Dynamic Mobile App Security Testing (DMAST) with Android Emulator OWASP ZAP

A nice way I’ve found to run dynamic security tests on Android apps is using an Android emulator on your local machine, in conjunction with OWASP ZAP. Since these are both free tools, this should not cost you anything, other than some time, RAM and storage space.

Part 1: Set up virtual Android device

1. There are a few ways to set up a virtual Android device. Here I’ll be using Android Studio, which is available here. Install it as per the instructions here.

2. Once you have installed Android Studio installed, create a new virtual device:

Go to AVD Manager
Click “Create Virtual Device”
Choose a virtual device model.
Choose a release with a corresponding API level and Android version (30 and 11.0, respectively, are the most recent at the time of writing)

3. Then, once you have created the virtual Android device, you may close Android Studio, and run the following commands in the terminal:

# To check that the virtual Android device exists and to find out its name

Pixel_4_XL_API_28
Pixel_4_XL_API_30

# To run the emulator for the purposes of dynamic analysis (DAST)

You should then see output similar to that in the screenshot below, and the virtual device should pop up as well:

Note that you may get a response like:

This just means you have not added emulator to PATH, which can be done permanently in Linux by appending the following line to the .bashrc file in your home directory:

And in Windows by adding the path to your Environment variables. You can do this either via the command line:

Or via the UI:

Search for “Edit the system environment variables”
Click Environment Variables… > Edit… > New, and type in the path.

Part 2: Configure both OWASP ZAP and the Android virtual device so that it is possible to intercept HTTP(S) traffic from the virtual device

1. If it is not already installed, install OWASP ZAP from the official site.

2. On the virtual device, go to Wifi Settings > Advanced Options and change the proxy settings there to Manual. Then under Proxy hostname, enter 10.0.2.2 . This IP corresponds to the Special alias to your host loopback interface (i.e., 127.0.0.1 on your development machine) — see the Android Studio Developer documentation.

The correct proxy settings on the virtual device

Click Save.

3. The port has to be whatever this is set to in OWASP ZAP. The default port used by OWASP ZAP is 8080.

The correct proxy settings on OWASP ZAP

4. You’ll notice at this stage that although you are still connected to the internet on the virtual Android device, you see this message when you try to access any HTTPS website:

5. To solve this problem you need to import the Dynamic SSL Certificate from OWASP ZAP. Go to Tools > Options > Dynamic SSL Certificate and click Save .

A certificate should already have been auto-generated. You can also generate a new one by clicking “Generate”.

Once saved, you need to transfer the certificate to the virtual device, which can be done by simply dragging it across.

6. Then, on the mobile device, go to Settings > Security > Advanced > Encryption & Credentials > Install a certificate > CA certificate. Go to Downloads and it should be there. Click on it to install it.

You should see the following message when trying to install it. Click Install anyway.

7. Then try to visit a webpage, for example https://google.com. The page should load without any trouble and you should also see the OWASP ZAP (Heads Up Display) HUD overlay.

8. Any activity you perform in the browser now will be recorded in OWASP ZAP on your local machine:

9. The same will happen if you use an app. Transfer an .apk file (for this writeup, I have used one called VidMate) to the virtual device by dragging it over again, as was done with the certificate. That will install it automatically.

Then notice that as you use the app, all HTTPS requests made will appear in OWASP ZAP:

Happy testing!

A variety of topics related to the information security (infosec) field