This repository provides a comprehensive set of tools and information to start pentesting Android applications using Frida. It's specifically designed for use with Waydroid, but the included scripts can also be adapted for other Android devices or emulators with minimal adjustments. I focused on Waydroid because it provides an ideal development environment for pentesting, and when I was starting to pentest Android apps myself, I noticed there was little information about doing it with Waydroid.
Before using this kit, ensure the following are installed on your system:
- ADB (Android Debug Bridge): required to interact with Android devices and emulators. Install via `sudo apt install android-tools`.
- Waydroid: a container-based Android system for Linux distributions. Follow the Waydroid installation guide for your specific distribution.
- Rooted device: follow these instructions to root Waydroid using Magisk.
Clone this repository to your local machine:
```bash
git clone https://github.com/dev-diaries41/waydroid-frida-starter-kit.git
cd waydroid-frida-starter-kit
```
Ensure that ADB and Waydroid are properly installed and running.
Follow the Burp Suite instructions here to configure a proxy listener (step 1). Step 2 of the Burp Suite instructions can be skipped; use the proxysetup.sh script below instead. Once you have downloaded your certificate by following step 3, do the following:
- Find the hash of the certificate subject name using the older algorithm, as used by OpenSSL before version 1.0.0:
```bash
$ openssl x509 -subject_hash_old -in Portswigger.der | head -1
13acab12
```
- Create the /system/etc/security/cacerts/ directory on the overlay FS:
```bash
$ sudo mkdir -p /var/lib/waydroid/overlay/system/etc/security/cacerts/
```
- Copy the certificate, renaming it to the hash from step 1 with .0 appended, and set the proper permissions for it:
```bash
$ sudo cp Portswigger.der /var/lib/waydroid/overlay/system/etc/security/cacerts/13acab12.0
$ sudo chmod 644 /var/lib/waydroid/overlay/system/etc/security/cacerts/13acab12.0
```
Make sure to replace Portswigger.der with the actual path to the .der file you exported from Burp Suite, and replace 13acab12 with the actual hash produced in step 1. You may need to restart Waydroid.
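The file name Android expects in /system/etc/security/cacerts/ is exactly what `openssl x509 -subject_hash_old` prints: the MD5 of the DER-encoded subject Name, with its first four bytes read as a little-endian integer and printed as 8 hex digits, plus ".0". The following is an added example (not part of this repository) that reproduces that computation in pure Python, so you can check the name you chose in step 3 without relying on the OpenSSL binary; the certificate parsing covers only what is needed to locate the subject field.

```python
import hashlib
import struct
import sys

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short- and long-form lengths); used to build sample input."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_subject(cert_der: bytes) -> bytes:
    """Return the DER bytes of the subject Name (whole SEQUENCE TLV) of an X.509 certificate."""
    _, pos, _ = _read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    tag, pos, end = _read_tlv(cert_der, pos)         # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = []                                      # (tag, tlv_start, tlv_end) per TBS field
    while pos < end:
        ftag, _, fend = _read_tlv(cert_der, pos)
        fields.append((ftag, pos, fend))
        pos = fend
    if fields and fields[0][0] == 0xA0:              # optional explicit [0] version (v2/v3)
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("truncated tbsCertificate")
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    stag, start, stop = fields[4]
    if stag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert_der[start:stop]

def subject_hash_old(name_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: MD5 of the DER name, first 4 bytes little-endian, 8 hex digits."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]

def cacert_filename(cert_der: bytes) -> str:
    """File name Android looks for under /system/etc/security/cacerts/ for this CA."""
    return subject_hash_old(extract_subject(cert_der)) + ".0"

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:               # e.g. the Portswigger.der exported from Burp
        print(cacert_filename(f.read()))
```

Run it as `python3 cacert_name.py Portswigger.der` and compare the output with the `openssl` result above; if they differ, the file you exported is not DER (Burp can also export PEM).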
- frida.sh: manages the Frida server on Waydroid, including setup, starting, and stopping.
- proxy.sh: configures and resets proxy settings for routing traffic through Frida, either via a router (-r) or the Waydroid VM (-w).
Run the frida.sh script with the -setup flag to install the necessary Frida server on your Waydroid container:
```bash
./frida.sh -setup
```
Start the Frida server on Waydroid:
```bash
./frida.sh -start
```
To stop the Frida server, use:
```bash
./frida.sh -stop
```
To redirect traffic through Frida, use:
- Router-based traffic redirection
```bash
./proxy.sh setup -r
```
- Waydroid VM traffic redirection
```bash
./proxy.sh setup -w
```
To revert proxy settings back to default, use:
- Reset router-based proxy settings
```bash
./proxy.sh reset -r
```
- Reset Waydroid VM proxy settings
```bash
./proxy.sh reset -w
```
The scripts/ directory contains various Frida scripts designed to assist in pentesting Android applications. These scripts are NOT perfect or meant for production-level pentesting, but they should help you get familiar with Android pentesting.