Automated Android penetration testing environment for Arch Linux.
- Arch Linux with `yay`
- 20GB+ free disk space
- `burp.der` (Burp certificate in DER format)
```bash
# Install
git clone https://github.com/yourusername/Android-PT-Setup.git
cd Android-PT-Setup
bash setup.sh

# Uninstall
bash uninstall.sh

# Launch an emulator
A10    # Launch Android 10 (rooted + Burp cert)
A14PR  # Launch Android 14 (rooted with Magisk)
```

- Android SDK (platform-tools, cmdline-tools, emulator)
- AVDs: A10 (API 29), A14PR (API 34)
- Pentest tools: frida-tools, objection, apkleaks
- Magisk + rootAVD
| Script | Description |
|---|---|
| `setup.sh` | Full installation |
| `uninstall.sh` | Remove everything |
| `rootAVD.sh <AVD>` | Root AVD / install Burp cert |
| `HWKeys.sh <AVD>` | Enable hardware keyboard |
| `Tools-downloader.sh` | Download SDK + Magisk |
- Export Burp cert as `burp.der`
- Place in project directory before running `setup.sh`
- Certificate installs automatically on A10
```
~/android_sdk/    # SDK and tools
~/.android/avd/   # AVD configs
```
A10:

- Uses `google_apis` image (no Play Store, easier to root)
- Runs with `-writable-system` flag for system modifications
- Burp certificate is installed directly to `/system/etc/security/cacerts/`
- AVB (Android Verified Boot) is disabled for persistence
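
Android looks up system CA certificates in `/system/etc/security/cacerts/` by file name, `<subject_hash_old>.0`, so `burp.der` has to be PEM-encoded and renamed before it is placed there. The script below is an added example, not one of this project's scripts: it computes that name in pure Python (the same value `openssl x509 -subject_hash_old` prints), and its function names and output directory are assumptions.

```python
import hashlib
import os
import ssl
import sys


def _read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length


def subject_der(cert):
    """Return the raw DER bytes of the subject Name of an X.509 certificate."""
    tag, pos, _ = _read_tlv(cert, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not DER (is this a PEM file?)")
    _, pos, _ = _read_tlv(cert, pos)        # step into tbsCertificate
    tag, _, end = _read_tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _ in range(4):                      # serial, signature alg, issuer, validity
        _, _, pos = _read_tlv(cert, pos)
    _, _, end = _read_tlv(cert, pos)        # subject Name
    return cert[pos:end]


def android_cacert_name(cert):
    """File name Android expects: first 4 MD5 bytes of the subject, little-endian."""
    digest = hashlib.md5(subject_der(cert)).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")


def convert(der_path, out_dir="."):
    """Write the certificate as PEM under its <hash>.0 name; return the path."""
    with open(der_path, "rb") as f:
        cert = f.read()
    out_path = os.path.join(out_dir, android_cacert_name(cert))
    with open(out_path, "w") as f:
        f.write(ssl.DER_cert_to_PEM_cert(cert))
    return out_path


if __name__ == "__main__" and len(sys.argv) > 1:
    print(convert(sys.argv[1]))  # e.g. python cacert_name.py burp.der
```

If the certificate is present in the cacerts directory but HTTPS interception still fails, comparing the file name on the emulator against this output is a quick first check.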
A14PR:

- Uses `google_apis_playstore` image (includes Play Store)
- Rooted via Magisk using rootAVD
- Magisk patches the `ramdisk.img` for root access
- System remains unmodified (systemless root)
| Tool | Purpose |
|---|---|
| frida-tools | Dynamic instrumentation for app analysis |
| objection | Runtime mobile exploration using Frida |
| apkleaks | Scan APKs for URIs, endpoints, and secrets |
| adb | Android Debug Bridge for device communication |
| Magisk | Systemless root and module framework |
Added to `~/.zshrc`:

```bash
export ANDROID_HOME=$HOME/android_sdk
export PATH="$HOME/android_sdk/cmdline-tools/latest/bin:$PATH"
export PATH="$HOME/android_sdk/platform-tools:$PATH"
export PATH="$HOME/android_sdk/emulator:$PATH"
```