis/arm64-v8a/ramdisk.img
# Restart with a cold boot so the emulator reloads the ramdisk
adb emu kill
emulator -avd Pixel_9_Pro_API_36 -no-snapshot-load &
```
### Verify Root Access
```bash
# Check root in ADB
adb root
adb shell su -c "id"
# Output: uid=0(root) gid=0(root)
# Open Magisk app on emulator - should show:
# - Magisk: Installed (28.1)
# - Ramdisk: Yes
```
### Configure Magisk
```bash
# Enable Zygisk (via Magisk app Settings)
# Settings → Zygisk → Enable → Reboot
# Hide Magisk app (anti-detection)
# Settings → Hide Magisk App → Randomize package name
# Configure the DenyList (replaces MagiskHide since Magisk 24; requires Zygisk)
adb shell su -c "magisk --denylist enable"
adb shell su -c "magisk --denylist add <package.name>"
```
## Install Magisk Modules
### LSPosed (Xposed Framework)
```bash
# Download LSPosed Zygisk release
# https://github.com/LSPosed/LSPosed/releases
curl -L -o LSPosed.zip https://github.com/LSPosed/LSPosed/releases/download/v1.9.2/LSPosed-v1.9.2-7024-zygisk-release.zip
# Install via Magisk app
adb push LSPosed.zip /sdcard/Download/
# Magisk → Modules → Install from storage → Select LSPosed.zip
# Reboot emulator
adb reboot
```
### SSL Certificate Unpinning Modules
**JustTrustMe:**
```bash
# Download from Xposed repo or GitHub, then install from the host
# (adb install takes a host path; use "adb shell pm install" for a file already on the device)
adb install JustTrustMe.apk
# Enable in LSPosed:
# LSPosed → Modules → JustTrustMe → Enable → Select target apps
```
**TrustMeAlready:**
```bash
# Magisk module for system-wide certificate trust
adb push TrustMeAlready.zip /sdcard/Download/
# Magisk → Modules → Install → TrustMeAlready.zip → Reboot
```
### MagiskTrustUserCerts
```bash
# Auto-trust user certificates as system certs
# Download: https://github.com/NVISOsecurity/MagiskTrustUserCerts
adb push MagiskTrustUserCerts.zip /sdcard/Download/
# Magisk → Modules → Install → MagiskTrustUserCerts.zip → Reboot
```
## SSL Certificate Installation
### Install BurpSuite/Charles Certificate
```bash
# Export certificate from Burp/Charles as DER format: cacert.der
# Convert to PEM and compute the subject_hash_old value Android uses as the file name
openssl x509 -inform DER -in cacert.der -out cacert.pem
HASH=$(openssl x509 -inform PEM -noout -subject_hash_old -in cacert.pem)
# Rename certificate
cp cacert.pem ${HASH}.0
# Push to emulator. This path is read on Android 13 and below; on Android 14+ the system
# store lives inside the Conscrypt APEX, so use the MagiskTrustUserCerts route instead
# (install the cert as a user certificate and let the module expose it as a system cert)
adb root
adb remount
adb push ${HASH}.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/${HASH}.0
adb reboot
```
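An added example, not part of the original guide, that reproduces the `${HASH}.0` file name computed above in pure Python so a Burp `cacert.der` can be checked without openssl on the host: subject_hash_old is MD5 of the DER-encoded subject Name with its first four bytes read as a little-endian integer. `encode_cn_subject` is a constructed helper for building test subjects; real certificates go through `subject_from_certificate`.

```python
# android_ca_name.py: compute the file name Android expects for a system CA certificate,
# i.e. what `openssl x509 -subject_hash_old` prints, without shelling out to openssl.
# The "old" hash is MD5(DER-encoded subject Name) with its first four bytes read as a
# little-endian 32-bit integer, printed as eight hex digits; Android appends ".0".
import hashlib

def subject_hash_old(subject_der: bytes) -> str:
    """OpenSSL subject_hash_old of a DER-encoded X.509 Name (full TLV, as i2d_X509_NAME emits it)."""
    digest = hashlib.md5(subject_der).digest()
    return format(int.from_bytes(digest[:4], "little"), "08x")

def android_cacert_filename(cert_der: bytes) -> str:
    """File name for the system CA store for a DER certificate (index 0 = first cert with that hash)."""
    return subject_hash_old(subject_from_certificate(cert_der)) + ".0"

def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder; short-form lengths are enough for a subject Name."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def encode_cn_subject(common_name: str) -> bytes:
    """DER Name with one CN RDN; a constructed helper so the example runs without a real cert."""
    oid_cn = bytes.fromhex("0603550403")                  # OBJECT IDENTIFIER 2.5.4.3 (commonName)
    value = der_tlv(0x0C, common_name.encode("utf-8"))    # UTF8String
    atv = der_tlv(0x30, oid_cn + value)                   # AttributeTypeAndValue
    return der_tlv(0x30, der_tlv(0x31, atv))              # Name ::= SEQUENCE OF SET (RDN)

def der_read(buf: bytes, pos: int):
    """Read the TLV at pos; return (tag, content_start, end_of_element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length (real certs use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_from_certificate(cert_der: bytes) -> bytes:
    """Raw DER subject Name of a DER certificate (e.g. cacert.der exported from Burp)."""
    _, pos, _ = der_read(cert_der, 0)                     # Certificate SEQUENCE
    _, pos, _ = der_read(cert_der, pos)                   # tbsCertificate SEQUENCE
    tag, _, end = der_read(cert_der, pos)
    if tag == 0xA0:                                       # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                                    # serialNumber, signature, issuer, validity
        _, _, pos = der_read(cert_der, pos)
    _, _, end = der_read(cert_der, pos)
    return cert_der[pos:end]
```

Run `android_cacert_filename(open("cacert.der", "rb").read())` against a Burp export and compare it with the `${HASH}.0` produced by openssl above.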
### Verify Certificate Installation
```bash
# Check installed certificates
adb shell ls -la /system/etc/security/cacerts/ | grep $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1)
# Or via Settings on emulator:
# Settings → Security → Encryption & credentials → Trusted credentials → System
```
## Traffic Interception Setup
### Configure Proxy
```bash
# Set WiFi proxy on emulator
# Settings → Network & Internet → WiFi → AndroidWifi → Proxy → Manual
# Hostname: 10.0.2.2 (host loopback for emulator)
# Port: 8080 (BurpSuite default)
# Or via ADB:
adb shell settings put global http_proxy 10.0.2.2:8080
# Remove proxy:
adb shell settings put global http_proxy :0
```
### BurpSuite Configuration
```bash
# Proxy → Options → Proxy Listeners
# Add: 0.0.0.0:8080
# Enable "Support invisible proxying"
# Ensure firewall allows incoming on 8080
```
### Test Traffic Capture
```bash
# Install test app
adb install target_app.apk
# Launch app and verify traffic in Burp
# If no traffic appears:
# 1. Check proxy settings
# 2. Verify certificate installed
# 3. Enable JustTrustMe module for app
# 4. Check app doesn't use proxy detection
```
## Install Frida for Dynamic Analysis
### Install Frida Server
```bash
# Download Frida server for Android (match the version to the host frida-tools)
# https://github.com/frida/frida/releases
# Choose: frida-server-*-android-arm64 (the .xz archive must be unpacked first)
curl -L -o frida-server.xz https://github.com/frida/frida/releases/download/16.5.9/frida-server-16.5.9-android-arm64.xz
unxz frida-server.xz   # produces ./frida-server
# Push to device
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
# Run Frida server as root, detached so the adb shell command returns
adb root
adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"
```
### Install Frida Tools (Host)
```bash
# Install via pip
pip3 install frida-tools
# Verify connection
frida-ps -U
# Should list running processes on emulator
```
### Basic Frida Usage
```python
# example_frida_hook.py
import frida
import sys


def on_message(message, data):
    print(f"[*] {message}")


# Attach to app
device = frida.get_usb_device()
session = device.attach("com.target.app")
# Hook script
script_code = """
Java.perform(function() {
    var MainActivity = Java.use('com.target.app.MainActivity');
    MainActivity.secretMethod.implementation = function() {
        console.log('[*] secretMethod called');
        return this.secretMethod();
    };
});
"""
script = session.create_script(script_code)
script.on('message', on_message)
script.load()
sys.stdin.read()
```
```bash
# Run Frida script
python3 example_frida_hook.py
```
## Common Commands Reference
### ADB Essentials
```bash
# List devices
adb devices
# Install APK
adb install app.apk
adb install -r app.apk # reinstall
# Uninstall app
adb uninstall com.package.name
# List installed packages
adb shell pm list packages
adb shell pm list packages -3 # third-party only
# Pull APK from device
adb shell pm path com.package.name
adb pull /data/app/~~hash/com.package.name-hash/base.apk
# Get app data directory
adb shell run-as com.package.name
# (only works for debuggable apps)
# Logcat (filter by app)
adb logcat | grep "com.package.name"
adb logcat -c # clear log
# Screen capture
adb exec-out screencap -p > screenshot.png
# Screen record
adb shell screenrecord /sdcard/demo.mp4
adb pull /sdcard/demo.mp4
```
### File System Access
```bash
# Mount system as writable
adb root
adb remount
# Push/pull files
adb push local_file /sdcard/
adb pull /sdcard/remote_file ./
# Browse file system
adb shell
cd /data/data/com.package.name
ls -la
```
### Process and App Management
```bash
# Start activity
adb shell am start -n com.package.name/.MainActivity
# Stop app
adb shell am force-stop com.package.name
# Clear app data
adb shell pm clear com.package.name
# Get running processes
adb shell ps | grep package.name
```
## Troubleshooting
### Emulator Won't Boot After Magisk
```bash
# Restore from snapshot (if created)
# Android Studio → Device Manager → AVD → Show on Disk → snapshots/
# Or recreate ramdisk:
cd $ANDROID_HOME/system-images/android-36.1/google_apis/arm64-v8a/
# Delete ramdisk.img and re-run Android Studio setup to redownload
```
### ADB Not Detecting Emulator
```bash
# Kill and restart ADB server
adb kill-server
adb start-server
# Check emulator is in list
adb devices
# If still not showing:
# - Restart emulator
# - Check $ANDROID_HOME/platform-tools is in PATH
```
### SSL Pinning Still Active
```bash
# Ensure MagiskTrustUserCerts is installed
# Verify JustTrustMe is enabled for specific app in LSPosed
# Try alternative modules:
# - SSLUnpinning
# - TrustMeAlready
# - Use a Frida script for runtime bypass (frida_ssl_bypass.js below)
```
```javascript
// frida_ssl_bypass.js
Java.perform(function() {
    var CertificatePinner = Java.use('okhttp3.CertificatePinner');
    CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function() {
        console.log('[*] SSL Pinning bypassed');
    };
});
```
```bash
# Run:
frida -U -f com.target.app -l frida_ssl_bypass.js
```
### Magisk Modules Not Working
```bash
# Check the DenyList is enforced (it requires Zygisk, enabled via Magisk app → Settings)
adb shell su -c "magisk --denylist status"
# Ensure app is not in denylist
adb shell su -c "magisk --denylist rm com.package.name"
# Reinstall module
# Magisk → Modules → Remove → Reinstall → Reboot
```
### App Detects Emulator/Root
```bash
# Hide Magisk package name (Settings → Hide Magisk App)
# MagiskHide was removed in Magisk 24; the DenyList (requires Zygisk) replaces it
adb shell su -c "magisk --denylist enable"
adb shell su -c "magisk --denylist add com.package.name"
# Install Shamiko module (Zygisk-based hiding)
# Download: https://github.com/LSPosed/LSPosed.github.io/releases
# Modify build.prop to appear as physical device
adb shell su -c "mount -o rw,remount /system"
adb shell su -c "sed -i 's/ro.build.fingerprint=.*/ro.build.fingerprint=google\/redfin\/redfin:13\/TP1A.220624.021\/8877034:user\/release-keys/' /system/build.prop"
```
### Traffic Not Appearing in Proxy
```bash
# Verify proxy settings
adb shell settings get global http_proxy
# Output: 10.0.2.2:8080
# Check certificate hash
adb shell ls /system/etc/security/cacerts/ | grep $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1)
# Ensure BurpSuite listening on all interfaces
# Proxy → Options → Edit → Bind to address: All interfaces
# Test with curl (if the emulator image has no curl binary, open an https site in the emulator browser instead)
adb shell curl -x http://10.0.2.2:8080 https://www.google.com
```
## Advanced Patterns
### Automated APK Analysis Script
```bash
#!/bin/bash
# analyze_apk.sh - install an APK, route the emulator through Burp, spawn the app under Frida
APK=$1
# aapt lives in $ANDROID_HOME/build-tools/<version>/ and must be on PATH
PACKAGE=$(aapt dump badging "$APK" | grep '^package:' | awk '{print $2}' | sed "s/name='\(.*\)'/\1/")
cleanup() {
  echo "[*] Cleaning up..."
  adb uninstall "$PACKAGE"
  adb shell settings put global http_proxy :0
}
trap cleanup EXIT
echo "[*] Installing $APK..."
adb install -r "$APK"
echo "[*] Proxy configured. Monitor Burp for traffic."
adb shell settings put global http_proxy 10.0.2.2:8080
echo "[*] Starting Frida (interactive; quit the REPL to stop and clean up)..."
# The frida CLI blocks until you quit it, so it runs last; Frida 16 resumes the spawned app by default
frida -U -f "$PACKAGE" -l ssl_bypass.js
```
### Certificate Rotation Script
```bash
#!/bin/bash
# update_cert.sh - (re)install a proxy CA into the system store on Android 13 and below;
# on Android 14+ the system store is inside the Conscrypt APEX, so use MagiskTrustUserCerts instead
CERT_DER=$1
openssl x509 -inform DER -in "$CERT_DER" -out /tmp/cacert.pem
HASH=$(openssl x509 -inform PEM -noout -subject_hash_old -in /tmp/cacert.pem)
adb root
adb remount
adb shell rm -f /system/etc/security/cacerts/${HASH}.0
adb push /tmp/cacert.pem /system/etc/security/cacerts/${HASH}.0
adb shell chmod 644 /system/etc/security/cacerts/${HASH}.0
adb reboot
echo "[*] Certificate updated: ${HASH}.0"
```
## Environment Variables
```bash
# All tools should use these environment references:
export ANDROID_HOME=$HOME/Library/Android/sdk # or appropriate path
export BURP_PROXY="10.0.2.2:8080"
export FRIDA_SERVER_PORT=27042
export ADB_PORT=5037
```
## Security Considerations
- This environment is for **legal penetration testing only**
- Always obtain proper authorization before testing applications
- Do not use these techniques on apps without permission
- Some techniques may violate app terms of service
- Keep tools updated to avoid detection by modern anti-root/emulator checks
## Further Resources
- Magisk Documentation: https://topjohnwu.github.io/Magisk/
- LSPosed Wiki: https://github.com/LSPosed/LSPosed/wiki
- Frida Handbook: https://frida.re/docs/home/
- Android Security Testing Guide: https://mobile-security.gitbook.io/mobile-security-testing-guide/
Creator's repository · aradotso/security-skills