Pentesting Android Applications - Part 3 - Dynamic Analysis

Hi friends,

Let's move on to the third part of this series, which is dynamic analysis.

Here we will look at how to set up our Genymotion virtual device to pass traffic through Burp Suite.

Burp Suite is an intercepting proxy that captures traffic and lets you modify it for testing.

Tools required

  1. Burp Suite
  2. Genymotion virtual device

Download Burp Suite Community Edition (free) from here:

Genymotion was covered in my earlier blogs, so just start a virtual device.

After the virtual device has started, follow these steps:

1. Go to Settings.

2. Click on About phone and you will see Build number.

3. Now click on Build number seven times to enable the debugging options; they will be useful later on.

4. Go to Wi-Fi and left-click and hold for two seconds on the Wi-Fi name (in my case it's WiredSSID). The options below should show up; click on Modify Network.

5. Click on Show advanced options.

6. Configure the settings as shown below: in Proxy hostname enter your machine's IP address; for Proxy port you can select any port. I have selected 8081 randomly.

7. In Burp Suite, go to Proxy > Options > Add.

8. Add port 8081 and make sure to select All interfaces, so the listener is reachable from the virtual device and not only from the loopback address.

9. Before we start capturing traffic, we need to install the Burp CA certificate on our Android virtual device. The steps are as follows:

a) Go to Proxy > Options > Import/export CA Certificate.

b) Click on Export > Certificate in DER format.

c) Click on Next and save the cert anywhere you wish with the extension .cer.

d) Next, you need to have an email account configured on your virtual device to receive files. I have a Gmail account set up; I kept the cert file in my drafts and downloaded it on the virtual device.

e) Now go to Settings > Security > Install from SD card.

A new window pops up; select Internal Storage.

f) Go to the location where you downloaded cacert.cer.

g) Name the certificate cacert and click OK. If you don't have a lock screen PIN set, it will ask you to set one up; you can set up the PIN and click OK.

h) Now we have our PortSwigger CA saved.

10. Now you can try opening an app and see its traffic in Burp Suite.

For example, here is the traffic from an app from a private program on HackerOne.
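
The proxy settings from steps 4 to 6 and the certificate transfer from step 9 d) can also be done from the host with adb. The script below is an added example, not part of the original post: it sets the device-wide proxy rather than the per-network Wi-Fi proxy, and it assumes adb is on the PATH and connected to the Genymotion device. The address 192.168.56.1, the script name and the destination /sdcard/Download/cacert.cer are placeholders.

```bash
#!/usr/bin/env bash
# Added example: host-side equivalent of steps 4-6 and 9 d) for a test emulator.
# Assumptions: adb is on PATH and sees the virtual device; host IP, port and
# file names are placeholders chosen for illustration.

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Validate host and port, then emit the "host:port" value Android expects.
proxy_value() {
  local host="$1" port="$2"
  case "$host" in ''|*[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 1 ;; esac
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
  printf '%s:%s\n' "$host" "$port"
}

# Point the device's global HTTP proxy at the Burp listener.
set_proxy() {
  local value
  value="$(proxy_value "$1" "$2")" || return 1
  run adb shell settings put global http_proxy "$value"
}

# Remove the proxy again once testing is finished.
clear_proxy() {
  run adb shell settings put global http_proxy :0
}

# Copy the exported DER certificate to the device instead of e-mailing it.
push_cert() {
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
  run adb push "$1" /sdcard/Download/cacert.cer
}

# Usage: ./burp-proxy.sh set 192.168.56.1 8081 | cert cacert.cer | clear
case "${1:-}" in
  set)   set_proxy "$2" "$3" ;;
  cert)  push_cert "$2" ;;
  clear) clear_proxy ;;
esac
```

Run it with DRY_RUN=1 first to see the adb commands without executing them, and use the clear action when the test session ends so the device does not keep routing traffic to a proxy that is no longer listening.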