Many people think that the best way to pentest Android apps is to connect an Android phone directly to a PC or Mac and debug it. This setup gives the tester a lot of control, and in many cases it works better than a typical Android emulator.
Even if you don’t have access to multiple devices, Android Studio’s built-in Android Virtual Device (AVD) is often the right choice for such pentest jobs. An AVD can be rooted and it integrates well with the debugger, so everything works fine. But if you’re running Windows 11 and you want to pentest Android apps, you can easily do so without relying on emulators or virtual machines, thanks to Windows Subsystem for Android (WSA) support.
How to pentest Android apps on Windows 11 with WSA
According to Michael Higgo from Orange Cyberdefense, WSA can be used to test Android security in the same way as a physical Android device. Higgo, Lead Security Analyst at SensePost, recently published a blog post with some general details on how to conduct Android app security testing on WSA.
When assessing the security of an Android application, using a runtime mobile exploration toolkit like Objection in combination with the Windows Subsystem for Android makes the job quite affordable for a security researcher.
The Android subsystem for Windows 11 is built on the same technology as Windows Subsystem for Linux. Thanks to the seamless virtualization supported by Hyper-V, WSA is significantly faster than any other Android emulator available. Furthermore, you can download apps on WSA or even modify the base system image to install the Play Store and other Google apps. In summary, it makes sense to use Windows Subsystem for Android as a mobile application testing platform.
After installing a launcher in WSA, you can access the network settings of the Android layer. Next, you can install a certificate authority and set up a custom proxy to intercept traffic using web vulnerability scanning tools like Burp Suite.
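The proxy step above can also be scripted over adb from the Windows host. The following PowerShell sketch is an added example, not code from the article or from Higgo's post; it assumes adb is on PATH, that WSA Developer mode is enabled and shows the default adb address 127.0.0.1:58526, and that the parameter values are placeholders for your own test lab.

```powershell
# Added example, not from the article or from Higgo's post.
# Assumptions: adb is on PATH, WSA Developer mode is enabled, and all
# parameter values are placeholders for your own test lab.
param(
    [string]$WsaEndpoint = '127.0.0.1:58526', # adb address shown in WSA Developer mode
    [string]$ProxyHost,                       # Windows host IP as reachable from WSA
    [int]$ProxyPort = 8080,                   # intercepting proxy listener port
    [string]$CaCertPath,                      # CA certificate exported from the proxy
    [switch]$Clear                            # remove the proxy after the assessment
)

function Invoke-Adb {
    # Run adb against the WSA instance only and fail loudly on errors.
    $out = & adb -s $WsaEndpoint @args 2>&1
    if ($LASTEXITCODE -ne 0) { throw "adb $($args -join ' ') failed: $out" }
    return $out
}

# 'adb connect' can exit 0 even when the connection is refused, so verify state.
& adb connect $WsaEndpoint | Out-Null
if ((Invoke-Adb get-state) -ne 'device') { throw "WSA not reachable at $WsaEndpoint" }

if ($Clear) {
    # ':0' resets the global HTTP proxy so WSA traffic flows directly again.
    Invoke-Adb shell settings put global http_proxy ':0' | Out-Null
    Write-Host 'Proxy cleared.'
    return
}

if (-not $ProxyHost) { throw 'Specify -ProxyHost, or -Clear to remove the proxy.' }

if ($CaCertPath) {
    if (-not (Test-Path $CaCertPath)) { throw "CA certificate not found: $CaCertPath" }
    # Copy the CA file into Android storage; trust is still granted by hand
    # in the Android settings UI.
    Invoke-Adb push $CaCertPath /sdcard/Download/ | Out-Null
}

Invoke-Adb shell settings put global http_proxy "${ProxyHost}:${ProxyPort}" | Out-Null
# Read the value back to confirm what Android actually stored.
Write-Host "http_proxy is now: $(Invoke-Adb shell settings get global http_proxy)"
```

Run it again with `-Clear` when the assessment is finished, otherwise every app in WSA keeps sending its traffic to a proxy that may no longer be listening.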
For more on Android security testing using WSA, check out Michael Higgo’s blog post. Whether you are a professional security researcher or you simply want to learn about Windows Subsystem for Android, this is a great way to learn penetration testing on Android applications.