# Dynamic Analysis with Waydroid
#### System I worked with
I was using debian13, kde and AMD to test this setup
The process should be similar if you are using ubuntu or any other debian-based systems
Make sure you are using **Wayland**, otherwise Waydroid won't fit in such case
#### Tools
These are the tools we will be working with:
* Waydroid
* frida
* adb
* Caido
* waydroid-script
* apk-mitm (optional)
## Start Here
I made this cuz there's not too much resources out there, at least for Waydroid related setup for testing android apps
I hit so many dead ends, and some will work and some won't for whatever reason. My head hurts just from dealing with frida, and that's why I made this guide so you don't have to go down the same path as I did
This guide doesn't include all possible scenarios. It's mostly for my own reference, so you'll have to check the dependencies and stuff
### Waydroid
* Source: \
This will be our android emulator (technically it’s a container, but for the sake of simplicity, we’ll put it that way at least for now)
```bash
curl -s https://repo.waydroid.id | sudo bash
sudo apt install waydroid -y
```
Start the application and select minimal (both works, but this is enough and less restrictions)
Now head to the settings and search "About Phone", scroll to the very bottom, then click on the **Build number** 7 times, this should enable developer mode\
`NOTE: If you see the rooted debugging, turn it on`
Now search for usb debugging and wireless debugging, these should be under the developer category. Turn those on. Because Waydroid emulates a USB connection over a specialized driver, so adb treats it as a USB device
Btw this is how you turn off Waydroid in terminal:
```bash
waydroid session stop
```
### adb
This tool is a must for android app testing, follow these commands:
```bash
sudo apt install adb lzip -y
```
**Finding device and connection**
Here, we will connect adb to our Waydroid, and first we need its IP addr:
```bash
ip addr waydroid0
[...]
inet 192.168.240.1/24 brd 192.168.240.255 scope global waydroid0
[...]
adb connect 192.168.240.1 # if you can't connect it try 192.168.240.2:5555 and so on
adb devices
List of devices attached
192.168.240.1:5555 device
```
Now if those won't work, try this:
```bash
sudo waydroid shell ip addr show eth0
net 192.168.240.112/24 brd 192.168.240.255 scope global eth0
valid_lft forever preferred_lft forever
adb connect 192.168.240.112
```
This essentially tells you what it's running on, if you can't connect to the port 5555, consider this step:
```bash
sudo waydroid shell
:/ # setprop service.adb.tcp.port 5555
:/ # stop adbd
:/ # start adbd
:/ # exit
```
This step is to force Waydroid to run on port 5555
### waydroid-script
* Source: \
We will use waydroid\_script to help us to download magisk and other tools you might find handy later on
```shellscript
git clone https://github.com/casualsnek/waydroid_script
cd waydroid_script
python3 -m venv venv
venv/bin/app install -r requirements.txt
sudo venv/bin/python3 main.py
```
Choose android 13 then check **libndk** and **magisk**
After that, Waydroid will reboot and you will able to see the magisk installed
**`NOTE: Open magisk and go to "Superuser" session, make sure the [SharedUID] Shell is on, that way we can root the device`**
**Verify rooted device**
Use these command to check if you rooted the device
```bash
adb shell
(waydroid shell)
su
whoami
root
```
### frida
* Source:
(MAKE SURE YOU ROOTED THE DEVICE TO CONTINUE)\
Virtual env here is a must:
```bash
sudo apt install python3-pip python3-venv -y
python3 -m venv ~/myVenv
source ~/myVenv/bin/activate
# at this point you are in virtual env shell
pip install frida-tools
frida --version
17.7.3
```
Once get the version, go to the frida release page:
And download the `frida-server--android-x86_64.xz` (you should match the version)
Now follow these commands:
```bash
mv frida-server-17.7.3-android-x86_64 frida-server
adb push frida-server /data/local/tmp
adb shell "su -c 'chmod +x /data/local/tmp/frida-server'"
adb shell "su -c 'nohup /data/local/tmp/frida-server > /dev/null 2>&1 &'"
```
The command is essentially running the `frida-server` in the backgroud
After that use this command on your virtual env shell:
```bash
frida-ps -U
PID Name
---- ----------------------------------------------------------------
1100 Clock
1345 Contacts
2254 Files
1723 Magisk Delta
[...]
```
The command returns what processes are currently running on Waydroid, if you can't see it list out or get an error message, make sure the version is corresponding
## CA to Waydroid
Make sure your application is installed, if not follow the next step:
#### **Install application to Waydroid**
I will use Aurora store as an example here:
```bash
adb install AuroraStore-nightly.apk
Success
```
If you get a **xapk** file, rename the extension to **zip** file and then unzip it (expect to see few more apk files) and run the command:
```bash
adb install-multiple base.apk config.*.apk ...
Success
```
Sometimes, base.apk will be the name of the application, and doesn't include things like icon or manifest.json files
**`NOTE: This works for Split APKs. BUT doesn't work for XAPKs that contain OBB files, if it has an Android/obb folder inside, the command will likely fail or not launch. In such case I recommend using an installer tool or manually pushing the OBB file to /sdcard/Android/obb/package.name/`**
### Caido CA (or any other proxy CA)
To see the traffic, we'll need to get the certificate into the System store, we will use one of the magisk module to do so:
* Source: (Just grab the latest one)
**Push cert to waydroid**
Now, push both your Caido certificate (should be `.crt` or `.der`) and the magisk module to Waydroid:
```bash
adb push caido.crt /sdcard/
adb push AlwaysTrustUserCerts.zip /sdcard/
```
#### **Install via Android Settings**
1. Now, on Waydroid, head to **Settings > Security > Encryption & Credentials > Install a certificate > CA Certificate**
2. And just click "install anyway"
3. Find where your cert is and select it
4. You can name it Caido or whatever
For now, it's a **User** certificate, which means the apps won't trust it yet, and here's where the magisk module comes into play:
#### **Move cert to System**
1. Open Magisk app on Waydroid
2. Go to the **Modules** tab (bottom right piece of puzzle icon)
3. Click "Install from storage"
4. Locate the `AlwaysTrustUserCerts.zip` file and select it
5. Once it flashes, hit Reboot
After that, check if it worked:
Go to **Settings > Security > Trusted Credentials > System** and scroll down until you find **Caido** (or whatever you named it)
On your Caido you will likely see traffic start flooding through your HTTP history, that means it worked!
**`NOTE: Your Caido must listen on 0.0.0.0:8080. Since Waydroid runs in a container, it can't access the localhost (127.0.0.1). Changing it to 0.0.0.0 allows Waydroid interface to connect to Caido`**
#### **Final step for CA**
The most important part is to include a cert in `/data/local/tmp/`named `cert-der.crt`
```bash
cp caido.crt cert-der.crt
adb push cert-der.crt /data/local/tmp
adb shell "su -c 'chmod 644 /data/local/tmp/cert-der.crt'"
```
We will name this because the script: `pcipolloni/universal-android-ssl-pinning-bypass-with-frida` will look for that file name
## SSL Pinning
Here, we will use frida, so bear with me\
If you haven't started the server yet, run this command:
```bash
adb shell "su -c 'nohup /data/local/tmp/frida-server > /dev/null 2>&1 &'"
```
Now make sure it's running:
```bash
frida-ps -U
[list of processes...]
```
### SSL pinning bypass
```bash
frida -U -f --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida
```
If this failed, you can try finding it's PID:
```bash
frida-ps -U | grep -i
2922
frida -U -p 2922 --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida
[WayDroid x86 64 Device::PID::2567 ]->
[.] Cert Pinning Bypass/Re-Pinning
[+] Loading our CA...
[o] Our CA Info: CN=Caido, O=Caido, ST=QC, C=CA
[+] Creating a KeyStore for our CA...
[+] Creating a TrustManager that trusts the CA in our KeyStore...
[+] Our TrustManager is ready...
[+] Hijacking SSLContext methods now...
[-] Waiting for the app to invoke SSLContext.init()...
[o] App invoked javax.net.ssl.SSLContext.init...
[+] SSLContext initialized with our custom TrustManager!
```
You should expect it to work properly, if not, the application might as well detect frida thus blocking it :(
**`NOTE: The -f flag often fails on Waydroid when the target app is ARM-based application and running through binary translation. In such case, launching the app in advance and using -p flag is the way to do it`**
Move on to the next step if none of those worked
### **apk-mitm**
* Source:
`Heads up: you don't have to download any tools it mentioned, this tool will do that for you automatically`
And what we can do is to try another tool called `apk-mitm` if you can't get the frida thing working:
```shellscript
sudo apt install nodejs npm
sudo npm install -g apk-mitm
```
You should have your apk or xapk file ready:
```shellscript
apk-mitm app.xapk
```
This will go through some process and we will able to (hopefully) get traffic on your proxy of choice:
```bash
adb install app.apk
```
Check on your Waydroid and see if it's properly installed, and now you should be good to go
And that's the end of the whole setup, I hope you learned something from this guide, and again I can't cover all possible scenarios, anyways, good luck on your hunt!
Feel free to reach out via discord or Twitter, any opinions are welcomed ;)
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://vix-w1zzer.gitbook.io/vixwizzer/notes/android-applications/dynamic-analysis-with-waydroid.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.