Android Application Security Assessments - Part 3: Starting Your Emulator And Configuring Your Proxy
You now should have a working test environment with all of the primary assessment tools. Time to create our Android Virtual Device (AVD) and connect it via proxy!
Create an AVD
To start, you will want to run the android file (located in the ‘tools/’ directory). This will launch the Android SDK and AVD Manager.
- Linux: $ ./android
- Windows: C:\>android
Click on ‘Virtual Devices’ (if it is not already selected) in the menu on the left.
On the far right, press the “New” button.
Fill in the data for your new AVD (this can vary based on your own personal needs):
Target: Android 2.3.3, API 10
SD Card: Optional. (We will leave this blank)
Skin: Default (WVGA800)
Hardware Support: You can select additional hardware support if it is necessary for testing your application. I have found this occurs VERY rarely.
Select the packages to download.
Check the box next to ‘Android SDK Platform-tools, revision x’
Check the box next to the Android SDK Platform you would like to emulate.
(You can always repoen the Android SDK and AVD Manager and download more Android SDK Platforms later).
Press the ‘Create AVD’ button.
Close out of the Android SDK and AVD Manager.
Like magic, you have your first Android Virtual Device!
Now, before we start our emulator, we will want to spin up our proxy. If you aren’t looking to capture requests, you can skip this step.
Starting your proxy
Double-click your BURP jar file to start your proxy (or use the command line to launch the proxy).
Within BURP, there are a few settings you will want to confirm:
Under the ‘Proxy’ > ‘Option’ tab, you will want to ensure you have a proxy listener running. If you are having network issues with your application, one thing to try is the ‘support invisible proxying for non-aware clients.’ For now, we will leave that option unchecked.
Upstream Proxy Servers:
If you are working in a corporate environment, you will likely have a proxy server standing between you and that dangerous Internet. In this case you will want to go to the ‘Options’ tab (not to be confused with the ‘Proxy’ > ‘Options’ tab), and scroll down to ‘Upstream Proxy Servers.”
Enter the settings for your proxy server and you should be set!
Starting your AVD
OK, merely having an AVD isn’t enough. You need it running. This is fairly simple.
- Linux: $ ./emulator -avd testingavd -http-proxy http://127.0.0.1:8080
- Windows: C:\>emulator -avd testingavd -http-proxy http://127.0.0.1:8080
You should now see your AVD!
Note: I have seen it take several minutes to start an AVD, particularly on older systems or VMs with little RAM.
If you find that you are having troubles connecting to the Internet, you can close out of your AVD and reload it, excluding the '-http-proxy http://127.0.0.1:8080' portion of the command. That will help you to determine if your proxy is the cause of your issues.
The above method is, in my opinion, the most consistent way to get your AVD to recognize your BURP proxy. If that does not work for you, you can always try setting it within the AVD:
Home > Menu > Settings > Wireless & networks > Mobile Networks > Access Point Names.
Here you can configure the Proxy Settings.
There are still a few other ways of setting up the Proxy, but the two described here are the most reliable.