In the first post about mobile audits, we explained the creation and configuration of a pentesting testing environment using Android Studio software. While it’s true that it’s possible to create emulated devices that are already rooted, as those of you who have worked with them know, they often present a series of problems or inconveniences that can complicate the device configuration and working with it.
If you’ve taken a look at my latest post about configuring physical devices using Magisk, you’ll have seen how comfortable and manageable it is to have our Android set up with that structure for work. Therefore, on this occasion, we’re going to merge both parts to obtain an Android emulator for conducting pentesting tests with the convenience that Magisk provides us.
- About Android Studio
- Creation and Configuration of the Emulated Device
- Before Starting: Adding adb Tool to Path
- Tool for Installing Magisk: rootAVD
- Installing Burp Suite Certificate Through Magisk
- Frida Through Magisk
- Conclusion
- References
About Android Studio
I imagine if you’re here, it’s because you already have Android Studio software installed and configured on your computer, but if not, you can find the complete explanation here. If you already have it installed, I’m going to recommend that you update it to the latest version as follows:
- Open Android Studio → Settings wheel in the lower left corner → Check for updates
We’ll need to know the path where we have Android SDK (software development kit) installed, a set of tools used by the program. To do this:
- Android Studio → More actions → SDK Manager → Android SDK Location
ATTENTION!! In case you haven’t installed Android Studio yet, there will be a moment when it asks us in what path we want to install Android SDK. By default, the path is C:\Users\\AppData\Local\Android\Sdk. Unless you have an exceptional need to install it in another path, keep the default one, as we’ll use a tool later that searches by default in that defined path.
Creation and Configuration of the Emulated Device
Well, if you’ve clicked on the link I put above talking about creating the environment in Android Studio, you’ll have remembered the procedure for creating an emulated device (if you haven’t done it, check out our guide on creating an Android pentesting work environment). Making a brief summary, the steps to follow are:
- Android Studio → More actions → Virtual Device Manager → Create Device
For this post, I’ve chosen a Pixel 7 device with Android version 11.0 (API 30) that contains Google Play. I remind you that with this configuration, the environment will be similar to a production one, so the device by default is not rooted (which makes sense if what we want is to use Magisk to achieve that root):
As a personal recommendation, never use the latest Android versions for your emulators as some tools or applications may give errors or simply not work due to the short adaptation period they may have had.
On this occasion, we’re also going to install the Root Checker application to verify and validate that currently the device is not rooted but will be later:
We install the application by dragging it onto the emulator or by executing the command adb install :
If we remember, to be able to install Magisk on our physical device and become superuser, we had to enable developer options to unlock USB debugging as well as unlock the OEM. Can we replicate the procedure used in that scenario for an emulated device? Let’s check it out and find out.
- Settings → About emulated device → Tap 7 times on Build number
- Settings → System → Developer options
In case anyone was wondering, indeed USB debugging on emulated devices is enabled by default, and that’s why tools like adb can be used from the device’s creation without having to enable these options:
However, no matter how much we search for the option to disable OEM unlocking, I’ll tell you right now that you won’t find it. On emulated devices, this option doesn’t exist and it makes perfect sense: that option allows, among other things, the modification of the Android operating system, but in Android Studio if you don’t like the device you’ve emulated, you create another one. There’s no Recovery mode, so there’s no bootloader to unlock. In fact, you can check for yourselves that if you execute the command adb reboot bootloader nothing happens.
But don’t worry, we have a much faster and simpler way to root the device with Magisk than the one used on physical phones.
Before Starting: Adding adb Tool to Path
You may already have it correctly configured, but just in case, we’re going to explain how to add the adb tool to the Windows path so you can execute it from any directory, which will be necessary for performing the procedure without setbacks.
To do this, we’ll do the following:
- System → Advanced system settings → Environment variables
- System variables → Path → Edit
- New → Add the path to the folder where we have adb (platform-tools)
REMEMBER: When downloading Android Studio and installing the SDK Tools, the platform-tools folder with adb is by default in the directory:
- C:\Users\\AppData\Local\Android\Sdk\platform-tools
Tool for Installing Magisk: rootAVD
The description of the rootAVD tool literally says it’s a script to root AVDs running with the QEMU emulator from Android Studio. Using my words, it’s a tool that roots an emulated device based on QEMU (processor emulator based on dynamic binary translation) from the Android Studio software. You can find the tool on GitHub, but in that repository they say that where it’s updated is on GitLab, so I’ll leave you both links but use the latter:
To download it, we have two options: we can execute the git clone command along with the repository link from PowerShell if we have Git installed on our computer (Download Git for Windows) or if we wanted to download it on a Linux machine (although you already know that for mobile audits we work on Windows). You can also download it from the GitLab repository from the Code tab in zip format as you can see below:
Once downloaded (and decompressed if necessary), we can access the tool’s folder. If we look, inside it we find the Magisk tool compressed in zip format ready for installation in the emulator’s system, but if we pay attention to the version, we’ll see that the one ready to install is v26.4. However, the latest version available in its official repository is v.28.0 (as of the writing of this post). This is due, from what I’ve been able to read and deduce (since they don’t specify it in the repository itself), to the fact that they’re incorporating versions based on patches and stability they obtain during development. Let’s not forget that working in virtualized environments is not the same as doing it on physical devices. Likewise, during the installation process we’ll have the option to install version v.27 (which is the latest official stable version) instead of what is considered the local stable version.
Once this is clarified, we have everything ready to execute the tool. If we review the repository, we can observe the steps to follow in the process, even several small videos of its execution on different operating systems. I’ll leave you the Windows one so you have it handy:
Before launching the tool, we’re going to execute the following command from the console to configure the environment variables for its operation:
set PATH=%LOCALAPPDATA%\Android\Sdk\platform-tools;%PATH% system-images\android-$API\google_apis_playstore\x86_64\Once this is done, we can now execute the tool following the following steps:
1. From the rootAVD folder, we execute rootAVD.bat:
2. We list all virtual machines with the ListAllAVDs parameter:
3. We select the emulator we’re using, which can be differentiated by the API version (30 for Android 11.0) and the image used (x86):
4. Now we need to be attentive because during the process there will be an interruption in which we’ll have to choose the version we want to install. By default, if we don’t touch anything, the version that appears downloaded in the folder will be installed, but we’re interested in installing the most recent stable version, which as we said earlier is v.27.0. Therefore, we’ll write a 2 and press Enter at this point:
After this, we’ll let the process finish automatically, which will cause the emulated device to close automatically, so don’t worry, it’s normal. Once this is done, we’ll start the device in Cold Boot mode, which will restart our Android completely:
Once we have the emulator operational and access the Magisk application, it will ask us that it needs to make an additional configuration and reboot again:
At this point, we have the application correctly installed and the device is rooted:
To check it, we’ll open our cmd to open a shell on the device using adb shell and then execute the su command. A window will appear on the device with which we’ll have to grant superuser permissions to the console as shown below:
We can check where we grant superuser permissions in the Superuser tab of the Magisk application:
At this point, if we run the Root Checker application again, the box to grant permission to this application will appear again and it will indicate that we are root:
IMPORTANT: A great advantage of using Magisk is that we can revoke superuser rights at any time from any application to which we’ve previously granted them. This would allow us to run applications that have detection of these permissions. As an example, below is shown how we can revert the root detection of the previous application:
Installing Burp Suite Certificate Through Magisk
Although we’ve seen this process on previous occasions, I think this post deserves to review the explanation (it’s necessary that we have Burp Suite installed). We open this software with the Android emulator running as we had left it previously. We configure both parts to tunnel traffic as follows:
- Burp Suite:
- Proxy → Proxy Settings → Add → We add the IP of our Windows machine
- Android Emulator:
- Settings → Network & interfaces → Wifi → Network Details → Edit → Proxy → Manual → Add the same IP and port as in Burp Suite
Depending on the device model you’ve emulated, the previous steps may vary a bit, but the essence is the same. It’s important that you disable data and only have wifi working on the emulator for what we’re doing to make sense.
If everything went well and the configuration is correct, you won’t be able to browse the Internet from the emulator’s browser:
Where we will be able to access is the http://burpsuite path from where we’ll download and install its CA certificate by modifying the extension under the name cacert.cer. It’s possible that you’ll have to install the certificate from Settings if it doesn’t let you do it automatically:
Once we have the certificate installed, we’re going to download the Magisk module that allows us to move the certificate we just downloaded to the system so that http traffic can be intercepted. To do this, we’ll have to download it on Windows and move the file to our Android since the emulator’s proxy doesn’t allow us Internet traffic (or disable the proxy, download it and re-enable it, but that’s more hassle).
Having the file on Android, we’ll access the Magisk application and in the Modules tab we’ll select the Install from storage option, and we’ll choose the module’s zip file that will be in the Downloads folder:
It will ask for a device reboot after which the process will have been completed successfully. We can verify it by reviewing the system’s trusted certificates:
Now we can browse and verify that our traffic is going through Burp Suite:
Frida Through Magisk
Surely after seeing the Magisk module for installing the Burp Suite certificate, many of you have wondered if this tool also has a module related to Frida. Indeed, it does. If you’ve investigated a bit about Magisk, you may have found several official websites where they talk about the modules you can find. Some examples are:
I remind you that if you haven’t installed Frida yet or have any doubts about it, you can find all the necessary information in our guide on SSL Pinning bypass in Android applications.
To verify that there are indeed some http requests that we cannot intercept due to ssl pinning, we’re going to download and install an application designed for testing called AndroGoat:
Once installed, we’ll open it and click on the first option called Network Intercepting:
In this section, we find 3 buttons. With Burp Suite open and with the proxy configuration performed previously, we’re going to click on the https button to verify that it works correctly:
However, when clicking on the Certificate Pinning button, nothing happens, as expected:
Once this check is done, we’re going to install the Frida module that will allow us to use the tool to bypass ssl pinning. What this module will do is install and run the frida-server inside the Android emulator. It’s located at the following link:
To guarantee its operation, we have to make sure that the version of Frida installed on our computer is the same as the version of the module we’re going to install on the device. Since the version we’re downloading is the latest, what we’ll do is update Frida from the console with the following command:
pip3 install --upgrade frida
In case you get any error, update the frida-tools using pip install frida-tools or by selecting the versions you want to install manually as follows:
pip install frida==16.5.9 frida-tools==13.6.0Once we have everything in sync, we proceed to install the module in the same way we did with the previous one. From the modules tab of Magisk we choose the zip file we’ve previously introduced in the device:
To check that everything has worked correctly, from our console we can open a terminal in the emulator with adb shell and being root execute the command netstat -tupln where we can quickly visualize that there’s a frida-server process running on port 27042:
Knowing that the frida-server is running, we can now execute Frida to bypass ssl pinning. We open AndroGoat again so that Frida and Objection can find it and we’re going to execute the following commands:
- Frida-ps -Uai → We list the running applications on the emulator.
- Objection -g explore → We execute Objection indicating the PID of the application to operate with it (you can also do it with the name but this one has many spaces and hyphens and may give an error).
- Android ssl pinning disabled → Command to bypass ssl pinning.
Now that we have everything ready, we click the Certificate Pinning button of the application again and we intercept the request perfectly:
Additionally, we can corroborate this bypass from Objection since the calls to the functions that have been manipulated to intercept traffic appear in the console:
Conclusion
To be honest, this new virtualized environment configuration using Magisk and its modules is much more comfortable and easier to configure than the standard way we had seen previously in other posts. I highly recommend you try it, although it may seem long, it’s a super fast process that doesn’t give any kind of errors.
I hope you liked it and that it helps you work comfortably if you don’t have a physical device. Do you like Magisk? Have you used it before? Share your experience with me!
Thanks for being on the other side! Cheers! 🙂