Preparing Android for penetration testing – WSA edition

We at Digital Security do a lot of Android app analysis, so it’s time to share some of what we’ve learned and review the environments we use every day.

There are many ways to set up a pentesting environment, but the devices fall into two groups: virtual devices and physical ones.

We have a number of rooted physical devices with an identical environment, but sometimes you have to use a virtual one, and that usually means an Android Studio AVD.

Not so long ago, Microsoft released the Windows Subsystem for Android (TM). I was so interested in this tool that I left my working environment on Fedora Linux and installed Windows 11.

This article could have been written around a real device or an Android Studio virtual device, but it seems more interesting to take apart Windows Subsystem for Android 😄

This option has its limitations, which will be discussed later.

Microsoft describes the tool as follows:

Windows Subsystem for Android enables your Windows 11 device to run Android applications that are available in the Amazon Appstore. Android is a trademark of Google LLC. This guide will help developers who are interested in creating desktop Windows applications and optimizing them for the Windows operating system.

To make Android apps available on a Windows 11 device, you need to do the following: install the Amazon Appstore.

In fact, the Amazon Appstore is not actually required. There is already a WSA build that comes bundled with Magisk, GApps and, of course, root access.

This build is distributed from a repository owned by the developers of LSPosed, an active fork of XPosed. That repository was locked for violating the GitHub Actions policy, so it no longer provides prebuilt artifacts on GitHub.

Okay, let’s do it ourselves 🙂

Installing the WSA

All we need is WSL with any working Linux distribution. Ready-made builds can be found online (for example here), but sending readers off to download a ZIP archive from a Telegram channel seems like bad practice for an article. We are hackers, after all, and know how to use the command line.

Make sure that Virtual Machine Platform and Windows Subsystem for Linux are enabled. Both are switched on in the "Turn Windows features on or off" dialog (the exact name depends on your locale).

Activating Windows Features

Next, you need to use Linux to run a script that downloads the required artifacts and builds the WSA for us. I’m using the WSL version of Ubuntu.

git clone https://github.com/LSPosed/MagiskOnWSALocal.git
cd MagiskOnWSALocal
cd scripts
sudo ./run.sh # installs the script's dependencies and then builds WSA

Select the options you need when the script prompts for them. I chose GApps Pico and Magisk.

The script will download a 1.5GB WSA distribution, Magisk and OpenGApps, so you need to wait.

Executing the WSA Build Script

As a result, we should have a folder with the following content:

A built WSA build in the Windows directory

Open PowerShell with administrative privileges in this directory and run the following command:

Add-AppxPackage -Register .\AppxManifest.xml

If the command completed successfully, then you just installed WSA 👏

You should now have a program in your system called “Windows Subsystem Settings for Android”

Device setup

Run it and enable developer mode. The same settings page shows the address and port that adb should connect to.

Now we can connect via adb:

adb connect 127.0.0.1:58526 # use the address shown in the WSA settings

First we need to install the Magisk application, you can take it from the official repository https://github.com/topjohnwu/magisk/releases .

adb install .\Magisk-v25.2.apk

A short digression is needed here: applications installed in WSA are integrated into the host system, so Magisk is launched from the Windows Start menu like any other app.

Now let's test what all of this was for. Open adb shell and run su to elevate privileges.
If everything was done correctly, Magisk shows a prompt asking you to grant superuser rights, and after confirming it the shell prompt changes to root.

Excellent. We have Magisk and root access. The next step is to install LSPosed so that we can use XPosed modules: XPosed itself does not support recent Android releases, while LSPosed is an actively maintained fork.

We need to download two things: Riru and the Riru build of LSPosed.

Unfortunately, the Magisk developer no longer has the energy to maintain the built-in module repository (see https://topjohnwu.medium.com/state-of-magisk-2021-fe29fdaee458), so the modules have to be fetched and pushed to the device by hand from PowerShell.

Invoke-WebRequest "https://github.com/RikkaApps/Riru/releases/download/v25.4.4/riru-v25.4.4-release.zip" -OutFile "riru.zip"
adb push .\riru.zip /storage/emulated/0/

Invoke-WebRequest "https://github.com/LSPosed/LSPosed/releases/download/v1.8.3/LSPosed-v1.8.3-6552-riru-release.zip" -OutFile "lsposed.zip"
adb push .\lsposed.zip /storage/emulated/0/

Now go to Magisk -> Modules -> Install from storage and select riru.zip, then repeat the same for lsposed.zip.

Next we also need to install the LSPosed manager so that it can be launched as an application. Its APK is located at /data/adb/lspd/, which pm cannot read directly, so copy it to /data/local/tmp first.

su
cd /data/adb/lspd
cp manager.apk /data/local/tmp
pm install /data/local/tmp/manager.apk
# The device must be rebooted for the changes to take effect.
reboot

Done 🙂 Now you can install modules and work.

Routing traffic through a proxy

Our everyday tool is Burp Suite, so that is what we will use here; any other intercepting proxy such as OWASP ZAP or mitmproxy works the same way.

Export the CA certificate used by BurpSuite. When exporting, select DER format.

Open the exported file from Explorer.

On the Details tab, choose Copy to File and save it as a Base-64 encoded X.509 (.CER) file. I saved it under the name outfile.cer.

Open WSL again and use openssl to calculate the subject hash of the certificate. Android uses this hash as the file name in its CA store and ignores files named any other way.

openssl x509 -inform PEM -subject_hash_old -noout -in outfile.cer

The next step is to put the certificate on the device under that name, which you can do with the following command:

adb push .\outfile.cer /storage/emulated/0/9a5ba575.0 # where 9a5ba575 is the certificate's subject hash
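To double-check the name openssl prints, or to compute it where openssl is not installed, here is an added example in Python that is not part of the original post. It derives OpenSSL's subject_hash_old (the first four MD5 bytes of the DER-encoded Subject Name, read as a little-endian integer) using only the standard library. The name_cn() and build_test_certificate() helpers build a constructed dummy certificate for demonstration; with a real file, pass the Base-64 .cer exported from Burp as the argument.

```python
"""Compute the file name Android expects for a CA certificate (OpenSSL subject_hash_old).

Added example, not part of the original post. Android names each certificate in its
CA store <hash>.0, where <hash> is OpenSSL's "old" subject hash: MD5 over the
DER-encoded Subject Name, first four bytes read as a little-endian 32-bit integer,
printed as eight hex digits. The certificate built by build_test_certificate() is a
constructed skeleton with a dummy key and signature, used only to exercise the code.
"""
import base64
import hashlib
import re


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, start of value, end of value) for the TLV that begins at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, pos + 2 + nbytes, pos + 2 + nbytes + length


def subject_der(cert_der: bytes) -> bytes:
    """Return the complete DER TLV of the Subject Name inside an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _read_tlv(cert_der, 0)            # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = _read_tlv(cert_der, pos)    # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing TBSCertificate")
    fields = []
    while pos < tbs_end and len(fields) < 6:
        tag, _, value_end = _read_tlv(cert_der, pos)
        fields.append((tag, pos, value_end))       # keep the whole TLV, header included
        pos = value_end
    if fields and fields[0][0] == 0xA0:             # explicit [0] version tag present
        fields.pop(0)
    if len(fields) < 5 or fields[4][0] != 0x30:
        raise ValueError("could not locate the subject field")
    _, start, end = fields[4]                       # serial, sigalg, issuer, validity, subject
    return cert_der[start:end]


def subject_hash_old(cert_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old(): first 4 MD5 bytes as a little-endian integer, printed %08x."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return format(int.from_bytes(digest[:4], "little"), "08x")


def android_ca_filename(cert_der: bytes) -> str:
    """File name under cacerts/ (or cacerts-added/) that Android will recognise for this CA."""
    return subject_hash_old(cert_der) + ".0"


def pem_to_der(pem: str) -> bytes:
    """Decode the Base-64 encoded X.509 form that the Windows 'Copy to File' wizard writes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def name_cn(common_name: str) -> bytes:
    """DER Name with one CN attribute: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String } } }."""
    attr = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, common_name.encode()))
    return der_tlv(0x30, der_tlv(0x31, attr))


def build_test_certificate(subject: bytes, with_version: bool = True) -> bytes:
    """Constructed certificate skeleton (dummy key, dummy signature) with a real field layout."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"220101000000Z") + der_tlv(0x17, b"320101000000Z"))
    rsa_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + b"\x01" * 32))
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if with_version else b""
    tbs += der_tlv(0x02, b"\x01") + sig_alg + subject + validity + subject + spki
    return der_tlv(0x30, der_tlv(0x30, tbs) + sig_alg + der_tlv(0x03, b"\x00" + b"\x00" * 32))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                            # python ca_filename.py outfile.cer
        der = pem_to_der(open(sys.argv[1]).read())
    else:                                            # constructed demo certificate
        der = build_test_certificate(name_cn("Example Burp CA"))
    print(android_ca_filename(der))
```

Run it against the exported outfile.cer and the printed name should match the one openssl gave; the hash depends only on the Subject Name, which is why a renewed Burp CA with the same subject keeps the same file name.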

Install the Magisk module, which will add our user certificate to the system directory. We will use the MagiskTrustUserCerts module.

Invoke-WebRequest "https://github.com/NVISOsecurity/MagiskTrustUserCerts/releases/download/v0.4.1/AlwaysTrustUserCerts.zip" -OutFile "trustcerts.zip"
adb push .\trustcerts.zip /storage/emulated/0/

Install it through Magisk in the same way as Riru and LSPosed above.

Now for the interesting part: the certificate has to be added to the device as a user CA, but the WSA settings (which you can open with adb shell am start com.android.settings) have no item for installing a custom CA certificate. So we create the user CA store by hand. The following commands are executed via adb shell.

su # become root
cd /data/misc/user/0
mkdir cacerts-added
cp /storage/emulated/0/9a5ba575.0 cacerts-added/
chmod 644 cacerts-added/9a5ba575.0 # same mode as certificates installed through Settings
chown -R system:system cacerts-added/
reboot

After the reboot, the MagiskTrustUserCerts module will move our user certificate to the system store.

Let's direct application traffic to Burp Suite. I'll use adb port forwarding because it is the simplest option; for some reason many people forget that adb can do much more than launch a shell and install APKs 🙂 Another option is to look up the host IP on the vEthernet (WSL) interface and set it as the HTTP proxy address.

adb reverse tcp:7777 tcp:8080 # port 7777 on the device now reaches Burp on port 8080 on the host
adb shell settings put global http_proxy 127.0.0.1:7777
# adb reverse does not survive an adb restart, so re-run it if Burp stops seeing traffic
# to remove the proxy later: adb shell settings put global http_proxy :0

Now we can study the traffic of most applications directly from the Windows interface. Apps that pin their certificates or ignore the system proxy settings will still need hooking, which is what the next section is for.

Frida

Frida has long been a staple for anyone working on mobile security, and many useful tools are built on top of it.

Download frida server and transfer it to the device.

Invoke-WebRequest "https://github.com/frida/frida/releases/download/15.2.2/frida-server-15.2.2-android-x86_64.xz" -OutFile "fridaserver.xz"
7z e fridaserver.xz # unpacks to a file named fridaserver
adb push .\fridaserver /data/local/tmp
# enter the device shell
adb shell
su
chmod +x /data/local/tmp/fridaserver
/data/local/tmp/fridaserver & # start frida-server in the background

You can connect to it as follows, using adb forwarding.

adb forward tcp:27042 tcp:27042

The Frida tools then treat our virtual device as a USB device (frida-ps -U, for example), which is very convenient.

Interesting feature

As I said earlier, Windows Subsystem for Android is integrated into the system.

  • Applications, along with their icons, are integrated into the host system, so everything installed in the subsystem is visible on the host.

  • WSA notifications are shown in the regular Windows notification feed.

  • If an app fires an intent to compose an e-mail, applications on the host pick it up, and vice versa.

  • A deep link declared in a mobile app's intent filter is known to the host, and a link clicked on the host lands in the subsystem app.

The first two features are not as interesting as the others.

Let's build an application with the following intent filter and install it in WSA.

<activity
    android:name=".DeeplinkActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />

        <data android:scheme="dsec" />
        <data android:host="open" />
    </intent-filter>
</activity>

Now let's run the rather old URLProtocolView utility, which lists the URL schemes registered in Windows. Sorting by URL name shows the registered dsec scheme.

Let’s make a simple page with the following content:

<a href="dsec://open">Click</a>

Open the page in a browser on the host and click the link: the subsystem app opens.

What is happening on the device at this moment? We have an XPosed module that hooks the relevant functions and displays the incoming intents in a convenient form. You can also use Xintent (https://github.com/2Y2s1mple/xintent).

It turns out that WSA has an agent application that acts as a proxy and launches deep links arriving from the host system 🙂 The same application declares that it handles the mailto:, sip: and tel: schemes. In other words, whatever the activity does with the parameters of its deep link is reachable from a web page opened on the Windows host, not just from other apps inside the subsystem.

Summing up

WSA is perfectly suited to running ordinary user apps and even playing some mobile games. But what about from the point of view of a pentester analysing mobile applications? In my opinion WSA is much simpler and lighter than the alternatives such as Android Studio AVD or Genymotion, and for the most part it is no worse than them.

There is one significant drawback, however: WSA does not support biometric authentication, so a full application audit will still force you to find a real phone or fall back to an Android Studio AVD. The camera also did not work for me; it is not streamed from the host, which causes problems when testing apps that recognise documents or QR codes.
