Android Penetration Testing Lab Setup
Set up the ultimate Android pentesting lab with tools like Genymotion, ADB, JADX, and APKTool. Follow this step-by-step guide to install, configure, and start testing Android apps for security vulnerabilities. Perfect for ethical hackers, mobile security analysts, and pentesters.
Hey Hackers, In this blog we will setup ultimate android pentesting lab. We will start of by installing must have tools.
Installing ADB (Android Debug Bridge) 🔌
ADB is a versatile command-line tool that allows you to communicate with Android devices or emulators. It’s essential for tasks like:
- Installing and debugging apps
- Accessing device logs
- Running shell commands directly on the device
- Forwarding ports or mirroring traffic
1
sudo apt update && sudo apt install adb
After installing, connect your Android device via USB and run adb devices to verify it’s recognized.
Installing APKTool 🧰
APKTool is used to decompile and recompile APK files. It allows you to reverse engineer APK resources and makes it easier to analyze or modify app internals such as:
- AndroidManifest.xml
- Smali code
- Resource files (layouts, images, etc.)
1
sudo apt install apktool
Installing JADX (Decompilation Tool) 🔍
JADX is a command-line and GUI tool that decompiles Android APKs into Java-like source code from .dex files. It’s an incredibly useful static analysis tool when you want to:
- Understand app logic
- Look for hardcoded secrets (API keys, credentials)
- Trace function calls
1
2
sudo apt install default-jdk
sudo apt install jadx
You can also install jadx-gui for a visual interface.
1
sudo snap install jadx --classic
Setting Up MobSF (Mobile Security Framework) 🐳
MobSF (Mobile Security Framework) is a powerful and automated pentesting tool for mobile apps (Android/iOS). It supports both static and dynamic analysis and provides:
- Vulnerability analysis reports
- Code and manifest analysis
- API endpoint detection
- namic runtime instrumentation (if using with emulator/device)
We’ll use the Docker version to keep things clean and OS-agnostic. Install Docker (if not already):
1
sudo apt install docker.io
Pull MobSF image:
1
sudo docker pull opensecurity/mobile-security-framework-mobsf
Run MobSF:
1
sudo docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Once it’s running, access it via http://localhost:8000 in your browser.
Drag and drop APK files into the interface for an instant security report.
Gennymotion 🎴
Gennymotion is a android emulator. An Android emulator is a software-based simulation of an Android device that allows developers and users to run and test Android applications on a computer without the need for physical devices.
Setting up Gennymotion
We can download gennymotion from here. I will be downloading for windows.
After installation we will need an account to login, we can register an account and then login into the installed application.
Creting and Confirguring Emulator
Gennymoiton has various models and android versions we can use while creating a machine. For pentesting purposes we can use android 11 because it’s already root and we will need root access for setting up Burp Suite with gennymotion.
We will also need a binary of openssl in windows to setup the certificates for Burp Suite. Futher we can use this guide here to setup the certificate.
Openssl Commands for Converting the Burp Cert
1
2
3
4
5
6
7
8
9
openssl x509 -inform DER -in cacert.der -out burp.pem
openssl x509 -inform PEM -subject_hash_old -in burp.pem
mv burp.pem 9a5ba575.0
adb root
adb remount
adb push 9a5ba575.0 /sdcard/
adb shell
mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/9a5ba575.0
Pointing Genymotion at Burp
1
2
adb shell settings put global http_proxy localhost:<some port>
adb reverse tcp:<some port> tcp:<port burp is listening on>