Android Dev & Penetration Testing Setup – Part 1

Joff Thyer //

Editor’s Note:  This is part 1 of a 3 part series.  Part 1 will discuss configuring your virtual machine engine and virtual hardware emulation.  Part 2 covers installing Android for the emulator, and Part 3 covers installing the drozer attack framework.

_______

If you’re planning to test mobile apps on Android, then you’ll need a suitable environment setup with the correct development tools, Android emulation, and the drozer security and attack framework. This blog post will walk through the steps to correctly configure an Ubuntu 16.04 system to engage in both penetration testing and development with Android apps.

A word of warning on this documented procedure: several hundred megabytes of data will need to be downloaded from the internet; thus, if you are trying to do this at a hotel or public Wi-Fi spot, I suspect you will be quite disappointed. Make sure you are connected to at least 10 Mbps downstream.

You have a choice of using a physical or virtual machine. This post will focus on creating a virtual machine with VMware Fusion on OSX. Be aware that there are significant resource requirements for this project that are dependent on how much RAM you want to devote to the emulator.

Absolute Minimum VM Resources Required:

  • Software
  • Ubuntu 16.04.1 Desktop
  • Hardware
  • 2 GB RAM
  • 2 processor cores
  • 50 GB hard disk

Due to the size of the Android studio and emulator installation downloads, you will end up with an Ubuntu system using about 30 GB of disk space from day one. When the emulator is running, it allocates 1 GB of RAM for the memory of the device by default. If possible, the preferred machine resource configuration should be increased to 4GB RAM, and 4CPU cores.

Start by performing a standard Ubuntu 16.04.1 desktop installation on the virtual machine. Since you will be running in a GUI environment, the desktop distribution is required. Note: This installation and test were performed on VMware Fusion version 8.5.3. I have included a screenshot below so you can see the exact release information.

Configure Virtual Machine Engine and Virtual Hardware Emulation

After the installation is complete, shut down the Virtual Machine and modify its configuration as follows.

  • Change the preferred virtualization engine to  “Intel VT-x with EPT”
  • Perform an edit using your favorite text editor (that must be “vi” of course!), and add a line into the VMware VMX file to enable hardware-assisted virtualization.

    vhv.enable = “TRUE”
    This is required in order for the emulator to have any fighting chance of performing decently.

Now boot up your Ubuntu 16.04.1 VM again and log in as a regular user. It is assumed that you will have created an ordinary user account as part of the installation.

As soon as you log in to the Ubuntu desktop, you need to install the “cpu-checker” package so that we can verify that “Kernel Virtual Machine” (KVM) acceleration support is properly recognized by the VM. When the package finishes installing,  run the command “kvm-ok” as root to perform the check.

Installing the “cpu-checker” Package
Performing the KVM check

Install Oracle Java8

At this point in time, we need to install an appropriate version of Java. The best option that seemed to work for me was to select the latest Oracle Java package. In order to do this, you need to add a new repository and then install the Java package.

The actual terminal commands you need are as follows:

$ sudo apt-add-repository ppa:webupd8team/java
$ sudo apt update
$ sudo apt install oracle-java8-installer

During the Oracle Java8 installation, you will also need to accept the Oracle binary license.

After installing Oracle Java 8, you are ready to begin the Android studio development software, and Android emulator installation.

Editor’s Note: Remember, this is Part 1 of 3. Part 2: Installing Android for the Emulator is hereCheck out Part 3 here.



You can learn more straight from Joff himself with his classes:

Regular Expressions, Your New Lifestyle

Enterprise Attacker Emulation and C2 Implant Development

Introduction to Python

Available live/virtual and on-demand!