Getting Started with Android App Testing with Genymotion

  • Published on 29 Sep 2024
  • Okay so we've done iOS so by popular demand here is Android! In this episode, I show you how to get started with android app testing by using an emulator. Using Genymotion we set up an emulator, proxy our traffic into burp and see what APIs the Yahoo Mail app is calling. Much more simple than iOS, and you don't even need an android phone! Android is still a minority when it comes to platforms to hack, so don't worry you'll still be finding those bugs that no one else can!
    Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.co... I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
    Resources
    - Genymotion: www.genymotion...
    - Using your device: / root-detection-ssl-pin...
    - What is SSL pinning: owasp.org/www-...
    - FRIDA: frida.re

Comments • 129

  • @wolfrevokcats7890 7 months ago +1

    Hi Kathy, appreciate if you could make videos about Magisk, frida, objection, to bypass root detection & SSL pinning

  • @ArunKumar-sg6jf 4 years ago

    Are u using Android phone for this testing

    • @InsiderPhD 4 years ago

      I'm using genymotion and android in an emulator :)

  • @khaledmohamed5564 3 months ago +1

    You are the most helpful Bug bounty content creator and I learnt a lot from you, I hope you make more videos about Android Pentesting because Web is sooooo much competitive.

  • @gyangaha109 2 years ago +1

    Can't intercept native mobile app like facebook. But able to intercept via browser. Tried SSLUnpinning with Xposed Installer but still can't intercept native facebook app traffic. Can somebody help? thanks

  • @sudosuraj 1 year ago +1

    next : th-cam.com/video/aQGbYfalRTA/w-d-xo.html

  • @babay-mp4bq 3 years ago +1

    Hello,is it illegal if i use free license of genymotion for bug bounty hunting ?

    • @sandeepsingh87 3 years ago

      did you find the answer, is it illegal?

  • @xdmotivation 4 years ago +5

    Full respect

  • @sandeepsingh87 3 years ago +1

    After downloading, Genymotion is stuck at starting virtual device, does anyone have any idea how to solve it?

  • @bagasrizki973 4 years ago +4

    Yesss mobile app hunting, thanks Katie!

  • @assanendiaye6279 2 years ago

    Hello guys, I want to clone my phone on Genymotion, is that possible? Literally, I want to virtualize my phone.

  • @lukeempty3386 1 year ago

    This doesn't really work anymore on more up-to-date Android stuff. The Burp certificate needs to be installed in the system section and not user; this guy has a few videos you can use to set it up using Android Studio
    th-cam.com/video/Jg4hyZfFTdc/w-d-xo.html

  • @historymystery4915 2 years ago

    Oh god thank u so muchhh ...u saved my like u saved d world for mee u n angelll lol thankkk u so muchh hahha !!!

  • @mr.kn0w1t4ll2 4 years ago +2

    Been wanting to get into android for a while now, the video really helped! Thanks a lot !!
    btw, could you also make a tutorial on how to disable ssl pinning on mobile applications ?

    • @InsiderPhD 4 years ago

      I've included one in the description. I don't work with physical Android devices, I'm afraid, so I can't include a tutorial on that! I work with iOS mainly!

  • @talishgarg1151 4 years ago +2

    Amazing! Could you make a video on Frida too as there is very little content for that online

    • @InsiderPhD 4 years ago +2

      For sure! I want to cover FRIDA with a focus on bug hunting which I think is really lacking in general! But I need to learn FRIDA first :)

  • @wardellcastles 4 years ago +2

    Katie.. thanks for the vid. Basic question though. Since the same APIs are used by both Web and Mobile version of an App, what's the purpose of testing APIs on a mobile emulator vs the web version of the App?

    • @InsiderPhD 4 years ago +4

      So sometimes the mobile app uses a different API (usually to batch requests because of signal issues), also a website may not actually use an API but a mobile app has to.

    • @wardellcastles 4 years ago

      @@InsiderPhD Makes sense. I have so much to learn. You are a treasure.

    • @InsiderPhD 4 years ago +1

      That was a great question! I will include it in the next video!

    • @Mersal-uj5nh 4 years ago

      I was thinking the same but you asked it 💞🙏

  • @kmunikrishnareddy7471 4 years ago +1

    Can i use burp in my mobile phone without a pc?

    • @Log.Rhythm 7 months ago

      No, but you can with Caido

  • @DEADCODE_ 1 year ago

    I registered by your link

  • @saranshsrivastav9743 4 years ago +1

    Thanks Katie, the video was amazing, but I didn't understand the part at the end where you said Google apps don't provide SSL bypass, so why does Yahoo have SSL bypass? And in this way, why can't other companies do just like Google so that no one can attack their application?

    • @InsiderPhD 4 years ago +2

      The emulator version has it turned off for everything but Google apps, basically. But physical devices do have SSL pinning. If you want to test a physical device you need to bypass the SSL pinning. Also, it doesn't stop people from attacking an application but helps reduce MITM attacks which tend to be more common for mobile devices, think fake "free wifi" which is actually used to find credentials.

    • @saranshsrivastav9743 4 years ago

      @@InsiderPhD got it thanks again you are amazing

  • @atNguyen-gm6cf 2 years ago

    Thank you, I hope you release more videos about Android testing. I am an information security student from Vietnam.

  • @Haidderispro 2 years ago

    I have an iPhone but can’t jailbreak it maybe because my iOS version or because it’s an iPhone 12. So thinking about doing this instead for bug hunting. Is there way to use burp with iPhone without jail breaking?

  • @abhhibirdawade9657 4 years ago +2

    Katie you're amazing!!

  • @iandonohue7257 1 year ago

    hey katie! thank you for your content you are really helping - i have one question - why is my google nexus 6 different from the demonstration? i have slightly different apps and cannot access - even after GApps? i had to go into network internet>internet>androidwifi> the little pencil in the top right of the box> toggle the advanced options caret

  • @anujkumarpatel2686 4 years ago +1

    great content you are the best

  • @watchvideoswatchvideos6958 4 years ago +1

    Amazing info katie, thank you so much!!

  • @Stas1983ful 3 years ago

    I don't have modify network when I click on WiredSSID

  • @karthikkarthik-kf6bb 3 years ago

    But the android version is 5 right?
    So some apps won't be installed for testing ...

  • @xormagic5190 3 years ago

    I have noticed your Gmail address is leaked in the video at 13:25 ☝😀😀

    • @InsiderPhD 3 years ago

      It’s nothing private :) just an unused email that I don’t want people to try (they won’t get a reply!)

  • @khushmanvar9038 4 years ago +1

    Thank you madam. This content is really helpful!

    • @InsiderPhD 4 years ago

      Aww thank you so much, I’m glad it helped you!

  • @billapatigoutham6066 4 years ago +1

    Thank you so much for sharing 👍

  • @AjayKumar-xl4jc 4 years ago +1

    Wow, this is another useful and interesting video, thanks

    • @InsiderPhD 4 years ago +1

      Glad you think so!

  • @cyrexplays5031 4 years ago

    My ooxe extension not displaying on burp suite.
    But other extensions are displaying.
    What's the problem??

  • @bugbountyvideo 3 years ago

    Awesome katie

  • @aryankushwaha4261 3 years ago

    Love watching your videos...........!!!!!!
    💓💓💓💓💓💓💓💓💓💓💓💓

  • @nixsonblackstone7900 4 years ago +1

    You're the best katie

  • @sy-gamer9556 4 years ago

    hi katie, wanted to ask: i want to do both ios and android bug bounty, so is it necessary to have a mac for ios or is an iphone ok

  • @learningwithtom4104 2 years ago

    Thanks for helping me get started with Android PT. Will surely share once I find a valid bug. Thanks once again. Keep up the good work.

  • @girishpadia6449 4 years ago +1

    Please make a video on Frida.

    • @InsiderPhD 4 years ago

      Definitely coming!

  • @xormagic5190 3 years ago

    Hi,
    Katie, your video really helped me. Thank you for such good content.

  • @savirsuda 3 years ago

    Thanks for this video :)

  • @igwenonso4084 2 years ago

    just seeing this now I LOVE IT keep up the good work katie😚

  • @TomcatGoesBr 4 years ago +1

    you re LEGEND !

    • @InsiderPhD 4 years ago

      Thank you soo much!

  • @shopflicker 3 years ago

    we need more video for android bug bounty

  • @_clavita 3 years ago

    thanks this video helped me setting my mobile env :)

  • @mehboob9324 3 years ago

    This was really helpful. I watched a few videos about it, but you explained it very well and now it's working finally, thanks

  • @yoshi5113 3 years ago

    hi Katie, have you ever used BRIDA? I hope you can demo it on your TH-cam channel, because I think this tool will be great ..

    • @InsiderPhD 3 years ago

      No I will definitely check it out!

  • @ggmaxx66 3 years ago

    anyone know why you cannot configure manual proxy settings in android os ver 7.0 and above? 6.0 os instructions don't work and the manual says to open a wifi edit button which is not there. blogs have said this was changed for os 7.0 and above.

    • @ggmaxx66 3 years ago

      here's why ==> to set manual proxy for Android OS 7 and above => hit advanced options WITHOUT entering a password. this will open the advanced options tab ( three days later ) *whew*

  • @akmutik6259 3 years ago

    That's not bypassing SSL pinning.
    You just installed a certificate; if the app encrypts the network internally, you cannot intercept it through Burp.

    • @InsiderPhD 3 years ago

      No it’s not :)

  • @ΑριστοςΜηλιαρεσης 3 years ago

    Genymotion is not free, isn't there some free alternative?

    • @InsiderPhD 3 years ago +1

      You can use another emulator, or a physical device. Genymotion is free for personal use

    • @mackeman1356 1 year ago

      its network feature is now for licensed only
      @@InsiderPhD

  • @James-mb5xt 3 years ago

    Hey !! What about SSL Pinning ?? Any idea about this ?? I lost my whole damn week but didnt find any solution to intercept APPLICATION traffic ..

    • @InsiderPhD 3 years ago

      SSL pinning is definitely an issue, I’m sorry I didn’t cover it, I’ll update this video ASAP :)

    • @James-mb5xt 3 years ago

      @@InsiderPhD Please

  • @albonycal 4 years ago +1

    Yes!! New video 🎉

  • @anujkumarpatel2686 4 years ago

    katie you are awesome

  • @asadmehar3632 3 years ago

    Please make more videos into Android bug hunting

    • @InsiderPhD 3 years ago

      FRIDA is coming next!

  • @chad4634 3 years ago

    Thx Zo Usefull

  • @kentslaves 4 years ago +1

    Useful and entertaining, Katie! Keep it up! 😍

    • @InsiderPhD 4 years ago

      Thank you so much!!

  • @AmitChauhan-sp1cw 4 years ago

    Can I use physical device ? Will it make some difference

    • @InsiderPhD 4 years ago +1

      I included instructions for a physical device in the description; it's a little harder to get set up as you need to disable SSL pinning

  • @Mrr_Ball 4 years ago

    Where are the timestamps

  • @rahul.mishr411 4 years ago

    Thank you for amazing lectures.

  • @MRIDULSG 4 years ago

    If you want to work with frida then I recommend using Runtime Mobile Security Framework which has a webui to run scripts and easy to setup

    • @InsiderPhD 4 years ago

      Thanks for the tip!

  • @James-dt6xv 3 years ago

    hi katie
    first of all a big thanks for your great videos, I've learned a lot from them :)
    but sadly I have a problem with setting up the burp to intercept the apps data :(
    I first tried to use genymotion but it didn't work because it just fails while installing Gapps so I used memu instead then installed the burp cert and it captures data while using browser but for apps it just returns TLS errors in dashboard (the client failed to negotiate a TLS connection to ...)
    I don't know what to do, please help me I really want to start android hacking :(

    • @erickguzman1406 2 years ago

      Already tried with another device on Genymotion?

  • @jakariaislamshanto1217 4 years ago +1

    Man you are getting better .

    • @InsiderPhD 4 years ago +1

      Thank you for this comment :) I'm trying new things with my content and trying to push myself out of my comfort zone so it means a lot to know my improvement is noted!

    • @AjayKumar-xl4jc 4 years ago

      No man she is girl

    • @jakariaislamshanto1217 4 years ago

      @@AjayKumar-xl4jc Man : a member of the species Homo sapiens or all the members of this species collectively, without regard to sex:

  • @mageshsal1015 3 years ago

    Wow cool, tysm ❤️❤️

  • @anujkumarpatel2686 4 years ago

    can anyone please explain what an endpoint is, i am kinda confused

    • @InsiderPhD 4 years ago

      Endpoint is just a URL which exists, so www.youtube.com is an endpoint but www.youtube.com/watch isn't cause it redirects to the home screen cause it doesn't exist

    • @anujkumarpatel2686 4 years ago

      @@InsiderPhD thanks katie much love to you

  • @AkashwithUS 4 years ago

    Mam
    How to fetch newly added subdomains in a particular program !!!!

    • @InsiderPhD 4 years ago +2

      Coming in 2 weeks going to go over subdomain enum + amass :D

    • @InsiderPhD 4 years ago +1

      2 months* sorry!

    • @AkashwithUS 4 years ago

      @@InsiderPhD Thanks for your reply ♥️
      Sublist3r vs knockpy vs chaospy vs subjack vs HostileSubBruteforcer

    • @AkashwithUS 4 years ago

      @@InsiderPhD it's ok mam
      Quality contents take time☺️🤞

  • @joshgordon7299 4 years ago

    You're awesome

  • @DictionaryMath5903 3 years ago

    Just discovered your channel. Love your work! I'm about to sign up but I just want to clarify - are you tied to a single bug bounty platform? Just asking because from what I understand, different platforms can cater to different regions/industries.

    • @InsiderPhD 3 years ago +1

      Nope you can hunt on any platform I’m on Bugcrowd, HackerOne and Intigriti

    • @DictionaryMath5903 3 years ago

      @@InsiderPhD that's great. thank you!

  • @danielmaina4817 4 years ago

    U explain things so well .wish u were my lecturer 😅😅

    • @InsiderPhD 4 years ago +1

      I am your online lecturer! :D

    • @danielmaina4817 4 years ago

      @@InsiderPhD very true .. your videos helped me to my first bug.. though it was a duplicate...
      U do great work

    • @InsiderPhD 4 years ago +1

      That's AWESOME congrats! Finding your first bug means you got the skills to find bugs 100%, but you just weren't quick enough this time, but you'll get much quicker as you learn more!

    • @danielmaina4817 4 years ago

      @@InsiderPhD thanks a lot...

  • @RAVIJATAV007 4 years ago

    🦋

  • @learnlylearnaboutmanything7112 4 years ago

    Excellent explanation 😃😃

    • @InsiderPhD 4 years ago +1

      Thank you! 😃 I hope you learn many things :)

    • @learnlylearnaboutmanything7112 4 years ago

      @@InsiderPhD yep I did , looking forward for next video 😃😄

  • @himanshu4316 4 years ago

    Thank you!! Good intro video on android PT.

    • @InsiderPhD 4 years ago +2

      Aww thank you! I'm definitely going to cover some more stuff like RE and Frida for both Android + iOS later on

    • @himanshu4316 4 years ago

      Oh yes!! I'm eagerly waiting for that.. I started my career in PT majorly on Android PT. Currently in Incident Response field.. Was looking to start BB in Android field since not many do it as you mentioned. .. This video refreshed my good ol memories!!! Cheers..

    • @InsiderPhD 4 years ago +1

      Nice! Android bb is a great place at the moment, lots of resources available but still few people hacking, there's a ton of low hanging fruit in android apps!