Many would argue that the best way to perform mobile application penetration testing on Android is physically connecting a bunch of Android smartphones to a PC or Mac and debugging them. This combination does offer a plethora of control options for pentesting and, for many testing scenarios, a degree of swiftness you can’t get from typical Android emulators. If you don’t have access to multiple devices, Android Studio’s built-in Android Virtual Device (AVD) has typically been the go-to for such testing jobs. Rooting the AVD is possible and it integrates perfectly with the debuggers, so everything works out of the box. But if you’re running Windows 11 and you want to dip your toes into Android app pentesting, you can easily do so without relying on emulators or VMs, courtesy of Windows Subsystem for Android (WSA).
According to Michael Higgo from Orange Cyberdefense, one could potentially use WSA for Android security testing in the same manner as on a physical Android device. Higgo, who is the Lead Security Analyst at SensePost, recently published a short blog post with some general details on how to conduct Android application security testing on WSA. When it comes to assessing the security posture of an Android application, utilizing a runtime mobile exploration toolkit like Objection in conjunction with Windows Subsystem for Android makes the job quite streamlined for a security researcher.
The Android subsystem of Windows 11 is powered by the same technology that makes the second generation of Windows Subsystem for Linux a reality. Thanks to the seamless Hyper-V-assisted virtualization, WSA is significantly faster than any other Android emulator out there. Moreover, you can sideload apps on WSA, or even modify the underlying system image in order to install Play Store and other Google apps. In a nutshell, it totally makes sense to use Windows Subsystem for Android as a uniform and reproducible pentesting platform.
If you’re into traffic interception, then you’ll be happy to know that Higgo’s article covers that angle as well. After installing a launcher in WSA, one can access the network settings section of the Android layer. Next, you can install a certificate authority and set up a custom proxy to intercept the traffic using web vulnerability scanner tools like Burp Suite.
To learn more about Android security testing using WSA, take a look at Michael Higgo’s blog post. Whether you’re a professional security researcher or you simply want to tinker with Windows Subsystem for Android, this is a great way to explore the world of penetration testing on Android applications.