24 Jan, 2014

Android Assessments with GenyMotion + Burp

by Abdullah Munawar

As much as I love Android app assessments, I kept coming across the same problem: Do I waste time trying to ‘root’ an Android device or deal with the incredibly buggy, slow, unresponsive, and overly difficult to work with Android emulator that comes with the Android SDK bundle?

Then I was introduced to Genymotion: an Android emulator based on the AndroVM Open Source project ( http://androvm.org/blog/). Genymotion utilizes VirtualBox to run an Android OS within a Virtual Machine. This results in a drastic increase in speed, response, stability, and ease of use. I’ve been working with Genymotion for a little while now and wanted to compile a bunch of things I’ve learned how to do in order to make it easier for others to have a consolidated resource.

  • Downloading and Installing Genymotion

  • Standing up a new Android OS VM

  • Useful features within Genymotion (Drag & Drop, etc.)

  • Using ADB with Genymotion to install applications

  • Configure the Android VM to pass all web traffic through Burp

  • Using ADB with Genymotion to install a Burp SSL Certificate

  • Troubleshooting ARM error and adding Google Play support within Genymotion

Upon installation you are prompted to provide the same credentials that were created to login and download Genymotion. This will let you connect to the Genymotion cloud and download a pre-built Android VM. My Android testing environment consists of a MacBook Pro although all of the tools/techniques used in this post are platform independent. I am also going to use Burp Suite Pro and Free 1.5 which is also platform independent. Lastly, while I talk about utilizing the Android SDK/ADT/ADB and installing APK applications, I do not cover how to set up your Android SDK/ADT/ADB or find APK applications outside of Google Play.

Downloading and Installing Genymotion:

Genymotion requires the use of VirtualBox. The Windows 32/64 bit download of Genymotion comes with VirtualBox however, the OS X and Linux versions do not and therefore it must be installed separately. The link can be found here. VirtualBox must be installed first, before the installation of Genymotion. In order to download Genymotion, a free sign-up is required. Once the email address on the account has been verified a link to download Genymotion can be accessed. The link to sign up and download Genymotion can be found here.

Standing up a new Android OS VM:

Select ‘Galaxy Nexus - 4.3 - API 18 - 720x1280’ Click ‘Next’.

The VM will automatically downloaded from the Genymotion cloud.

Once the download is complete and the VM has been successfully installed within VirtualBox it should be listed under ‘Your Virtual Devices’.

Click the ‘Play’ Button to run the VM for the first time. If everything is successful the VM should be running.

Useful Features within Genymotion:

This feature list is not all inclusive however I wanted to point out a few features I found to be useful when setting up my environment. In addition, I want to point out that for developers - Genymotion has an IntelliJ IDEA plugin as well as an Eclipse plugin to be able to push the app you are developing directly to your Android VM through ADB. By clicking on the ‘Settings’ icon the Genymotion settings menu will appear.

Under the ‘Network’ Tab are proxy settings for Genymotion to be able to reach out to its cloud service and download new VMs and updates. NOTE: This setting is NOT for configuring the Android VM to send web traffic through a proxy. That will be covered in a later section.

Under the ADB Tab you can point Genymotion to the SDK directory within your Android development environment.

Within the Android VM, Genymotion installs a configuration application that allows for some environment modifications. Since the VM is already ‘rooted’ there are not a lot of configuration settings that need to be modified on this screen however, it is useful to enable the use of the physical keyboard for input. If any settings are modified within this application the VM will require a reboot.

The last and most useful feature within Genymotion is the drag and drop feature. This feature can be used to transfer files and install applications to the Android VM environment. Simply drag a file from the host’s desktop or a folder directly into the Android VM. Once the file transfer is complete the Android OS will notify the user where the file is located within the OS (by default it is ‘/sdcard/Download’).

Using ADB to Install Applications:

ADB can be used to push and pull files as well as install Android applications. However, as mentioned in the section above, the ADB environment path must be properly specified within Genymotion. Using ADB commands verify that a device is listed.

  Then using the syntax of ./adb install <path/to/.apk_file>, install the Android Application. If the installation is successful ADB will prompt ‘Success’ upon completion.

The newly installed application should now be available for use within the Android VM. However, an easier way of installing Android Applications into the Android VM is to simply utilize Genymotions drag and drop feature. Simply drag and drop an APK file into the VM and the application should install successfully and be ready for use within the VM environment.

Configure the Android VM Proxy and Burp:

For performing security assessments as well as validating an application in development it is necessary to view the web traffic that is passed back and forth between the client (android application installed on an end device) and its corresponding server. It is possible to configure the Android VM within Genymotion to pass all of its web traffic through a web proxy such as Burp. Verify the current IP address of the host machine.

In the instance above, the IP address of the host machine is: 192.168.1.11. We will later set the proxy within the Android VM to this IP address. Within the Android VM go to Settings.

Cick on Wi-Fi.

Click and hold ‘WiredSSID’ until a box pops up. 

Click on ‘Modify network’.

Check the ‘Show advanced options’ box and select ‘Manual’ from the Proxy Settings menu.

Specify the host IP address and set a default port for the proxy to listen on. In this case my host IP was 192.168.1.11 and the listening port was 8080.

When those changes have been made click ‘Save’ and exit out of Settings. At this point the Android VM should be completely configured to pass web traffic to the web proxy. However, the web proxy must be configured to listen on the host IP we specified within the Android VM. For the purposes of this blog I chose to use Burp Suite as it is one of the most common and widely used web proxies around. Launch Burp Suite Pro or Free. Click on the top ‘Proxy’ tab then click on the ‘Options’ secondary tab. Lastly, click on the ‘Add’ button to add a new proxy listener.

Specify the listener port that we defined within the Android VM (in our case port 8080). Also, click on the ‘Specific address’ radio button and from the drop down select the IP address specified within the Android VM (in our case it was 192.168.1.11). When complete click ‘OK’ to return to the previous screen.

Verify that the new proxy listener has been added and that a check box is located next to the listener to ensure it is enabled.

If all of the settings were configured properly Burp should now be seeing web traffic passed to it by the Android VM. If traffic is still not being passed the IP address of the host should be verified as the DHCP lease may have run out and the IP address may have changed.

Installing SSL Certificate with ADB:

Until this point all web traffic should be passing from the Android VM to Burp. However, if any applications are communicating over HTTPS, you will receive a ‘Webpage not Available’ error. This happens because the burp Certificate Authority (CA) Certificate is not yet trusted by the Android VM. There are two methods of retrieving the Burp CA Certificate in order to install it on the Android VM. If you have the free version of Burp:

Open up Burp and enable the loopback (127.0.0.1) listener on port 8080 if it is not already enabled.

Open up Firefox on your host machine. Go to Firefox’s Preferences and under the ‘Advanced’ tab in the ‘Connection’ section click on ‘Settings’. Click on the ‘Manual proxy configuration’ radio button. Specify the loopback address (127.0.0.1) and specify port 8080 as the listening port. Click ‘OK’ and exit out of the Preferences.

Go to any HTTPS based website. For this example I chose (https://google.com). You will receive a Connection Untrusted message. Click on the ‘Add Exception’ button on the bottom.

Click on the ‘View’ button to view the identity of the Certificate.

Click on the ‘Details’ tab and notice that the Certificate references PortSwigger CA which is the CA for Burp. Click ‘Export’ to export the Certificate.

Change the format to ‘X.509 Certificate (DER)’ and name the Certificate .cer. Save the Certificate to an easily accessible location.

If you have the Professional Version of Burp, click on the ‘Proxy’ tab and the ‘Options’ secondary tab. Click on the ‘CA certificate’ button.

Export as ‘Certificate in DER format’. Click ‘Next’. Name the Certificate .cer. Save it in an easily accessible location.

Next we will get the certificate onto the Android VM and install it. There are two methods of getting the Certificate onto the Android VM. The first one is by using ADB. We will use the ‘adb push’ command to push the Certificate onto the ‘/mnt/sdcard’ directory of the Android VM.  The syntax is: adb push <local/path/to/certifiate> </mnt/sdcard/>. We can also verify that the Certificate has been transferred over successfully by entering into a shell of the Android VM by using the ‘adb shell’ command and listing the contents of the /mnt/sdcard/ directory.

The second method of getting the Certificate onto the Android VM is to use the drag and drop feature. Drag and drop the Certificate file into the Android VM and the file should copy over and be located within the /mnt/sdcard/ directory. Now that the Certificate is on the Android VM we can install it.

In your Android VM go to ‘Settings’.

Click on ‘Security’

Click on ‘Install from SD card’

A box will pop up with the Certificate information. Verify it and then click ‘OK’.

Android requires you to set a password in order to use credential storage. Click ‘OK’.

This password can be pattern based, a PIN, or a password. Select one and set it.

The PortSwigger CA Certificate should now be installed on your Android VM. To verify that the CA Certificate successfully was installed click on ‘Trusted credentials’.

Click on the ‘User’ tab. The PortSwigger CA Certificate should now be there signifying it was successfully installed on your Android VM.

You should now be able to successfully view HTTPS traffic in plain text.

Troubleshooting ARM error and adding Google Play support within Genymotion:

The support for ARM applications and Google Play was removed within Genymotion starting with their 2.0 release. However, since a decent number of applications available require ARM translation this can be a major pain. When attempting to install an ARM based application you should see the error below.

The guys over at XDA-Developers have found a way to recover the functionality of both ARM based applications as well as Google Play. The entire thread and download files can be found here. Simply download the ARM Translation Install zip file and the Google Play application zip file (depending on which version of Android you are running within your VM). Drag and drop each file into your Android VM and that should do it.

We hope this information is useful and eases some of the pain of Android application assessments. We’d love to hear your thoughts.