Getting Started with Android App Testing with Genymotion

Подписаться 80 тыс.

Просмотров 36 тыс.

50% 1

Okay so we've done iOS so by popular demand here is Android! In this episode, I show you how to get started with android app testing by using an emulator. Using Genymotion we set up an emulator, proxy our traffic into burp and see what APIs the Yahoo Mail app is calling. Much more simple than iOS, and you don't even need an android phone! Android is still a minority when it comes to platforms to hack, so don't worry you'll still be finding those bugs that no one else can!
Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.com/katie I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
Resources
- Genymotion: www.genymotion.com
- Using your device: / root-detection-ssl-pin...
- What is SSL pinning: owasp.org/www-community/contr...
- FRIDA: frida.re

Развлечения

Опубликовано:

15 сен 2020

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 128

@learningwithtom4104 2 года назад

Thanks for helping getting started with Android PT. Will surely share once i find a vaild bug. Thanks once again. Keep up the good work.

@khaledmohamed5564 Месяц назад

You are the most helpful Bug bounty content creator and I learnt a lot from you, I hope you make more videos about Android Pentesting because Web is sooooo much competitive.

@mehboob9324 2 года назад

This was really help full i watched a few videos about it, but you explained it very well and now its working finally , thankss

@watchvideoswatchvideos6958 3 года назад

Amazing info katie, thank you so much!!

@kentslaves 3 года назад

Useful and entertaining, Katie! Keep it up! 😍

@InsiderPhD 3 года назад

Thank you so much!!

@igwenonso4084 Год назад

just seeing this now I LOVE IT keep up the good work katie😚

@mr.kn0w1t4ll2 3 года назад

Been wanting to get into android for a while now, the video really helped! Thanks a lot !! btw, could you also make a tutorial on how to disable ssl pinning on mobile applications ?

@InsiderPhD 3 года назад

I’ve included one in the description I don’t work physical android devices I’m afraid so I can’t include a tutorial on that! I work with iOS mainly!

@rahul.mishr411 3 года назад

Thank you for amazing lectures.

@xormagic5190 3 года назад

Hi, Katie your video realy help me. Thank you for such a good contents.

@iandonohue7257 11 месяцев назад

hey katie! thank you for your content you are really helping - i have one question - why is my google nexus 6 different from the demonstration? i have slightly different apps and cannot access - even after GApps? i had to go into network internet>internet>androidwifi> the little pencil in the top right of the box> roggle the advanced options carrot

@wolfrevokcats7890 5 месяцев назад

Hi Kathy, appreciate if you could make videos about Magisk, frida, objection, to bypass root detection & SSL pinning

@cyrexplays5031 3 года назад

My ooxe extension not displaying on burp suite. But other extensions are displaying. What's the problem??

@bagasrizki973 3 года назад

Yesss mobile app hunting, thanks Katie!

@matthiasgarrett669 2 года назад

instablaster...

@billapatigoutham6066 3 года назад

Thank you so much for sharing 👍

@khushmanvar9038 3 года назад

Thank you madam. These content is really helpful!

@InsiderPhD 3 года назад

Aww thank you so much, I’m glad it helped you!

@sy-gamer9556 3 года назад

hi katie wnted to ask i want to do both on ios and android bug bounty so is it necessary to have a mac for ios or an iphone is ok

@Haidderispro 2 года назад

I have an iPhone but can’t jailbreak it maybe because my iOS version or because it’s an iPhone 12. So thinking about doing this instead for bug hunting. Is there way to use burp with iPhone without jail breaking?

@gyangaha109 2 года назад

Can't intercept native mobile app like facebook. But able to intercept via browser. Tried SSLUnpinning with Xposed Installer but still can't intercept native facebook app traffic. Can somebody help? thanks

@_clavita 3 года назад

thanks this video helped me setting my mobile env :)

@sandeepsingh87 3 года назад

After downloading, Genymotion is stuck at starting virtual device, does anyone have any idea how to solve it?

@ggmaxx66 3 года назад

anyone know why you cannot configure manual proxy settings in android os ver 7.0 and above? 6.0 os instructions don't work and the manual says to open a wifi edit button which is not there. blogs have said this was changed for os 7.0 and above.

@ggmaxx66 3 года назад

here's why ==> to set manual proxy for android 0s 7 and above => hit advanced options WITHOUT entering a password. this will open the advanced options tab ( three days later ) *whew*

@xdmotivation 3 года назад

Full respect

@DictionaryMath5903 3 года назад

Just discovered your channel. Love your work! I'm about to sign up but I just want to clarify - are you tied to a single bug bounty platform? Just asking because from what I understand, different platforms can cater to different regions/industries.

@InsiderPhD 3 года назад

Nope you can hunt on any platform I’m on Bugcrowd, HackerOne and Intigriti

@DictionaryMath5903 3 года назад

@@InsiderPhD that's great. thank you!

@albonycal 3 года назад

Yes!! New video 🎉

@InsiderPhD 3 года назад

🎉

@savirsuda 3 года назад

Thanks for this video :)

@AjayKumar-xl4jc 3 года назад

Woow this is a another useful and interesting video thanks

@InsiderPhD 3 года назад

Glad you think so!

@abhhibirdawade9657 3 года назад

Katie your amazing !!

@InsiderPhD 3 года назад

Thanks so much

@James-dt6xv 3 года назад

hi katie first of all a big thanks for your great videos, I've learned a lot from them :) but sadly I have a problem with setting up the burp to intercept the apps data :( I first tried to use genymotion but it didn't work because it just fails while installing Gapps so I used memu instead then installed the burp cert and it captures data while using browser but for apps it just returns TLS errors in dashboard (the client failed to negotiate a TLS connection to ...) I don't know what to do, please help me I really want to start android hacking :(

@erickguzman1406 2 года назад

Already tried with another device on Genymotion?

@wardellcastles 3 года назад

Katie.. thanks for the vid. Basic question though. Since the same APIs are used by both Web and Mobile version of an App, what's the purpose of testing APIs on a mobile emulator vs the web version of the App?

@InsiderPhD 3 года назад

So sometimes the mobile app uses a different API (usually to batch requests because of signal issues), also a website may not actually use an API but a mobile app has to.

@wardellcastles 3 года назад

@@InsiderPhD Makes sense. I have so much to learn. You are a treasure.

@InsiderPhD 3 года назад

That's was a great question! I will include it in the next video!

@Mersal-uj5nh 3 года назад

I was thinking the same but you asked it 💞🙏

@bugbountyvideo 3 года назад

Awesome katie

@Stas1983ful 3 года назад

I have't modify network when click to WiredSSID

@anujkumarpatel2686 3 года назад

great content you are the best

@nixsonblackstone7900 3 года назад

You're the best katie

@yoshi5113 3 года назад

hi Katie, have you ever used BRIDA? I hope you can demo it on your RU-vid channel, because I think this tools will be great ..

@InsiderPhD 3 года назад

No I will definitely check it out!

@karthikkarthik-kf6bb 3 года назад

But the android version is 5 right? So some apps won't be installed for testing ...

@aryankushwaha4261 3 года назад

Love watching your videos...........!!!!!! 💓💓💓💓💓💓💓💓💓💓💓💓

@jakariaislamshanto1217 3 года назад

Man you are getting better .

@InsiderPhD 3 года назад

Thank you for this comment :) I'm trying new things with my content and trying to push myself out of my comfort zone so it means a lot to know my improvement is noted!

@AjayKumar-xl4jc 3 года назад

No man she is girl

@jakariaislamshanto1217 3 года назад

@@AjayKumar-xl4jcMan : a member of the species Homo sapiens or all the members of this species collectively, without regard to sex:

@talishgarg1151 3 года назад

Amazing! Could you make a video on Frida too as there is very little content for that online

@InsiderPhD 3 года назад

For sure! I want to cover FRIDA with a focus on bug hunting which I think is really lacking in general! But I need to learn FRIDA first :)

@saranshsrivastav9743 3 года назад

Thanks katie the video was amazing but I didn't understand the part in the end where you said google apps doesn't provide ssl bypass so why does yahoo have ssl bypass ? and in this way why don't other companies can do just like google so that no one can attack their application

@InsiderPhD 3 года назад

The emulator version has it turned off for everything but Google apps, basically. But physical devices do have SSL pinning. If you want to test a physical device you need to bypass the SSL pinning. Also, it doesn't stop people from attacking an application but helps reduce MITM attacks which tend to be more common for mobile devices, think fake "free wifi" which is actually used to find credentials.

@saranshsrivastav9743 3 года назад

@@InsiderPhD got it thanks again you are amazing

@MRIDULSG 3 года назад

If you want to work with frida then I recommend using Runtime Mobile Security Framework which has a webui to run scripts and easy to setup

@InsiderPhD 3 года назад

Thanks for the tip!

@learnlylearnaboutmanything7112 3 года назад

Excellent explaination 😃😃

@InsiderPhD 3 года назад

Thank you! 😃 I hope you learn many things :)

@learnlylearnaboutmanything7112 3 года назад

@@InsiderPhD yep I did , looking forward for next video 😃😄

@mageshsal1015 3 года назад

Wow cool, tysm ❤️❤️

@himanshu4316 3 года назад

Thank you!! Good intro video on android PT.

@InsiderPhD 3 года назад

Aww thank you! I'm definitely going to cover some more stuff like RE and Frida for both Android + iOS later on

@himanshu4316 3 года назад

Oh yes!! I'm eagerly waiting for that.. I started my career in PT majorly on Android PT. Currently in Incident Response field.. Was looking to start BB in Android field since not many do it as you mentioned. .. This video refreshed my good ol memories!!! Cheers..

@InsiderPhD 3 года назад

Nice! Android bb is a great place at the moment, lots of resources available but still few people hacking, there's a ton of low hanging fruit in android apps!

@assanendiaye6279 2 года назад

Hello guys I want to clone my phone one genymotion is that possible? Literally, I want to virtualize my phone.

@James-mb5xt 3 года назад

Hey !! What about SSL Pinning ?? Any idea about this ?? I lost my whole damn week but didnt find any solution to intercept APPLICATION traffic ..

@InsiderPhD 3 года назад

SSL pinning is definitely an issue, I’m sorry I didn’t cover it, I’ll update this video ASAP :)

@James-mb5xt 3 года назад

@@InsiderPhD Please

@babay-mp4bq 3 года назад

Hello,is it illegal if i use free license of genymotion for bug bounty hunting ?

@sandeepsingh87 3 года назад

did you find the answer, is it illegal?

@chad4634 3 года назад

Thx Zo Usefull

@TomcatGoesBr 3 года назад

you re LEGEND !

@InsiderPhD 3 года назад

Thank you soo much!

@anujkumarpatel2686 3 года назад

katie you are awesome

@shopflicker 3 года назад

we need more video for android bug bounty

@DEADCODE_ Год назад

I registered by your link

@atNguyen-gm6cf 2 года назад

Cảm ơn bạn mong bạn ra nhiều video về testing android . Tôi là sinh viên an toàn thông tin đến từ Việt Nam

@historymystery4915 2 года назад

Oh god thank u so muchhh ...u saved my like u saved d world for mee u n angelll lol thankkk u so muchh hahha !!!

@kmunikrishnareddy7471 3 года назад

Can i use burp in my mobile phone without a pc?

@Log.Rhythm 5 месяцев назад

No, but you can with Caido

@asadmehar3632 3 года назад

Please make more videos into Android bug hunting

@InsiderPhD 3 года назад

FRIDA is coming next!

@danielmaina4817 3 года назад

U explain things so well .wish u were my lecturer 😅😅

@InsiderPhD 3 года назад

I am your online lecturer! :D

@danielmaina4817 3 года назад

@@InsiderPhD very true .. you videos help me to my first bug.. though it was duplicate... U do great work

@InsiderPhD 3 года назад

That's AWESOME congrats! Finding your first bug means you got the skills to find bugs 100%, but you just weren't quick enough this time, but you'll get much quicker as you learn more!

@danielmaina4817 3 года назад

@@InsiderPhD thanks alot...

@AmitChauhan-sp1cw 3 года назад

Can I use physical device ? Will it make some difference

@InsiderPhD 3 года назад

I included instructions for a physical device in the description it’s a little harder to get setup as you need to disable ssl pinning

@pianodotexe3852 3 года назад

Mam How go fetch newly added subdomains in a particular program !!!!

@InsiderPhD 3 года назад

Coming in 2 weeks going to go over subdomain enum + amass :D

@InsiderPhD 3 года назад

2 months* sorry!

@pianodotexe3852 3 года назад

@@InsiderPhD Thanks for you reply ♥️ Sublist3r vs knockpy vs chaospy vs subjack vs HostileSubBruteforcer

@pianodotexe3852 3 года назад

@@InsiderPhD it's ok mam Quality contents take time☺️🤞

@joshgordon7299 3 года назад

You're awesome

@akmutik6259 3 года назад

That's not bypassing ssl pining You just installed certificate if the app encrypts the network internally you cannot intercept it through burp

@InsiderPhD 3 года назад

No it’s not :)

@anujkumarpatel2686 3 года назад

can please anyone explain what is an endpoint i am kinda confuse

@InsiderPhD 3 года назад

Endpoint is just a URL which exists, so www.youtube.com is an endpoint but www.youtube.com/watch isn't cause it redirects to the home screen cause it doesn't exist

@anujkumarpatel2686 3 года назад

@@InsiderPhD thanks katie much love to you

@prob_here 3 года назад

Where is time stamps

@RAVIJATAV007 3 года назад

🦋

@sudosuraj Год назад

next : ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-aQGbYfalRTA.html

@girishpadia6449 3 года назад

Please make a video on Frida.

@InsiderPhD 3 года назад

Definitely coming!

@lukeempty3386 Год назад

This doesn't really work anymore on more up to date android stuff. Burp certificate need to be installed in the system section and not user, this guy has a few videos you can use to set it up using android studio ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Jg4hyZfFTdc.html