
How to easily set up a hacking lab for Android apps using Genymotion in 5 steps

July 24, 2022 by thehackerish

Introduction: Why is an Android hacking lab necessary?

In this article, I will show you how you can easily set up your own Android hacking lab, ready for learning, practicing and testing your customers' Android applications.

With the huge market of mobile applications, knowing how to test Android applications for security vulnerabilities is a crucial skill any penetration tester or ethical hacker should have. However, Android hacking is not as easy as opening your web browser and configuring your web proxy. The entry barrier is certainly higher.

Towards the end, I will share some tips to overcome some known issues you might encounter during the setup process.

Step 1 – Setting up VirtualBox

I am sure most of you use either VirtualBox or VMware, but for those who don’t know, VirtualBox is software that allows you to run virtual machines on your physical computer. Genymotion requires it to be able to run properly.

To start using VirtualBox, you need to download and install it. In the following steps, we will show you how to do this.

  1. First, go to the VirtualBox website and find the latest version for your operating system in their downloads section at https://www.virtualbox.org/wiki/Downloads.
  2. Choose and download your desired version of VirtualBox. There are versions for the most widely used operating systems.
  3. The installation file should now be downloaded onto your computer.
  4. Open up the installation file and follow through with any prompts during installation.

If you want to see it in action, head to this article.

Step 2 – Setting up Genymotion

Genymotion is a powerful Android emulator that allows users to test their apps without the need for any physical devices. It’s great for penetration testers who want to look for security vulnerabilities, but don’t have access to a physical device for testing purposes.

Although it is paid software, you can use it for free for personal work, which is ideal for those who want to start learning Android hacking. Here are the steps you need to follow:

  1. Go to https://www.genymotion.com/download/ and download Genymotion Desktop for your OS. There are versions for Windows, Linux and macOS.
  2. Install and run Genymotion Desktop.
  3. Create an account if you don’t have one yet.
  4. Log in to Genymotion Desktop and choose Personal use when prompted.

Step 3 – Creating and configuring an Android emulator

Now that you have Genymotion installed, this section will teach you how to create an Android Emulator in Genymotion.

  1. Open the Genymotion installation you have just set up, and select ‘Add Virtual Device’ by clicking on the + button in the upper-right corner. You can also hit Ctrl+N as a keyboard shortcut.
  2. Choose a device from the list. There are plenty to choose from. You can also narrow your search by applying filters.
  3. Give your Virtual Android device a name. For the most part, you can go with the default configuration settings.
  4. Click the Install button. Genymotion will automatically download and configure your device.
  5. Once done, simply click on the three-dot button on the right of the emulator and then hit the start button.
Adding a new emulator to your Android hacking lab

Step 4 – Downloading and importing the Android app

There are two ways to install the app.

Download the Android app from the Google Play Store

The Android app is available in the Play Store and can be easily downloaded and installed. You just have to click on the “Install Open Gapps” button and follow the steps to install the packages on the emulator. Once done, you can open the Google Play Store and download the application you want, like you would normally do on a physical Android device.

Open Gapps button to install Play services in the Android emulator

Getting Android apps from third-party websites

You can also download APK files from third-party websites which provide their own version of the app. However, you should note that downloading APKs from these sources may not be safe. You have no guarantee that you are downloading the exact Android application rather than a variation that might include some kind of malware. For this reason, never install applications from these websites on your real Android smartphone.
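Before installing a third-party APK, you can compare its signing certificate with the one on a copy you trust; the script below is an added example, not part of the original post. It assumes `apksigner` from the Android SDK build-tools is on the PATH and that you already hold a trusted SHA-256 certificate digest (for instance, read from a copy installed through the Play Store); the function names and the sample digest are constructed.

```shell
#!/bin/sh
# Added example: check that an APK is signed by the certificate you expect.

# Constructed sample of `apksigner verify --print-certs` output (not a real app).
block=0123456789abcdef
SAMPLE_DIGEST=$block$block$block$block
SAMPLE_OUTPUT="Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: $SAMPLE_DIGEST
Signer #1 certificate SHA-1 digest: (omitted)"

# Read apksigner output on stdin; print each distinct signer SHA-256 digest.
signer_digests() {
  sed -n 's/^Signer.* certificate SHA-256 digest: \([0-9a-fA-F]\{64\}\)$/\1/p' |
    tr 'A-F' 'a-f' | sort -u
}

# $1 = trusted digest, stdin = apksigner output.
# Succeeds only when exactly one signer is present and it matches; extra or
# unknown signers make the comparison fail on purpose.
same_signer() {
  expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  found=$(signer_digests)
  [ -n "$found" ] && [ "$found" = "$expected" ]
}

# $1 = path to the APK, $2 = trusted digest.
check_apk() {
  # A failed signature verification must not be hidden by the pipe below.
  out=$(apksigner verify --print-certs "$1") || {
    echo "signature does not verify: $1" >&2; return 1; }
  printf '%s\n' "$out" | same_signer "$2"
}

# Usage: sh check_apk.sh app.apk <trusted-sha256-digest>
if [ $# -eq 2 ]; then
  check_apk "$1" "$2" && echo "signer matches" || { echo "signer differs" >&2; exit 1; }
fi
```

A matching signer only shows that the package comes from the same key holder; it says nothing about what the app itself does.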

Once you have the APK package of the Android app you want to hack, simply drag and drop it onto the emulator. After a few seconds, your app should be installed.

Step 5 – Configure your web proxy

In order to test your application at runtime, you need a web proxy to inspect the traffic traveling over the wire. Here are the steps you need to follow for Burp Suite, which is one of the best-known web proxies used by security professionals.

You can download and install the Burp Suite Community Edition, which is free.

Configure the proxy using Genymotion’s preferences

This is the easiest way to configure your web proxy.

  1. Open Genymotion and go to Genymotion > Preferences from the top menu.
  2. Choose “Network” and set the IP and port of the machine running the Burp Suite proxy, as shown below.
Genymotion network configuration for the Android hacking lab

Configure the proxy from within the Android emulator

If the first proxy configuration did not work for you, you can always configure the Android emulator directly.

  1. From the Wi-Fi networks list shown by your Android emulator, choose the one you are connected to.
  2. Tap the gear button next to it, then choose Advanced > Proxy > Manual.
  3. Enter the IP address of the computer that is running Burp Suite in the “Host” field.
  4. Enter the port number that Burp Suite is listening on in the “Port” field.
  5. Save your configuration.

Now, when you navigate to a website from the Android emulator, you should see some traffic going through Burp Suite. If SSL pinning is not configured in your target Android app, you will be able to capture live traffic on your Burp Suite instance as well.
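The same proxy setting can also be applied from the host over adb, which goes beyond the two methods above; this script is an added example, not part of the original post. It assumes adb is on the PATH, the emulator is the only connected device, and Burp is listening on an address the emulator can reach; 192.168.56.1 and 8080 are constructed sample values and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: point a running emulator at an intercepting proxy over adb.
# Burp's default listener binds to 127.0.0.1 only, and inside the emulator
# 127.0.0.1 is the emulator itself, so loopback addresses are rejected here.

# Succeed only for a non-loopback dotted-quad IPv4 host and a port in 1-65535.
valid_proxy() {
  host=$1; port=$2
  case $host in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $host            # split the address into its octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  [ "$1" -ne 127 ] || return 1
  case $port in ''|*[!0-9]*) return 1 ;; esac
  [ ${#port} -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the adb command that sets the device-wide HTTP proxy to host:port.
proxy_set_cmd() {
  valid_proxy "$1" "$2" || { echo "refusing proxy '$1:$2'" >&2; return 1; }
  printf 'adb shell settings put global http_proxy %s:%s\n' "$1" "$2"
}

# Print the adb command that removes the proxy again (":0" clears it).
proxy_clear_cmd() {
  printf 'adb shell settings put global http_proxy :0\n'
}

# Apply for real: APPLY=1 sh set_proxy.sh 192.168.56.1 8080   (sample values)
if [ "${APPLY:-0}" = 1 ]; then
  cmd=$(proxy_set_cmd "$1" "$2") || exit 1
  $cmd && adb shell settings get global http_proxy   # read the value back
fi
```

Run the command printed by `proxy_clear_cmd` when you finish testing, otherwise the emulator loses connectivity as soon as Burp is closed.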

Conclusion and Resources

In this blog post, you learned how to easily set up your own Android hacking lab environment to start learning Android hacking skills. Now it is time to find a mobile application and start experimenting.

For further reading, here are some useful resources.

https://github.com/B3nac/Android-Reports-and-Resources

https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet

https://github.com/randorisec/MobileHackingCheatSheet
