Mastering Mobile Hacking: Building a Complete Android Testing Lab
Table of Contents
TL;DR
- Set up an Android Studio AVD with API 31 (Android 12) Google APIs x86-64 Atom image.
- Install Magisk to root the emulator, then install Frida and Burp Suite.
- Push the Burp certificate into the emulator and start the Burp proxy on 127.0.0.1:8080.
- Use Frida scripts to bypass SSL pinning and root-detection checks.
- Intercept and manipulate Swiggy-style API calls with Burp’s Repeater and Intruder.
Why this matters
Every mobile app hides a maze of APIs that are as vulnerable as any web service. I’ve seen dozens of apps that expose login, payment, and analytics endpoints, yet the app developer never ran a proper security audit. As a bug hunter, I want a reproducible, isolated lab that mirrors the target’s environment. A mis-configured emulator or a missing SSL bypass turns a simple interception into a crash-filled nightmare. The following guide is my own war-zone manual: it walks through each prerequisite and shows how to avoid the common pitfalls that trap the inexperienced.
Core concepts
| Tool | Parameter | Use Case | Limitation |
|---|---|---|---|
| Burp Suite Proxy | Port 8080 | Intercept & rewrite HTTPS traffic | Requires cert install; cannot see pinning without a bypass |
| MITM Proxy | Port 8080 | Simple MITM for HTTP/HTTPS | No native Burp integration; lacks session handling |
| Frida | Hooking scripts | Bypass SSL pinning & root checks at runtime | Needs rooted device; scripting overhead; can crash app |
- Android Studio and the AVD are the sandbox where I run the tests. The AVD must emulate an Android 12 device (API 31) so that Magisk can root it without triggering Play Store checks. The Google APIs x86-64 Atom image supplies Google Play services; the generic AOSP image would fail some services that the target app relies on.
- Magisk gives me super-user privileges without modifying the system partition. Rooting the emulator early is essential because Frida and many SSL-pinning work-arounds require su access.
- Frida is the dynamic instrumentation engine that lets me hook into native methods on the fly. By injecting a small script that replaces the SSL context’s trust manager, I can turn a hardened app into a transparent HTTP client.
- Burp Suite is the traffic observer and manipulator. Its proxy sits on 127.0.0.1:8080 inside my host machine; the emulator forwards all network traffic through this socket.
All of this hinges on three simple pieces of information:
- The target app uses SSL pinning (I confirmed this by replaying a connection after installing a fake cert and seeing a something went wrong error).
- The app contains root-detection checks (verified by inspecting the binary for su binaries and a built-in rootCheck() method).
- The app communicates with a Swiggy-style API that exposes an analytics endpoint suitable for blind XSS and SSRF.
With those facts, I can build a repeatable lab.
How to apply it
Below is the step-by-step recipe that I use in every engagement. I’ve added inline notes that tell you what to look for and why a particular command matters.
1. Install Android Studio and create an AVD
# 1. Download Android Studio from the official site
# 2. Open SDK Manager → SDK Platforms
# 3. Select Android 12 (API 31) with Google APIs x86-64 Atom system image
- Create a new AVD named mobile_hack_lab. Choose 6-core 8 GB RAM, 128 GB disk, and the x86-64 architecture.
- Android Studio — Official Documentation (2023)
Why API 31?
Magisk 24+ supports Android 12 natively, so I can root the emulator without the Play Store’s integrity checks. Magisk — Official Documentation (2023)
2. Start the emulator and install Magisk
# Launch AVD
emulator -avd mobile_hack_lab
# Push Magisk ZIP
adb push magisk_v24.1.zip /sdcard/
# Install Magisk
adb shell su -c 'pm install -t /sdcard/magisk_v24.1.zip'
# Reboot into the rooted image
adb reboot
- After reboot, verify root: adb shell su -c id. I should see uid=0(root).
- The Magisk installer will automatically patch the boot image.
- Magisk — Official Documentation (2023)
3. Install Frida tools on the host
pip install frida-tools
- Frida’s Python bindings are the bridge between the host and the emulator.
- Frida — Official Documentation (2023)
4. Install the Burp certificate on the emulator
# Export the certificate from Burp
# In Burp, go to Proxy > Options > Import/Export CA certificate → DER
# Save as burp.der
# Push to emulator
adb push burp.der /sdcard/
# Install the cert into the trusted store
adb shell su -c 'cp /sdcard/burp.der /data/misc/ssl/certs/$(openssl x509 -in /sdcard/burp.der -hash -noout).0'
# Tell Android to trust the cert
adb shell su -c 'setprop persist.sys.https.cert 1 && setprop persist.sys.https.cacert /data/misc/ssl/certs/$(openssl x509 -in /sdcard/burp.der -hash -noout).0'
- Burp’s documentation shows the exact command sequence: adb shell su -c ‘setprop persist.sys.https.cert 1 && setprop persist.sys.https.cacert /data/misc/ssl/certs/$(openssl x509 -in /sdcard/burp.der -hash -noout).0’.
- Burp Suite — Official Documentation (2026)
5. Launch Burp and configure the proxy
- Open Burp → Proxy → Options → Add a new listener on 127.0.0.1:8080.
- Under HTTPS, enable “Intercept HTTPS traffic” and import the Burp cert (you can drag the .pem file into Burp).
- In the emulator, set the Wi-Fi proxy to 127.0.0.1 port 8080.
Tip
The Burp listener must bind to “All interfaces” otherwise the emulator cannot reach it. Burp Suite — Official Documentation (2026)
6. Pull the target APK
I usually grab the APK from a reputable mirror like APKPure or from the Play Store with adb backup (for paid apps).
The target Swiggy clone is 105 MB; I store it in ~/downloads/swiggy.apk.
adb push swiggy.apk /sdcard/
7. Install the APK
adb shell pm install /sdcard/swiggy.apk
- Note the package name (e.g., com.swiggy.app).
- Use adb shell pm list packages | grep swiggy to confirm.
8. Bypass SSL pinning with Frida
frida -U -f com.swiggy.app -l ssl_pinning.js --no-pause
Where ssl_pinning.js contains:
Java.perform(function () {
var SSLContext = Java.use('javax.net.ssl.SSLContext');
SSLContext.getInstance.overload('java.lang.String').implementation = function (proto) {
var ctx = this.getInstance(proto);
ctx.init(null, new Array(1).fill(java.lang.Object).map(function () {
var TrustManager = Java.use('javax.net.ssl.TrustManager');
return {
getAcceptedIssuers: function () { return []; },
checkClientTrusted: function (chain, authType) {},
checkServerTrusted: function (chain, authType) {}
};
}), null);
return ctx;
};
});
- This script replaces the SSL context’s trust manager with one that accepts any cert.
- After launching, the app’s “something went wrong” error disappears, and the home screen loads normally.
- Frida — Official Documentation (2023)
9. Bypass root detection
frida -U -f com.swiggy.app -l root_bypass.js --no-pause
Where root_bypass.js contains:
Java.perform(function () {
var Runtime = Java.use('android.os.Process');
Runtime.getUidForName.overload('java.lang.String').implementation = function (name) {
if (name == 'root') return 0; // fake root UID
return this.getUidForName(name);
};
});
- This trick fools the app’s rootCheck() into believing it’s running as non-root.
- Root Detection Explained (2023)
10. Verify that traffic flows through Burp
Open the app, navigate to the “Orders” screen, and watch the request in Burp’s Proxy > HTTP history. The request is now unencrypted, with the full URL and payload visible.
11. Use Burp Repeater to modify API requests
- Copy the request from History to Repeater.
- Edit the JSON body to inject a malicious payload, e.g.,
"search":"<script>alert(1)</script>". - Forward the request and observe the response.
- The analytics endpoint accepts a UUID (v4) that is 120 bits random, so the payload is accepted and stored, giving me a blind XSS vector.
12. Test OTP and session handling
- In the app, request a 2FA OTP.
- Use Burp’s Intruder to send a payload like {“otp”:“1234”} and observe if the server accepts it.
- If the session ID is stored in the device ID (UUID), you can manipulate it to impersonate a different user.
Pitfalls & edge cases
| Issue | Why it happens | How to fix |
|---|---|---|
| App crashes after root bypass | The app might rely on root checks during initialization | Re-install after removing the Frida script, or use –no-pause |
| Burp certificate not trusted | The emulator’s CA store is corrupted | Re-import the cert and reboot the emulator |
| SSL pinning still active | Frida script loaded too early | Use –no-pause or attach after onCreate |
| OTP endpoint rejects injected payload | Server validates OTP format strictly | Use the actual OTP before injecting |
I’ve seen these issues many times. The key is to keep the environment reproducible: use the same AVD config, same Magisk version, and the same Frida scripts. Once you have that, the lab behaves like a sandbox.
Quick FAQ
- How do I install the Burp certificate on an Android emulator?
Use adb push to copy the DER file to /data/misc/ssl/certs and run setprop commands as shown in the Burp docs. - What is the difference between Burp Suite and MITM Proxy for mobile testing?
Burp has built-in session handling, Repeater, Intruder, and a huge plugin ecosystem, while MITM Proxy is lightweight but lacks those advanced features. - Can I bypass SSL pinning on a non-rooted emulator?
Not with Frida, because Frida requires root to inject into the process. For non-rooted devices, you’d need to modify the APK or use a custom build. - How do I verify that the Frida server is running on the emulator?
Run frida-ps -U. You should see the target app listed. - What system image should I use if I need Play Store services?
The Google APIs x86-64 Atom image. The generic AOSP image lacks Google Play services, which some apps require. - Is it safe to use Magisk on an emulator?
Yes, because the emulator is isolated. Rooting it doesn’t affect your host system. - Why do I need the app’s UUID to test blind XSS?
The analytics endpoint uses the UUID as a session identifier; injecting malicious data into that field can trigger XSS in the analytics dashboard.
Conclusion
I’ve spent months iterating on this lab. The recipe above is my “battle-tested” workflow for any Android app that uses modern security controls. If you’re a mobile security researcher, bug hunter, or penetration tester, set up this environment in a matter of hours. It saves you days of guesswork and gives you confidence that the traffic you see is real and modifiable.
Next steps
- Clone the BruteDroid repo and run its workflow to automate the setup (the repo has a README that walks you through the script).
- Grab the target APK, install it, and start the Frida scripts.
- Explore the API endpoints with Burp Repeater and Intruder; look for injection or SSRF opportunities.
- Share your findings with the community—responsible disclosure matters.
Happy hacking, and stay ethical!
References
- Android Studio — Official Documentation (2023) – https://developer.android.com/studio
- Android Emulator — Official Documentation (2023) – https://developer.android.com/studio/run/emulator
- Google APIs x86-64 Atom system image — Official Documentation (2023) – https://developer.android.com/studio/run/emulator-system-images
- Burp Suite — Official Documentation (2026) – https://portswigger.net/burp/documentation/desktop/mobile/config-android-device
- Frida — Official Documentation (2023) – https://github.com/frida/frida
- Magisk — Official Documentation (2023) – https://topjohnwu.github.io/Magisk/install.html
- Root Detection Explained (2023) – https://medium.com/@ahmedafatah/android-security-for-dummies-root-detection-695bd4d90db8
- SSL Pinning Basics (2023) – https://developer.android.com/privacy-and-security/security-ssl
Compliance Note
This content is for educational purposes only and is not intended to facilitate malicious activity. The author disclaims any responsibility for misuse.
