Android emulation

For emulating Android devices, you can use Android Studio. You can create virtual devices there, but do not launch the emulator from the UI (functionalities are limited if you do this). Use emulator.exe from the command line instead.

Devices with Google Play services are not rooted. You cannot add certificates (to system CA store) or do anything which requires root permissions. You can, however, not install apps from Google Play store on devices without Google Play services. You can use the APKPure store which mirrors apps from Google Play.

Starting the virtual device

Android Studio installs an emulator.exe into C:\Users\{user}\AppData\Local\Android\Sdk\emulator\.

You can list your available (already created) devices using:

> .\emulator.exe -list-avds
Pixel_3a_API_33
Pixel_3a_XL_API_33

Start your device using:

.\emulator.exe -avd Pixel_3a_XL_API_33 -writable-system -http-proxy 127.0.0.1:8080

Install user certificate

1. Export CA from Burp
2. Push certificate to device: .\adb.exe push "cacert.der" "/sdcard/Download/cacert.der"
3. Import via settings
4. Chrome now trusts this certificate
5. Most other apps don't

Install system certificate (works until Android 14 / API level 34)

1. Use adb root to escalate privileges
2. adb remount, adb reboot
3. adb root
4. ...and adb shell to get a shell
5. Remount system for r/w permissions: mount -o rw,remount /system
6. Copy your certificate file
   • Source: /data/misc/user/0/cacerts-added/ or /data/misc/keychain/cacerts-added
   • Destination: /system/etc/security/cacerts
7. If your app respects the system proxy and system certificates, you are done now.
   • Some apps (e.g., created with Flutter) don't respect the system certificate.

Install system certificate on newer API levels

See pwlin’s notes, but we haven’t tried it yet.

Pull an APK from a phone with Google Play

1. Check if your emulated device is recognized by adb: .\adb.exe devices
2. Get the package name of the app: .\adb.exe shell pm list packages
3. Get the location of the APK files: .\adb.exe shell pm path com.your.app
4. Pull the APK files from the phone
   • .\adb.exe pull /data/app/~~nwih7hvni7lEqdx1mZcyqw==/com.your-app-sirLqnpMMFiaoIFpF1F6lA==/split_config.en.apk .
   • If there are multiple files, you can use: adb shell pm path com.your.app | sed 's/package://g' | xargs -L 1 adb pull

Install the APK on the rooted device

.\adb.exe install-multiple base.apk split_config.en.apk split_config.x86_64.apk split_config.xxhdpi.apk