(。◕‿‿◕。) Sylvain's blog

Setup an Android pentest environment

Aug 12, 2019

Introduction

In this post, I’ll guide you through the process of setting up a phone and proxying its requests through Burp, and maybe have a little bit of fun in the end. The method used in this post bypasses some SSL pinning implementations (pinning is an additional protection where the app checks that the server’s SSL certificate is the one it expects, rather than any certificate the system trusts), but not all of them, unfortunately :(
This post requires a minimal knowledge of your OS, Android and Burp.
DISCLAIMER: I am in no way responsible for what you do with this knowledge, nor am I responsible if you break your device trying to set this up.

Prerequisite

For this post, I highly suggest that you buy a cheap Android phone, or use an old one, as you’ll be installing some nasty mods that you really shouldn’t have on your daily driver, and if you do something wrong you can break it.
I’ll be using a Huawei P8 Lite 2016, but don’t buy a Huawei or an Honor phone for pentest purposes, as they don’t let you OEM unlock the bootloader (more on that later), and you’ll end up paying for some obscure software to unlock it (:

If you buy a phone, verify that you can indeed install LineageOS on it beforehand.

Preparation

Once you have a phone ready to be defaced, you need to enable developer mode. To do so, you only have to tap 7 times on the Build number option in the About phone tab.
Then go into the developer options and enable Android debugging (called USB debugging on some builds). While you’re there you can enable OEM unlock; this option allows you to unlock the bootloader and install another ROM on your device. If it is not in this menu, search for how to OEM unlock your specific device.
Once this is done, plug your phone into your computer (yeah, you also need a computer), and it is ready.

On said computer you’ll need adb and fastboot. For Windows you should be able to get them here, but I don’t have any Windows machine, so I wish you luck.
For macOS users, I read that the following line should work, but I don’t have a Mac either to verify it.

brew cask install android-platform-tools

On Debian-based distros you can run the following; again, I’m not on Debian, but it’s supposed to work.

sudo apt-get install android-tools-adb android-tools-fastboot

For other distros, or even other OSes, figure it out :)

You can test your adb installation by running the following

sudo adb devices

It should show a prompt on your phone asking whether you want to allow your computer to access it. Click accept.
If the list is empty and you didn’t get the pop-up, check that your phone is plugged in; if it is, try every USB port of your computer. If it still doesn’t work, it can come from multiple things, like the USB cable. I can’t help you any further with that part.
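The "is my device actually usable" check above is easy to misread: `adb devices` also lists devices that are plugged in but stuck in `unauthorized` (the pop-up was never accepted) or `offline`. The following is an added example, not code from the original post, that classifies each line of `adb devices` output so those states are reported explicitly. It assumes the standard output format of `adb devices` (a header line, then one `<serial><TAB><state>` line per device); the sample output below is constructed, so the script runs without a phone attached.

```shell
#!/bin/sh
# Added example (not from the original post): classify the state of each
# device listed by `adb devices`, so an empty list, an "unauthorized" device
# (USB debugging prompt not accepted yet) or an "offline" one is reported
# instead of silently ignored.

# adb_device_state: reads `adb devices` output on stdin and prints one
# "<serial> <verdict>" line per device, or "none" if nothing is attached.
adb_device_state() {
    found=0
    while IFS= read -r line; do
        # Skip the header, daemon start-up messages and blank lines.
        case "$line" in
            "List of devices attached"*|"* daemon"*|"") continue ;;
        esac
        serial=$(printf '%s' "$line" | awk '{print $1}')
        state=$(printf '%s' "$line" | awk '{print $2}')
        found=1
        case "$state" in
            device)       printf '%s ok\n' "$serial" ;;
            unauthorized) printf '%s accept-the-usb-debugging-prompt\n' "$serial" ;;
            offline)      printf '%s replug-or-try-another-port\n' "$serial" ;;
            *)            printf '%s unknown-state:%s\n' "$serial" "$state" ;;
        esac
    done
    [ "$found" -eq 1 ] || printf 'none\n'
}

# Constructed sample output, in the format `adb devices` prints (tab-separated).
SAMPLE='List of devices attached
ABC123456789	device
ZZZ000000001	unauthorized
'

# Real usage would be:  sudo adb devices | adb_device_state
printf '%s' "$SAMPLE" | adb_device_state
```

Run it against the real command with `sudo adb devices | adb_device_state`; anything other than `ok` next to your serial means the later `adb reboot bootloader` and `adb sideload` steps will fail, so fix that first.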

Install TWRP

Now that you can control your smartphone from your computer, we will change the ROM to a more vanilla experience. To do so, we will need TWRP.
What is TWRP, you may ask? The answer is in their About section.

A custom recovery used for installing custom software.

With TWRP, you can install another ROM on your smartphone, and do pretty much anything you want starting from there.

Start by finding your device in their list, then download the .img from the Download links section.

Once your pretty .img is downloaded, you can reboot your phone into the bootloader by running

sudo adb reboot bootloader

If everything went smoothly, your phone should display an ugly screen. Check that your computer can still access it by running

sudo fastboot devices

Now you just have to run

sudo fastboot flash recovery twrp.img
sudo fastboot reboot

When your phone shuts down, hold down the power button and the volume down key, to boot into recovery. You should now see a TWRP logo, and after a while a fancy menu. Click on Wipe, Advanced wipe and tick the following

Now do a swipe, and your previous ROM will be gone. Smash the back button until you’re back to the main menu.

Install LineageOS

Now let’s install LineageOS to have a fresh stock Android, without any wonderful Google app. Start by checking whether your device is officially supported on their download page; if it’s not, search for "your device" lineageos, and there is more than likely an unofficial ROM made by some sort of god on XDA. Now that you have downloaded your fancy zip, you can go back to your phone. Click on Advanced, then ADB Sideload. Tick both checkboxes, and do a swipe again. Your phone should now be waiting, displaying some logs ending with

Staring ADB sideload feature...

On your computer, run

sudo adb sideload <your fancy rom.zip>

While your ROM is being installed, you can watch some intriguing videos, or do anything you want, I’m not your mother. When it’s done the screen should light up, and you can click on Reboot System. If it says that you have no OS installed, don’t worry, it’s okay, reboot anyway. Go through the Android setup, I’m sure you don’t need help for that :)

Root your phone

Now that we have a pretty good base, we can actually start the interesting stuff! Once again enable the USB debugging feature, then run

sudo adb reboot recovery

While your phone is rebooting, download the su add-on (addonsu) matching your LineageOS version. At that point your phone should be on the main menu of TWRP again; click Advanced, then ADB Sideload. Tick both checkboxes again, swipe, then run the following command on your computer

sudo adb sideload <addonsu.zip>

(optional) Install Gapps

You might need Google Play services or other stuff from Google; if so, download what you need from Open GApps. Then it is the same method as with addonsu: go to ADB Sideload on your phone, then run

sudo adb sideload <gapps.zip>

Install the Xposed framework

You can now reboot your phone.

sudo adb reboot

Once your phone has started again, go to the developer options and set Root access to Apps and ADB.

Having a rooted phone is nice. But the Xposed framework takes it a step further, by letting you add some modules that will be quite useful ;)
Download the Xposed framework installer APK from this thread, then run

sudo adb install <xposedInstaller.apk>

You should now have an app called Xposed Installer in your app drawer. Start it, and click on INSTALL / UPDATE, then Install. The Xposed framework should install itself, and the phone restarts once it’s done.

Install JustTrustMe

Now that you have the incredible Xposed framework, you can install an amazing module called JustTrustMe. It disables SSL certificate verification in a lot of apps. To install it, just download the latest version from this link, then run

sudo adb install <justTrustMe.apk>

A notification should appear on your phone, saying that the module isn’t activated yet. Go to the Xposed Installer app, go to the modules tab, tick the box of JustTrustMe, and reboot your phone.

You can run the following command, if you wanna look like a cool kid.

sudo adb reboot

Install ProxyDroid

Without Google Play Store

I personally use this site to download APKs when I don’t install the Play Store. You need to download ProxyDroid. Download it on your computer, then run

sudo adb install <proxydroid.apk>

With Google Play Store

You just need to install ProxyDroid.

Configure ProxyDroid

Open ProxyDroid. Change the host to the IP of your computer, the port to 8080, and set it either as a global proxy or an individual proxy. Individual proxy is useful when you have Play Services or plenty of apps and only want the requests from one app. Enable it, and your phone configuration is done.

Configure Burp

Go to the Proxy tab, then Options. Once in there, edit the running listener, and bind it to all interfaces instead of loopback only (note that this makes your Burp listener reachable by every machine on the same network, not just the phone, so do it on a network you trust). Now you can have fun and enjoy testing any app you want :)
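The most common reason the phone never shows up in Burp is that the listener is still bound to loopback, so the ProxyDroid host/port setting points at something the phone cannot reach. The following is an added example, not code from the original post, that checks how the port-8080 listener is bound by reading `ss -ltn` style output. It assumes the usual `ss -ltn` column layout (the fourth column being `Local Address:Port`); the sample lines below are constructed, so it runs without Burp installed.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the Burp
# listener on a given port is reachable only from this computer
# (loopback), from every interface (what the phone needs), or from one
# specific address. Input is `ss -ltn` output on stdin.

# burp_listener_scope <port>: prints loopback-only, all-interfaces,
# specific:<addr>, or not-listening.
burp_listener_scope() {
    port="$1"
    verdict="not-listening"
    while IFS= read -r line; do
        # ss -ltn columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        local_addr=$(printf '%s' "$line" | awk '{print $4}')
        case "$local_addr" in
            *:"$port") ;;          # a listener on the port we care about
            *) continue ;;         # header line or some other port
        esac
        addr=${local_addr%:*}      # strip the trailing :port
        case "$addr" in
            127.*|"[::1]")      verdict="loopback-only" ;;
            0.0.0.0|"*"|"[::]") verdict="all-interfaces" ;;
            *)                  verdict="specific:$addr" ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Constructed sample: Burp still on loopback, plus an unrelated sshd listener.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Real usage would be:  ss -ltn | burp_listener_scope 8080
result=$(printf '%s\n' "$SAMPLE" | burp_listener_scope 8080)
printf 'burp listener on 8080: %s\n' "$result"
[ "$result" = "all-interfaces" ] || \
    printf 'phone cannot reach it: rebind the listener in Burp, Proxy > Options\n'
```

`all-interfaces` (or `specific:<your LAN IP>`) is what you want before enabling ProxyDroid; `loopback-only` means only the computer itself can use the proxy, and `not-listening` means the listener is stopped or on another port.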