Creating Rooted AVD in Android Studio
For a security enthusiast, a rooted android device is essential to perform dynamic assessments of android applications. They either rely on a physical device, or a virtual device. The disadvantage of going for a physical device is the cost it incurs, the malfunctioning you may cause when rooting the device if a step goes wrong, or worse, leaving your device non-functional / bricked. A bricked device essentially means that the device will not function at all, unless remediating measures are taken, i.e., flashing Android ROM (which in my experience is very tedious process, which may or may not yield desired results).
To avoid issues like these, it is recommended to have a virtual device. Unlike a physical device, you can create a device to your liking and desired test cases, varying RAM and storage, varying operating systems, and architectural styles of these android devices.
While Genymotion is the most favored emulator the community prefers, Android Studio does not come with a pre-rooted Android Virtual Device (AVD). Seeing Genymotion rooted AVD made me think if it was possible to root AVD in Android Studio in Ubuntu, and that was the motivation behind creation of this blog.
Disclaimer: For this post, I’m using Ubuntu OS ver. 18.04. You can run the same in a virtual machine, provided your virtual machine supports nested virtualization. To have that enabled, you need to make sure to enable Intel VT-x support in your virtualization application, otherwise, you cannot run Genymotion / Android Studio in a VM. It should look something like this in VMWare
Installation process of Android Studio remains identical across all flavours of Linux, except few minor differences. I’m skipping the explanation of the same, since it is an easy process and there are plenty other blogs that explain it.
Most of the resources that I used and the steps that I’ll be performing for Android AVD rooting have been taken from https://github.com/0xFireball/root_avd/. However, the persistence of the rooting procedure may / may not be there in subsequent restarts, and I’ll explain to have a persistent, rooted AVD at your disposal.
- Ubuntu 18.04: You can choose any operating system. However, I’m using Ubuntu Linux 18.04.4 LTS, hence I’ll be explaining the process on Ubuntu. The process, however, remains mostly unchanged on other distributions.
- Android Studio: While creating this post, I have Android Studio version 4.0
- Android command-line tools: Upon installation of Android Studio, your $HOME directory will contain an Android folder that contains various tools such as Android Debug Bridge (adb), Emulator management tool (emulator), and others. This would be required since we do not want to launch our AVD from Android Studio every time and we would like to install Android Packages, aka APKs, in our AVD.
- Applications: For this blog, I’m using the following applications to be installed in my AVD:
a. Superuser — Application that allows privileged (su) access in Android. Download.
b. Drozer agent — Drozer should be installed in host machine, i.e., Ubuntu in my case. Download.
c. Frida-server binary — The binary should be selected as per the architecture of AVD and version of Frida installed. At this point, I have 12.9.4 installed. Download.
d. Xposed Framework — Framework for modules that can change the behavior of system and applications without touching any APK. Download
e. Inspeckage — A tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. Download
f. Any root checker application. Download.
g. The main component — SU binary. Depending upon the architecture you are going to use for the AVD, you need to select the correct one from the GitHub repository .
- Launch Android Studio and select “Start a new Android Studio project”
- For this post, I’m going for “No activity” option, since I do not require any code.
- Give any name to your project, and click on Finish
- Once your new project loads, click on “AVD Manager”.
- A new window pops up. This window is the Android Virtual Device Manager console where you can create a new AVD. Click on “Create virtual device”.
- You’ll be asked to configure your AVD, such as selecting some predefined hardware/form factor of the device or create a new hardware / form factor profile. Right now, I’m going for a Pixel 3 profile, however, you can choose any profile as per your liking. Once selected, click “Next”.
- Next, you’ll be asked to choose an image for your AVD. This step is important since you want to select the desired architecture (x86 / x86–64), as well as the desired operating system. On the Github page, the author has mentioned using a 7.1.1 x86 development image having Google APIs. The reason simply being the installation of the “Google Play” image (aka stock ROM) does not allow spawning a root shell on the virtual device when we issue the “adb root” command. This is because, by design, the adb root command works in development builds only. Alternatively, if you want to run a stock image, you can enable “Developer Options” and perform certain actions, as mentioned in the link. For now, I’ll go with an x86 image of Android 7.1.1 having Google APIs
- Provide a name to the AVD you are creating
- Since it’s a virtual device you are creating you can modify certain characteristics of the AVD such as RAM, Storage, processor count, and SD card (if you want to assign the same). I’m providing 4 cores, 2GB RAM, 4GB storage, and 0.5GB SD Card. Once done, click “Finish”.
- Your virtual device is ready. You can close Android Studio since it’s no longer required. From now, you can launch your AVD from the command line. To start your AVD, issue the following command:
emulator -avd testAVD 11. Here testAVD is the name of the device I assigned at the point of creation AVD Rooting :- Now that my AVD is working, we can start the process of rooting it. I’ll turn off my AVD and start it again with the following command
emulator -avd testAVD -writable-system -selinux disabled -qemu -enable-kvm emulator -avd testAVD -writable-system
The -writable-system switch ensures that whatever changes we are making in the /system folder of AVDs, it is persistent through reboots. This can also be seen as a warning message sent by emulator My suggestion is to create an alias of the command like this:
I’ve kept all my APKs along with frida-server and su binary in Downloads folder. Installing APKs is easy. Simply use the following command:
adb install <apk2>.apk
Using this, we’ll install some APKs
Before proceeding further, I must inform that the image that I chose was an x86 Android image, hence I have downloaded the su binary from the following link:
Kindly proceed with caution and download the correct su binary as per the architecture you have chosen to create your AVD.
Once you download the correct su binary, the following commands are to be executed on a new terminal window to enable root access and install su binary:
adb root && adb remount
adb push su /system/xbin/suadb shell chmod 06755 /system/xbin/su
adb shell su --install
adb shell su --daemon&
adb shell setenforce 0
Once you complete all these steps, go to your AVD and open the SuperUser application. It will prompt you to update the su binary. This shows that we were successfully able to root our AVD.
once you click on Continue, it will prompt you to update the binary either via the TWRP method or the Normal method. Select the Normal method.
Click on OK and proceed ahead. In case you get a prompt of update failure, click on continue and then check your root status with the root checker application. It should still show you that root access is working fine.
It may happen that once the su binary is updated, you would be tempted to reboot your device. But do not perform that action. All changes done for rooting may revert back and the device shall not boot up. Instead, create a snapshot of the working device from the Extended controls option
And that’s it. Whenever you want to have a clean AVD which has all your applications installed, along with working root, simply perform the following actions:
1. Launch the emulator: $HOME/Android/Sdk/emulator/emulator -avd testAVD -writable-system -selinux disabled -qemu -enable-kvm 2. Restore the saved snapshot 3. Run the following commands: a. adb root && adb remount b. adb shell su --daemon&
In the next blog, I’ll show how to configure applications such as Drozer, Frida, Inspeckage, etc.