Android App Pentesting Quickstart

7 minutes to read

I still find myself regularly referring to Eugene Lim’s fantastic start-up guide for iOS penetration testing. My iOS testing device has a tethered jailbreak, so I sometimes find myself having to reconfigure my environment and when doing so, the details matter. Getting it right the first time ensures that you won’t spend hours troubleshooting something that used to work but is now inexplicably broken.

Android testing usually goes hand in hand with iOS testing, although setting up a testing environment on this platform is considerably more varied and can be confusing. This is mostly due to the wide range of devices in the Android ecosystem and each manufacturer’s different customizations of both hardware and software. There are plenty of guides out there on the topic, but I found them to be incomplete, incorrect, or poorly translated from another language.

Here’s what you need:


Software (on your host)

Software (on your Android device)

Installing the Burp Suite Certificate

You will need to export Burp’s CA into a file. Navigate to Proxy > Options > Import/export CA certificate and export the certificate in DER format.

Certificate Export

Convert the certificate to plain text with

openssl x509 -inform DER -in cert.der -out cert.cer

Transfer to the device using your method of choice. I usually just spin up a little web server with python -m http.server 9898 just because it’s quick and easy, especially if you don’t yet have a file manager installed on the device. You can then just browse to your host IP address and download the file. You may need to modify your host system’s firewall to allow this traffic. Alternatively, you could use adb push to transfer the file.

Once the file is on your device, navgiate to Settings > Network & Internet > Wi-Fi > WiFi preferences > Advanced > Install Certificates. Select the previously transferred CER file, give it a name, and install. As long as you have the Move Certificates Magisk module listed above, it will automatically copy the certificate from the user store to the system store.

Certificate Install

Intercepting Traffic

Open up Burp Suite and configure the proxy to allow inbound connections from other devices. As above, you may need to allow inbound traffic on your host system firewall.

Proxy Listener Settings

In ProxyDroid on your Android device, set your Burp Suite IP and port in Proxy Settings and then enable the proxy.

ProxyDroid Settings

You might now start to see some traffic populating in Burp Suite. This is likely regular background Android traffic. You can silence these by defining a scope under the Target tab in Burp Suite.

Launching Apps for Testing

Ensure that your USB-connected device can be seen by the host system with adb devices. Your device serial should be listed in the output. If not, try unplugging and re-plugging the device, and ensuring that USB debugging is enabled in the developer options.

kali:~ sean$ adb devices
List of devices attached
00acXXXXXXXab942	device

After confirming the device is seen by the host, you can launch a basic Objection prompt to start poking around.

objection -g explore

This command launches the YouTube app with the Frida hook injected. Typically, you will need to specify the bundle ID of the app (com.whatever.appname), and these can be found by running frida-ps -Uia when the device is seen by adb.

As the app is starting up, you may also want to run android sslpinning disable --quiet in your Objection prompt to attempt to circumvent SSL pinning the app may have implemented. There is no one-size-fits-all solution for bypassing SSL pinning, so this trick doesn’t always work, and some implementations can be very tricky to get around.

You do not need to use Objection to proxy your traffic, but the pervasiveness of SSL pinning will probably form a habit of launching apps this way.

Optional Single Screen Setup

You can use the free scrcpy tool to access your USB-connected device from your host system. If you don’t have a dock to hold the device, this is a great option for testing from a single pane. Those little on screen keyboards can get very annoying as well, so being able to type on a full size device will tremendously increase the efficiency and speed at which you are testing.


This only encompasses a very small part of mobile pentesting, and is only intended to get a pentester up and running in a usable environment. While this setup can intercept web traffic, one cannot neglect static/dynamic analysis of the binary as well, and understanding how it interacts with the Android platform.

The demand for mobile pentesting, of which Android is no small part, continues to grow. It will likely continue to grow as more and more properties move away from user-controlled browsers and into vendor-controlled sandboxes (apps). Users can’t easily block ads or tracking cookies in mobile apps, and the space will only continue to saturate, increasing the demand for mobile pentesting skillsets year over year.