Getting Started with Android App Testing with Genymotion

  35,825 views

InsiderPhD


3 years ago

Okay so we've done iOS so by popular demand here is Android! In this episode, I show you how to get started with Android app testing by using an emulator. Using Genymotion we set up an emulator, proxy our traffic into Burp and see what APIs the Yahoo Mail app is calling. Much more simple than iOS, and you don't even need an Android phone! Android is still a minority when it comes to platforms to hack, so don't worry you'll still be finding those bugs that no one else can!
Did you know this episode was sponsored by Intigriti? Sign up with my link: go.intigriti.com/katie. I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
Resources
- Genymotion: www.genymotion.com
- Using your device: / root-detection-ssl-pin...
- What is SSL pinning: owasp.org/www-community/contr...
- FRIDA: frida.re

Comments: 128
@learningwithtom4104 2 years ago
Thanks for helping getting started with Android PT. Will surely share once I find a valid bug. Thanks once again. Keep up the good work.
@kentslaves 3 years ago
Useful and entertaining, Katie! Keep it up! 😍
@InsiderPhD 3 years ago
Thank you so much!!
@mehboob9324 2 years ago
This was really helpful. I watched a few videos about it, but you explained it very well and now it's working finally, thanks
@khaledmohamed5564 15 days ago
You are the most helpful Bug bounty content creator and I learnt a lot from you, I hope you make more videos about Android Pentesting because Web is sooooo much competitive.
@watchvideoswatchvideos6958 3 years ago
Amazing info katie, thank you so much!!
@igwenonso4084 1 year ago
just seeing this now I LOVE IT keep up the good work katie😚
@rahul.mishr411 3 years ago
Thank you for amazing lectures.
@mr.kn0w1t4ll2 3 years ago
Been wanting to get into android for a while now, the video really helped! Thanks a lot !! btw, could you also make a tutorial on how to disable ssl pinning on mobile applications ?
@InsiderPhD 3 years ago
I’ve included one in the description. I don’t work with physical Android devices, I’m afraid, so I can’t include a tutorial on that! I work with iOS mainly!
@billapatigoutham6066 3 years ago
Thank you so much for sharing 👍
@bagasrizki973 3 years ago
Yesss mobile app hunting, thanks Katie!
@matthiasgarrett669 2 years ago
instablaster...
@wolfrevokcats7890 4 months ago
Hi Kathy, appreciate if you could make videos about Magisk, frida, objection, to bypass root detection & SSL pinning
@xdmotivation 3 years ago
Full respect
@xormagic5190 3 years ago
Hi Katie, your video really helped me. Thank you for such good content.
@khushmanvar9038 3 years ago
Thank you madam. This content is really helpful!
@InsiderPhD 3 years ago
Aww thank you so much, I’m glad it helped you!
@iandonohue7257 10 months ago
hey katie! thank you for your content you are really helping - I have one question - why is my google nexus 6 different from the demonstration? I have slightly different apps and cannot access - even after GApps? I had to go into network internet>internet>androidwifi> the little pencil in the top right of the box> toggle the advanced options caret
@_clavita 3 years ago
thanks this video helped me setting my mobile env :)
@DictionaryMath5903 3 years ago
Just discovered your channel. Love your work! I'm about to sign up but I just want to clarify - are you tied to a single bug bounty platform? Just asking because from what I understand, different platforms can cater to different regions/industries.
@InsiderPhD 3 years ago
Nope, you can hunt on any platform. I’m on Bugcrowd, HackerOne and Intigriti
@DictionaryMath5903 3 years ago
@@InsiderPhD that's great. thank you!
@savirsuda 3 years ago
Thanks for this video :)
@albonycal 3 years ago
Yes!! New video 🎉
@InsiderPhD 3 years ago
🎉
@cyrexplays5031 3 years ago
My ooxe extension not displaying on burp suite. But other extensions are displaying. What's the problem??
@sy-gamer9556 3 years ago
hi katie wanted to ask, I want to do both iOS and Android bug bounty so is it necessary to have a Mac for iOS or is an iPhone ok
@talishgarg1151 3 years ago
Amazing! Could you make a video on Frida too as there is very little content for that online
@InsiderPhD 3 years ago
For sure! I want to cover FRIDA with a focus on bug hunting which I think is really lacking in general! But I need to learn FRIDA first :)
@abhhibirdawade9657 3 years ago
Katie you're amazing!!
@InsiderPhD 3 years ago
Thanks so much
@nixsonblackstone7900 3 years ago
You're the best katie
@Haidderispro 2 years ago
I have an iPhone but can’t jailbreak it maybe because of my iOS version or because it’s an iPhone 12. So thinking about doing this instead for bug hunting. Is there a way to use Burp with iPhone without jailbreaking?
@wardellcastles 3 years ago
Katie.. thanks for the vid. Basic question though. Since the same APIs are used by both Web and Mobile version of an App, what's the purpose of testing APIs on a mobile emulator vs the web version of the App?
@InsiderPhD 3 years ago
So sometimes the mobile app uses a different API (usually to batch requests because of signal issues), also a website may not actually use an API but a mobile app has to.
@wardellcastles 3 years ago
@@InsiderPhD Makes sense. I have so much to learn. You are a treasure.
@InsiderPhD 3 years ago
That was a great question! I will include it in the next video!
@Mersal-uj5nh 3 years ago
I was thinking the same but you asked it 💞🙏
@anujkumarpatel2686 3 years ago
great content you are the best
@jakariaislamshanto1217 3 years ago
Man you are getting better .
@InsiderPhD 3 years ago
Thank you for this comment :) I'm trying new things with my content and trying to push myself out of my comfort zone so it means a lot to know my improvement is noted!
@AjayKumar-xl4jc 3 years ago
No man she is girl
@jakariaislamshanto1217 3 years ago
@@AjayKumar-xl4jc Man: a member of the species Homo sapiens or all the members of this species collectively, without regard to sex:
@mageshsal1015 3 years ago
Wow cool, tysm ❤️❤️
@sandeepsingh87 3 years ago
After downloading, Genymotion is stuck at starting virtual device, does anyone have any idea how to solve it?
@bugbountyvideo 2 years ago
Awesome katie
@aryankushwaha4261 3 years ago
Love watching your videos...........!!!!!! 💓💓💓💓💓💓💓💓💓💓💓💓
@AjayKumar-xl4jc 3 years ago
Wow, this is another useful and interesting video, thanks
@InsiderPhD 3 years ago
Glad you think so!
@gyangaha109 1 year ago
Can't intercept native mobile app like facebook. But able to intercept via browser. Tried SSLUnpinning with Xposed Installer but still can't intercept native facebook app traffic. Can somebody help? thanks
@learnlylearnaboutmanything7112 3 years ago
Excellent explanation 😃😃
@InsiderPhD 3 years ago
Thank you! 😃 I hope you learn many things :)
@learnlylearnaboutmanything7112 3 years ago
@@InsiderPhD yep I did , looking forward for next video 😃😄
@chad4634 3 years ago
Thx Zo Useful
@yoshi5113 3 years ago
hi Katie, have you ever used BRIDA? I hope you can demo it on your KZfaq channel, because I think this tool will be great ..
@InsiderPhD 3 years ago
No I will definitely check it out!
@MRIDULSG 3 years ago
If you want to work with frida then I recommend using Runtime Mobile Security Framework which has a webui to run scripts and easy to setup
@InsiderPhD 3 years ago
Thanks for the tip!
@himanshu4316 3 years ago
Thank you!! Good intro video on android PT.
@InsiderPhD 3 years ago
Aww thank you! I'm definitely going to cover some more stuff like RE and Frida for both Android + iOS later on
@himanshu4316 3 years ago
Oh yes!! I'm eagerly waiting for that.. I started my career in PT majorly on Android PT. Currently in Incident Response field.. Was looking to start BB in Android field since not many do it as you mentioned. .. This video refreshed my good ol memories!!! Cheers..
@InsiderPhD 3 years ago
Nice! Android bb is a great place at the moment, lots of resources available but still few people hacking, there's a ton of low hanging fruit in android apps!
@shopflicker 3 years ago
we need more video for android bug bounty
@Stas1983ful 3 years ago
I have't modify network when click to WiredSSID
@ggmaxx66 3 years ago
anyone know why you cannot configure manual proxy settings in android os ver 7.0 and above? 6.0 os instructions don't work and the manual says to open a wifi edit button which is not there. blogs have said this was changed for os 7.0 and above.
@ggmaxx66 3 years ago
here's why ==> to set manual proxy for Android OS 7 and above => hit advanced options WITHOUT entering a password. this will open the advanced options tab ( three days later ) *whew*
@saranshsrivastav9743 3 years ago
Thanks katie the video was amazing but I didn't understand the part in the end where you said google apps doesn't provide ssl bypass so why does yahoo have ssl bypass ? and in this way why don't other companies can do just like google so that no one can attack their application
@InsiderPhD 3 years ago
The emulator version has it turned off for everything but Google apps, basically. But physical devices do have SSL pinning. If you want to test a physical device you need to bypass the SSL pinning. Also, it doesn't stop people from attacking an application but helps reduce MITM attacks which tend to be more common for mobile devices, think fake "free wifi" which is actually used to find credentials.
@saranshsrivastav9743 3 years ago
@@InsiderPhD got it thanks again you are amazing
@anujkumarpatel2686 3 years ago
katie you are awesome
@James-dt6xv 3 years ago
hi katie first of all a big thanks for your great videos, I've learned a lot from them :) but sadly I have a problem with setting up the burp to intercept the apps data :( I first tried to use genymotion but it didn't work because it just fails while installing Gapps so I used memu instead then installed the burp cert and it captures data while using browser but for apps it just returns TLS errors in dashboard (the client failed to negotiate a TLS connection to ...) I don't know what to do, please help me I really want to start android hacking :(
@erickguzman1406 2 years ago
Already tried with another device on Genymotion?
@TomcatGoesBr 3 years ago
you're LEGEND!
@InsiderPhD 3 years ago
Thank you soo much!
@karthikkarthik-kf6bb 3 years ago
But the android version is 5 right? So some apps won't be installed for testing ...
@asadmehar3632 3 years ago
Please make more videos into Android bug hunting
@InsiderPhD 3 years ago
FRIDA is coming next!
@assanendiaye6279 2 years ago
Hello guys, I want to clone my phone on Genymotion, is that possible? Literally, I want to virtualize my phone.
@danielmaina4817 3 years ago
U explain things so well .wish u were my lecturer 😅😅
@InsiderPhD 3 years ago
I am your online lecturer! :D
@danielmaina4817 3 years ago
@@InsiderPhD very true .. your videos helped me to my first bug.. though it was duplicate... U do great work
@InsiderPhD 3 years ago
That's AWESOME congrats! Finding your first bug means you got the skills to find bugs 100%, but you just weren't quick enough this time, but you'll get much quicker as you learn more!
@danielmaina4817 3 years ago
@@InsiderPhD thanks a lot...
@DEADCODE_ 1 year ago
I registered by your link
@babay-mp4bq 3 years ago
Hello, is it illegal if I use free license of Genymotion for bug bounty hunting?
@sandeepsingh87 3 years ago
did you find the answer, is it illegal?
@James-mb5xt 3 years ago
Hey !! What about SSL Pinning ?? Any idea about this ?? I lost my whole damn week but didn't find any solution to intercept APPLICATION traffic ..
@InsiderPhD 3 years ago
SSL pinning is definitely an issue, I’m sorry I didn’t cover it, I’ll update this video ASAP :)
@James-mb5xt 3 years ago
@@InsiderPhD Please
@atNguyen-gm6cf 2 years ago
Thank you, I hope you release more videos about Android testing. I am an information security student from Vietnam
@joshgordon7299 3 years ago
You're awesome
@kmunikrishnareddy7471 3 years ago
Can i use burp in my mobile phone without a pc?
@Log.Rhythm 4 months ago
No, but you can with Caido
@AmitChauhan-sp1cw 3 years ago
Can I use physical device ? Will it make some difference
@InsiderPhD 3 years ago
I included instructions for a physical device in the description. It’s a little harder to get set up as you need to disable SSL pinning
@historymystery4915 2 years ago
Oh god thank u so muchhh ...u saved my like u saved d world for mee u n angelll lol thankkk u so muchh hahha !!!
@sudosuraj 1 year ago
next : kzfaq.info/get/bejne/l7d3lbyXxtK2hHU.html
@RAVIJATAV007 3 years ago
🦋
@pianodotexe3852 3 years ago
Mam, how to fetch newly added subdomains in a particular program !!!!
@InsiderPhD 3 years ago
Coming in 2 weeks going to go over subdomain enum + amass :D
@InsiderPhD 3 years ago
2 months* sorry!
@pianodotexe3852 3 years ago
@@InsiderPhD Thanks for your reply ♥️ Sublist3r vs knockpy vs chaospy vs subjack vs HostileSubBruteforcer
@pianodotexe3852 3 years ago
@@InsiderPhD it's ok mam Quality contents take time☺️🤞
@akmutik6259 3 years ago
That's not bypassing SSL pinning. You just installed a certificate; if the app encrypts the network internally you cannot intercept it through Burp
@InsiderPhD 3 years ago
No it’s not :)
@anujkumarpatel2686 3 years ago
can anyone please explain what an endpoint is, I am kinda confused
@InsiderPhD 3 years ago
Endpoint is just a URL which exists, so www.youtube.com is an endpoint but www.youtube.com/watch isn't cause it redirects to the home screen cause it doesn't exist
@anujkumarpatel2686 3 years ago
@@InsiderPhD thanks katie much love to you
@prob_here 3 years ago
Where are the timestamps
@girishpadia6449 3 years ago
Please make a video on Frida.
@InsiderPhD 3 years ago
Definitely coming!
@ArunKumar-sg6jf 3 years ago
Are u using Android phone for this testing
@InsiderPhD 3 years ago
I'm using genymotion and android in an emulator :)
@lukeempty3386 11 months ago
This doesn't really work anymore on more up to date android stuff. Burp certificate need to be installed in the system section and not user, this guy has a few videos you can use to set it up using android studio kzfaq.info/get/bejne/gM1km9yLy6y4lJc.html
@user-ko7ul7xy2f 3 years ago
Genymotion is not free, isn't there some free alternative?
@InsiderPhD 3 years ago
You can use another emulator, or a physical device. Genymotion is free for personal use
@mackeman1356 10 months ago
its network feature is now for licensed only @@InsiderPhD
@xormagic5190 3 years ago
I have noticed your Gmail address is leaked in the video 13:25 ☝😀😀
@InsiderPhD 3 years ago
It’s nothing private :) just an unused email that I don’t want people to try (they won’t get a reply!)