Lain with phone

# Bug hunting on Android apps

2 min read
android frida
Table of Contents

This guide provides a concise cheatsheet to set up the Android Emulator on Linux (and possibly macOS), gain root access, and configure Frida to bypass SSL pinning of an Android application.

Install frida-tool

Terminal window
pip install --upgrade frida-tools frida

Setting up Emulator

  1. Download and install Android studio, run it and navigate to AVD to create an emulator. I prefer using Pixel 5. Select the minimum SDK version (Google Play or Open Source) required for your APK:
Terminal window
aapt dump badging com.app.android.apk | grep sdkVersion
  1. Choose either x86 or x86_64 - one might work for a particular application, while the other might not. Same for SDK versions. Do not expect any application to run successfully.

If the emulator won’t run, try:

Terminal window
sudo modprobe kvm_intel kvm kvm_amd

Warning

Pay attention to which SDK version and arch you use in the next commands

1) Rooting Emulator

  1. Run in your terminal:
Terminal window
git clone https://gitlab.com/newbit/rootAVD.git/ && cd rootAVD
./rootAVD.sh | grep 30
./rootAVD.sh system-images/android-30/google_apis/x86/ramdisk.img
  1. Run Emulator again
  2. Open Magisk, allow notifications and click Ok to reboot
  3. Run Magisk again and update it if asked

2) Install frida on Emulator

  1. Check frida version on your system:
Terminal window
frida --version
16.7.14
  1. Download corresponding version of magisk-frida from https://github.com/ViRb3/magisk-frida/releases/
  2. Transfer zip file to the device:
Terminal window
adb push ~/Downloads/MagiskFrida-16.7.14-1.zip /sdcard/
  1. Open Magisk on Emulator, click Module and select Install from Storage, navigate to sdk_hphone64_x86_64 and select the archive
  2. Wait and click Reboot
  3. Disable protection (not sure if it’s necessary):
Terminal window
adb shell su -c setenforce 0
  1. Import Burp cert from proxy options and upload to the device:
Terminal window
adb push ~/cert-der.crt /data/local/tmp/cert-der.crt
  1. Ensure frida-server is running:
Terminal window
adb shell
ps -A | grep frida
  1. Check if it’s working on host machine:
Terminal window
frida-ps -U

Installing and running apk file

  1. Set up Burp proxy listener on 0.0.0.0:8081
  2. Run Emulator with proxy:
Terminal window
emulator -avd "Pixel_5" -writable-system -http-proxy 127.0.0.1:8081
  1. Install your apk which you downloaded from APK Pure or APK Mirror:
Terminal window
adb install ./com.name.apk
# or if its unpacked .xapk
adb install-multiple ./com.name.apk config.arm64_v8a.apk config.xxxhdpi.apk
  1. Start your App
  2. Run frida-script on host machine:
Terminal window
frida -U --codeshare sowdust/universal-android-ssl-pinning-bypass-2 -n <app name from frida-ps list>

Another frida scripts if the previous fails:

Terminal window
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -n AppName
frida -U --codeshare akabe1/frida-multiple-unpinning -n AppName
Everyone is connected

No matter where you are, everyone is always connected