hacktricks/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md

# AVD - Android Virtual Device

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

Thank you very much to [**@offsecjay**](https://twitter.com/offsecjay) for his help while creating this content.

## What is

Android Studio allows to **run virtual machines of Android that you can use to test APKs**. In order to use them you will need:

* The **Android SDK tools** - [Download here](https://developer.android.com/studio/releases/sdk-tools).
* Or **Android Studio** (with Android SDK tools) - [Download here](https://developer.android.com/studio).

In Windows (in my case) **after installing Android Studio** I had the **SDK Tools installed in**: `C:\Users\<UserName>\AppData\Local\Android\Sdk\tools`

In mac you can **download the SDK tools** and have them in the PATH running:

```bash
brew tap homebrew/cask
brew install --cask android-sdk
```

Or from **Android Studio GUI** as indicated in [https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a](https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a) which will install them in `~/Library/Android/sdk/cmdline-tools/latest/bin/` and `~/Library/Android/sdk/platform-tools/` and `~/Library/Android/sdk/emulator/`

For the Java problems:&#x20;

```java
export JAVA_HOME=/Applications/Android\ Studio.app/Contents/jbr/Contents/Home
```

## GUI

### Prepare Virtual Machine

If you installed Android Studio, you can just open the main project view and access: _**Tools**_ --> _**AVD Manager.**_

<div align="center" data-full-width="false">

<figure><img src="../../.gitbook/assets/image (670).png" alt="" width="293"><figcaption></figcaption></figure>

</div>

Then, click on _**Create Virtual Device**_

<figure><img src="../../.gitbook/assets/image (671).png" alt="" width="188"><figcaption></figcaption></figure>

_**select** the phone you want to use_ and click on _**Next.**_

{% hint style="warning" %}
If you need a phone with Play Store installed select one with the Play Store icon on it!

![](<../../.gitbook/assets/image (672).png>)
{% endhint %}

In the current view you are going to be able to **select and download the Android image** that the phone is going to run:

<figure><img src="../../.gitbook/assets/image (673).png" alt="" width="375"><figcaption></figcaption></figure>

So, select it and if it isn't downloaded click on the _**Download**_ symbol next to the name (**now wait until the image is downloaded).**\
Once the image is downloaded, just select **`Next`** and **`Finish`**.

The virtual machine will be created. Now **every time that you access AVD manager it will be present**.

### Run Virtual Machine

In order to **run** it just press the _**Start button**_.

![](<../../.gitbook/assets/image (334).png>)

## Command Line tool

First of all you need to **decide which phone you want to use**, in order to see the list of possible phones execute:

```
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list device

d: 0 or "automotive_1024p_landscape"
    Name: Automotive (1024p landscape)
    OEM : Google
    Tag : android-automotive-playstore
---------
id: 1 or "Galaxy Nexus"
    Name: Galaxy Nexus
    OEM : Google
---------
id: 2 or "desktop_large"
    Name: Large Desktop
    OEM : Google
    Tag : android-desktop
---------
id: 3 or "desktop_medium"
    Name: Medium Desktop
    OEM : Google
    Tag : android-desktop
---------
id: 4 or "Nexus 10"
    Name: Nexus 10
    OEM : Google
[...]
```

Once you have decide the name of the device you want to use, you need to **decide which Android image you want to run in this device.**\
You can list all the options using `sdkmanager`:

```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat --list
```

And **download** the one (or all) you want to use with:

{% code overflow="wrap" %}
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat "platforms;android-28" "system-images;android-28;google_apis;x86_64"
```
{% endcode %}

Once you have downloaded the Android image you want to use you can **list all the downloaded Android images** with:

```
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list target
----------
id: 1 or "android-28"
     Name: Android API 28
     Type: Platform
     API level: 28
     Revision: 6
----------
id: 2 or "android-29"
     Name: Android API 29
     Type: Platform
     API level: 29
     Revision: 4
```

At this moment you have decided the device you want to use and you have downloaded the Android image, so **you can create the virtual machine using**:

{% code overflow="wrap" %}
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat -v create avd -k "system-images;android-28;google_apis;x86_64" -n "AVD9" -d "Nexus 5X"
```
{% endcode %}

In the last command **I created a VM named** "_AVD9_" using the **device** "_Nexus 5X_" and the **Android image** "_system-images;android-28;google\_apis;x86\_64_".\
Now you can **list the virtual machines** you have created with:

```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list avd

 Name: AVD9
  Device: Nexus 5X (Google)
    Path: C:\Users\cpolo\.android\avd\AVD9.avd
  Target: Google APIs (Google Inc.)
          Based on: Android API 28 Tag/ABI: google_apis/x86_64

The following Android Virtual Devices could not be loaded:
    Name: Pixel_2_API_27
    Path: C:\Users\cpolo\.android\avd\Pixel_2_API_27_1.avd
   Error: Google pixel_2 no longer exists as a device
```

### Run Virtual Machine

We have already seen how you can list the created virtual machines, but **you can also list them using**:

```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -list-avds
AVD9
Pixel_2_API_27
```

You can simply **run any virtual machine created** using:

{% code overflow="wrap" %}
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "VirtualMachineName"
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9"
```
{% endcode %}

Or using more advance options you can run a virtual machine like:

{% code overflow="wrap" %}
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```
{% endcode %}

### Command line options

However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)

**Boot**

* `-snapshot name` : Start VM snapshot
* `-snapshot-list -snapstorage ~/.android/avd/Nexus_5X_API_23.avd/snapshots-test.img` : List all the snapshots recorded

**Network**

* `-dns-server 192.0.2.0, 192.0.2.255` : Allow to indicate comma separated the DNS servers to the VM.
* **`-http-proxy 192.168.1.12:8080`** : Allow to indicate an HTTP proxy to use (very useful to capture the traffic using Burp)
* `-port 5556` : Set the TCP port number that's used for the console and adb.
* `-ports 5556,5559` : Set the TCP ports used for the console and adb.
* **`-tcpdump /path/dumpfile.cap`** : Capture all the traffic in a file

**System**

* `-selinux {disabled|permissive}` : Set the Security-Enhanced Linux security module to either disabled or permissive mode on a Linux operating system.
* `-timezone Europe/Paris` : Set the timezone for the virtual device
* `-screen {touch(default)|multi-touch|o-touch}` : Set emulated touch screen mode.
* **`-writable-system`** : Use this option to have a writable system image during your emulation session. You will need also to run `adb root; adb remount`. This is very useful to install a new certificate in the system.

## Rooting a Play Store device

If you downloaded a device with Play Store you are not going to be able to get root directly, and you will get this error message

```
$ adb root
adbd cannot run as root in production builds
```

Using [rootAVD](https://github.com/newbit1/rootAVD) with [Magisk](https://github.com/topjohnwu/Magisk) I was able to root it (follow for example [**this video**](https://www.youtube.com/watch?v=Wk0ixxmkzAI) **or** [**this one**](https://www.youtube.com/watch?v=qQicUW0svB8)).

## Install Burp certificate on a Virtual Machine

First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_

![](<../../.gitbook/assets/image (367).png>)

**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\
For example you can run it like:

{% code overflow="wrap" %}
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```
{% endcode %}

Then, to **configure burps certificate do**:

{% code overflow="wrap" %}
```bash
openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem
CERTHASHNAME="`openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -1`.0"
mv burp_cacert.pem $CERTHASHNAME #Correct name
adb root && sleep 2 && adb remount #Allow to write on /syste
adb push $CERTHASHNAME /sdcard/ #Upload certificate
adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correct location
adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges
adb reboot #Now, reboot the machine
```
{% endcode %}

Once the **machine finish rebooting** the burp certificate will be in use by it!

## Install Burp Certificate with Magisc

If you **rooted your device with Magisc** (maybe an emulator), and you **can't follow** the previous **steps** to install the Burp cert because the **filesystem is read-only** and you cannot remount it writable, there is another way.

Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you need to:

1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" width="164"><figcaption></figcaption></figure>

* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER`

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" width="334"><figcaption></figcaption></figure>

2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:

<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1).png" alt="" width="345"><figcaption></figcaption></figure>

* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there

<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1).png" alt="" width="314"><figcaption></figcaption></figure>

## Nice AVD Options

### Take a Snapshot

You can **use the GUI** to take a snapshot of the VM at any time:

![](<../../.gitbook/assets/image (336).png>)

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>