Dynamic Mobile App Security Testing (DMAST) with Android Emulator and OWASP ZAP
A nice way I’ve found to run dynamic security tests on Android apps is using an Android emulator on your local machine, in conjunction with OWASP ZAP. Since these are both free tools, this should not cost you anything, other than some time, RAM and storage space.
Part 1: Set up virtual Android device
1. There are a few ways to set up a virtual Android device. Here I’ll be using Android Studio, which is available here. Install it as per the instructions here.
2. Once you have Android Studio installed, create a new virtual device (Tools > Device Manager):
3. Then, once you have created the virtual Android device, you may close Android Studio, and run the following commands in the terminal:
# To check that the virtual Android device exists and to find out its name
alex@ubuntu:~$ emulator -list-avds
Pixel_4_XL_API_28
Pixel_4_XL_API_30
# To run the emulator for the purposes of dynamic analysis (DAST).
# -writable-system lets /system be remounted read-write later (for example to add a CA to the system trust store);
# -no-snapshot cold-boots the image instead of loading a saved snapshot, and does not save one on exit
alex@ubuntu:~$ emulator -avd Pixel_4_XL_API_30 -writable-system -no-snapshot
You should then see output similar to that in the screenshot below, and the virtual device should pop up as well:
Note that you may get a response like:
emulator: command not found
This just means you have not added emulator to PATH, which can be done permanently in Linux by appending the following line to the .bashrc file in your home directory (adjust the path to wherever your SDK lives, then open a new terminal or run source ~/.bashrc):
export PATH=$PATH:/home/alex/Android/Sdk/emulator
And in Windows by adding the path to your Environment variables. From the command line, for the current session only:
set PATH=%PATH%;C:\Users\User\AppData\Local\Android\Sdk\emulator
Or, to persist it for your user account (note that setx writes the expanded value, system PATH included, into your user variable):
setx PATH "%PATH%;C:\Users\User\AppData\Local\Android\Sdk\emulator"
Or via the UI:
Part 2: Configure both OWASP ZAP and the Android virtual device so that it is possible to intercept HTTP(S) traffic from the virtual device
1. If it is not already installed, install OWASP ZAP from the official site.
2. On the virtual device, go to Wifi Settings > Advanced Options and change the proxy settings there to Manual. Then under Proxy hostname, enter 10.0.2.2. Inside the emulator this IP is a special alias for your host's loopback interface (i.e., 127.0.0.1 on your development machine), so it reaches ZAP listening on the host; see the Android Studio Developer documentation on emulator networking.
Click Save.
3. The Proxy port has to match the port ZAP's local proxy is listening on (shown under Tools > Options). The default port used by OWASP ZAP is 8080.
4. You’ll notice at this stage that although you are still connected to the internet on the virtual Android device, you see this certificate error when you try to access any HTTPS website. That is expected: ZAP terminates the TLS connection and presents a certificate it has signed with its own root CA, which the device does not trust yet:
5. To solve this problem you need to import ZAP's root CA (its "Dynamic SSL Certificate") into the device. Go to Tools > Options > Dynamic SSL Certificate and click Save (in recent ZAP releases the same option lives under Tools > Options > Network > Server Certificates). This writes the public root certificate as a .cer file in PEM format; it contains no private key, so copying it around is harmless.
Once saved, you need to transfer the certificate to the virtual device, which can be done by simply dragging it across onto the emulator window; it lands in the device's Downloads folder.
6. Then, on the mobile device, go to Settings > Security > Advanced > Encryption & Credentials > Install a certificate > CA certificate. Go to Downloads and it should be there. Click on it to install it.
You should see the following message when trying to install it. Click Install anyway.
7. Then try to visit a webpage, for example https://google.com. The page should load without any trouble and, if you have the HUD enabled in ZAP, you should also see the OWASP ZAP Heads Up Display (HUD) overlay in the browser.
8. Any activity you perform in the browser now will be recorded in OWASP ZAP on your local machine:
9. The same will happen if you use an app, provided the app trusts the certificate you just installed. Transfer an .apk file (for this writeup, I have used one called VidMate) to the virtual device by dragging it over again, as was done with the certificate. That will install it automatically.
Then notice that as you use the app, HTTPS requests made by it will appear in OWASP ZAP:
One caveat that matters for real targets: the Settings flow above installs ZAP's CA into the user trust store, which the browser honours but which apps targeting Android 7 (API 24) or later ignore unless their network security config explicitly trusts user certificates. For such apps you either install the CA into the system trust store (this is what the -writable-system flag from Part 1 makes possible), patch the app's network security config, or, if the app pins its certificates, hook the pinning logic at runtime. If an app works normally but nothing from it shows up in ZAP, or it fails only over HTTPS, this is the first thing to check.
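The whole procedure above (Part 1 and Part 2, plus the system-store variant of the certificate install that the -writable-system flag exists for) can be scripted instead of clicked through. The script below is an added example and is not from the original post; it assumes, beyond what the post states, that ZAP's proxy is on port 8080, that zap.sh, adb and openssl are on PATH, that the CA file is the PEM .cer ZAP exports, and that the AVD is a "Google APIs" image rather than a Play Store image, since Play images refuse adb root. The APK name app.apk is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: scripted version of Parts 1-2
# plus the system-CA install that the post's -writable-system flag makes possible.
# Assumed (not stated in the post): ZAP proxy on port 8080, zap.sh on PATH,
# adb/openssl on PATH, and a "Google APIs" AVD image (no Play Store), since
# Play images refuse `adb root`. Run as:  sh dmast.sh run
set -eu

ZAP_PORT="${ZAP_PORT:-8080}"
HOST_ALIAS="10.0.2.2"                      # emulator alias for the host's loopback
CERT_FILE="${CERT_FILE:-zap_root_ca.cer}"  # PEM root CA exported from ZAP
APK="${APK:-app.apk}"                      # placeholder name for the app under test
CACERTS=/system/etc/security/cacerts       # Android system trust store

# Pull the API level out of an AVD name such as Pixel_4_XL_API_30 -> 30.
avd_api_level() {
    level="${1##*_API_}"
    [ "$level" != "$1" ] || return 1       # no _API_ marker in the name
    printf '%s\n' "$level"
}

# Read AVD names on stdin (the output of `emulator -list-avds`) and print the
# one with the highest API level, so the newest image is tested by default.
latest_avd() {
    best=""; best_level=-1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        level="$(avd_api_level "$name")" || continue
        if [ "$level" -gt "$best_level" ]; then
            best="$name"; best_level="$level"
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Value for Android's global http_proxy setting (the Wi-Fi "Manual" proxy of
# steps 2-3, set via adb instead of the UI). Format is host:port; ":0" clears it.
proxy_setting() { printf '%s:%s\n' "$HOST_ALIAS" "$ZAP_PORT"; }

# Android finds system CAs by file name: <subject_hash_old>.0, where the hash is
# OpenSSL's legacy (0.9.8-era) subject hash, hence -subject_hash_old.
ca_file_name() {
    printf '%s.0\n' "$(openssl x509 -inform PEM -subject_hash_old -noout -in "$1")"
}

wait_for_boot() {
    sleep 5                                # let adbd drop before polling
    adb wait-for-device
    until [ "$(adb shell getprop sys.boot_completed 2>/dev/null | tr -d '\r')" = "1" ]; do
        sleep 2
    done
}

main() {
    avd="$(emulator -list-avds | latest_avd)"

    # Part 1: boot with a writable /system (needed for the system CA below).
    emulator -avd "$avd" -writable-system -no-snapshot >/dev/null 2>&1 &
    wait_for_boot

    # Part 2, steps 2-3: point the device at ZAP on the host.
    adb shell settings put global http_proxy "$(proxy_setting)"

    # Step 5: export ZAP's root CA from the command line. Equivalent to
    # Tools > Options > Dynamic SSL Certificate > Save; skipped if already exported.
    [ -f "$CERT_FILE" ] || zap.sh -cmd -certpubdump "$CERT_FILE"

    # Step 6, but into the system store: the user store that the Settings flow
    # writes to is trusted by the browser, while apps targeting API 24+ ignore it
    # unless their network security config opts in. API 29+ also needs dm-verity
    # off (and a reboot) before /system can be remounted read-write.
    adb root; adb wait-for-device
    adb disable-verity || true
    adb reboot; wait_for_boot
    adb root; adb wait-for-device
    adb remount
    name="$(ca_file_name "$CERT_FILE")"
    adb push "$CERT_FILE" "$CACERTS/$name"
    adb shell chmod 644 "$CACERTS/$name"
    adb reboot; wait_for_boot              # the trust store is read at boot

    # Step 9: install the app under test instead of dragging it over.
    adb install -r "$APK"
    echo "Device is proxied via $(proxy_setting); watch the History tab in ZAP."
}

if [ "${1:-}" = "run" ]; then main; fi
```

The helper functions are kept separate from main so they can be reused: latest_avd picks the newest image, proxy_setting is the exact string Android stores for the global proxy (run adb shell settings put global http_proxy :0 to undo it), and ca_file_name produces the hashed file name Android expects in its system trust store, which is why a certificate pushed under its original name is silently ignored.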
Happy testing!