☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Thank you very much to @offsecjay for his help while creating this content.
Android Studio lets you run Android virtual machines that you can use to test APKs. In order to use them you will need:
- The Android SDK tools - Download here.
- Or Android Studio (with Android SDK tools) - Download here.
On Windows (in my case), after installing Android Studio I had the SDK Tools installed in: C:\Users\<UserName>\AppData\Local\Android\Sdk\tools
On macOS you can download the SDK tools and have them in the PATH by running:
brew tap homebrew/cask
brew install --cask android-sdk
Or from the Android Studio GUI as indicated in https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a, which will install them in ~/Library/Android/sdk/cmdline-tools/latest/bin/, ~/Library/Android/sdk/platform-tools/ and ~/Library/Android/sdk/emulator/
If you run into Java errors, point JAVA_HOME at the JDK bundled with Android Studio:
export JAVA_HOME=/Applications/Android\ Studio.app/Contents/jbr/Contents/Home
If you installed Android Studio, you can just open the main project view and access: Tools --> AVD Manager.
Then, click on Create Virtual Device, select the phone you want to use and click on Next.
{% hint style="warning" %}
If you need a phone with Play Store installed select one with the Play Store icon on it!
{% endhint %}
In the current view you are going to be able to select and download the Android image that the phone is going to run:
So, select it and if it isn't downloaded click on the Download symbol next to the name (now wait until the image is downloaded).
Once the image is downloaded, just select Next and Finish.
The virtual machine will be created. Now every time that you access AVD manager it will be present.
In order to run it just press the Start button.
First of all you need to decide which phone you want to use. In order to see the list of possible phones, execute:
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list device
id: 0 or "automotive_1024p_landscape"
Name: Automotive (1024p landscape)
OEM : Google
Tag : android-automotive-playstore
---------
id: 1 or "Galaxy Nexus"
Name: Galaxy Nexus
OEM : Google
---------
id: 2 or "desktop_large"
Name: Large Desktop
OEM : Google
Tag : android-desktop
---------
id: 3 or "desktop_medium"
Name: Medium Desktop
OEM : Google
Tag : android-desktop
---------
id: 4 or "Nexus 10"
Name: Nexus 10
OEM : Google
[...]
Once you have decided the name of the device you want to use, you need to decide which Android image you want to run on this device.
You can list all the options using sdkmanager:
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat --list
And download the one (or all) you want to use with:
{% code overflow="wrap" %}
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat "platforms;android-28" "system-images;android-28;google_apis;x86_64"
{% endcode %}
Once you have downloaded the Android image you want to use you can list all the downloaded Android images with:
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list target
----------
id: 1 or "android-28"
Name: Android API 28
Type: Platform
API level: 28
Revision: 6
----------
id: 2 or "android-29"
Name: Android API 29
Type: Platform
API level: 29
Revision: 4
At this moment you have decided the device you want to use and you have downloaded the Android image, so you can create the virtual machine using:
{% code overflow="wrap" %}
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat -v create avd -k "system-images;android-28;google_apis;x86_64" -n "AVD9" -d "Nexus 5X"
{% endcode %}
In the last command I created a VM named "AVD9" using the device "Nexus 5X" and the Android image "system-images;android-28;google_apis;x86_64".
Now you can list the virtual machines you have created with:
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list avd
Name: AVD9
Device: Nexus 5X (Google)
Path: C:\Users\cpolo\.android\avd\AVD9.avd
Target: Google APIs (Google Inc.)
Based on: Android API 28 Tag/ABI: google_apis/x86_64
The following Android Virtual Devices could not be loaded:
Name: Pixel_2_API_27
Path: C:\Users\cpolo\.android\avd\Pixel_2_API_27_1.avd
Error: Google pixel_2 no longer exists as a device
We have already seen how you can list the created virtual machines, but you can also list them using:
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -list-avds
AVD9
Pixel_2_API_27
You can simply run any virtual machine created using:
{% code overflow="wrap" %}
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "VirtualMachineName"
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9"
{% endcode %}
Or, using more advanced options, you can run a virtual machine like:
{% code overflow="wrap" %}
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
{% endcode %}
However, there are a lot of useful command-line options you can use when starting a virtual machine. Below you can find some interesting ones, but you can find the complete list here.
Boot
- `-snapshot name`: Start the VM from the given snapshot
- `-snapshot-list -snapstorage ~/.android/avd/Nexus_5X_API_23.avd/snapshots-test.img`: List all the snapshots recorded
Network
- `-dns-server 192.0.2.0, 192.0.2.255`: Comma-separated list of DNS servers to give to the VM.
- `-http-proxy 192.168.1.12:8080`: HTTP proxy to use (very useful to capture the traffic using Burp)
- `-port 5556`: Set the TCP port number that's used for the console and adb.
- `-ports 5556,5559`: Set the TCP ports used for the console and adb.
- `-tcpdump /path/dumpfile.cap`: Capture all the traffic in a file
System
- `-selinux {disabled|permissive}`: Set the Security-Enhanced Linux security module to either disabled or permissive mode on a Linux operating system.
- `-timezone Europe/Paris`: Set the timezone for the virtual device
- `-screen {touch(default)|multi-touch|no-touch}`: Set the emulated touch screen mode.
- `-writable-system`: Use this option to have a writable system image during your emulation session. You will also need to run `adb root; adb remount`. This is very useful to install a new certificate in the system.
If you downloaded a device with Play Store you are not going to be able to get root directly, and you will get this error message:
$ adb root
adbd cannot run as root in production builds
Using rootAVD with Magisk I was able to root it (follow for example this video or this one).
First of all you need to download the DER certificate from Burp. You can do this in Proxy --> Options --> Import / Export CA certificate
Export the certificate in DER format and let's transform it to a form that Android is going to be able to understand. Note that in order to configure the Burp certificate on the Android machine in AVD you need to run this machine with the -writable-system option.
For example you can run it like:
{% code overflow="wrap" %}
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
{% endcode %}
Then, to configure Burp's certificate do:
{% code overflow="wrap" %}
openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem
CERTHASHNAME="`openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -1`.0"
mv burp_cacert.pem $CERTHASHNAME #Correct name
adb root && sleep 2 && adb remount #Allow to write on /system
adb push $CERTHASHNAME /sdcard/ #Upload certificate
adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correct location
adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges
adb reboot #Now, reboot the machine
{% endcode %}
Once the machine finishes rebooting, the Burp certificate will be in use by it!
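Computing the cacerts filename without openssl, as an added example (not HackTricks' own code): the block below re-implements the `-subject_hash_old` step in Python, parses the Subject Name out of a DER or PEM certificate and returns the `<hash>.0` name the commands above expect. `build_sample_cert` is a hypothetical helper that only constructs a placeholder certificate so the code runs offline; feed `cacert_filename` the bytes of the real `burp_cacert.der` to get the name for your Burp CA.

```python
import base64
import hashlib
def _der(tag, content):
    # Encode one DER TLV (short-form length; enough for the small sample below).
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def _tlv(buf, pos):
    # Read the TLV header at pos -> (tag, content_start, content_end); handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def load_cert(data):
    # Accept the DER file Burp exports or the PEM produced by `openssl x509`.
    if isinstance(data, str):
        body = "".join(l for l in data.splitlines() if not l.startswith("-----"))
        return base64.b64decode(body)
    return bytes(data)

def subject_der(cert):
    # Walk Certificate -> tbsCertificate and return the DER of the Subject Name.
    _, pos, _ = _tlv(cert, 0)
    _, pos, _ = _tlv(cert, pos)
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:              # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):           # skip serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert, pos)
    _, _, end = _tlv(cert, pos)
    return cert[pos:end]

def cacert_filename(data, index=0):
    # X509_NAME_hash_old: MD5 over the DER subject, first 4 bytes read little-endian.
    digest = hashlib.md5(subject_der(load_cert(data))).digest()
    return f"{int.from_bytes(digest[:4], 'little'):08x}.{index}"

def build_sample_cert(issuer_cn, subject_cn):
    # Constructed, unsigned placeholder certificate: sample input only, not a real CA.
    def name(cn):
        atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
        return _der(0x30, _der(0x31, atv))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")          # version v3, serial 1
           + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
           + name(issuer_cn) + _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"330101000000Z"))
           + name(subject_cn) + _der(0x30, b""))                          # subject, empty SPKI
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

SAMPLE_DER = build_sample_cert("Example Issuer", "PortSwigger CA")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(SAMPLE_DER).decode()
```

Because the name is derived only from the subject, the same Burp CA always maps to the same file in /system/etc/security/cacerts/, which is how you can check whether it is already installed.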
If you rooted your device with Magisk (maybe an emulator), and you can't follow the previous steps to install the Burp cert because the filesystem is read-only and you cannot remount it writable, there is another way.
Explained in this video, you need to:
- Install a CA certificate: Just drag&drop the DER Burp certificate, changing the extension to .crt, onto the mobile so it's stored in the Downloads folder, and go to Install a certificate -> CA certificate
- Check that the certificate was correctly stored by going to Trusted credentials -> USER
- Make it System trusted: Download the Magisk module MagiskTrustUserCerts (a .zip file), drag&drop it onto the phone, go to the Magisk app on the phone, open the Modules section, click on Install from storage, select the .zip module and once installed reboot the phone.
- After rebooting, go to Trusted credentials -> SYSTEM and check that the PortSwigger cert is there
You can use the GUI to take a snapshot of the VM at any time: