Skip to content

Android Application Security Testing with OWASP Zap on Linux

When it comes to bug bounties a lot of the web applications that are in scope are already under heavy reconnaissance by a large number of Bug Bounty hunters. So how do you get ahead of the pack, and get those sweet Bounties? Applications running on Android are not hunted as much due to the extra layer of complexity on getting it set up. So how do you get set up? Lets jump into the world of Android Application Security Testing with OWASP Zap.

OWASP Zap is a fantastic piece of opensource tooling that is great for the Bug Bounty Hunter. I have a number of guides on getting started with it. Take a look.

If, like me, you are visual person, I also prepared a video.

Software Set Up

Before you get started with Android Application Testing we need to get all the pieces together and do some configuration. Lets get started.

Operating System

I am running my set up on Ubuntu LTS Linux (22.04). Any modern Linux distribution should work fine.

Android Studio

You need to create a virtual environment to run the Android Virtual Device (avd). And Android Studio is perfect for this. So it’s pretty straight forward to install. You just download, extract and run it. However this is not a guide on how to install Android Studio. But it is very straight forward to do so.

Note: Android Studio also installs the Android Development Kit (Sdk) into your home drive. So it will it go into the directory ~/Android/Sdk/. It gives you an option during the initial setup if you want to change this location. For the rest of this post I will assume you didn’t change this location, as its required later on.


You will need Zap installed. I have already covered the installation of Zap over on an other post. You will find it here. Once installed come right back here.

Android Debug Bridge

The Android Debug Bridge or “adb” for short, is the tool we use on the command line to interact with our Android Virtual Device (avd)

This can be installed with the below commands

sudo apt update
sudo apt install adb

Create an Android Virtual Device

Once Android Studio is installed, proceed to launch it. You should be presented with a window like the below.

Android Application Testing
Android Studio

You will want to create a new Android Virtual Device (avd). So click on the “Create virtual device” link.

New Virtual Device

This is the stage where you have to pick the hardware you want to emulate in your AVD. I picked the Pixel 5 as it was an older model, which was less resource hungry, and would work fine on my PC. Go ahead and click Next

Android Security Testing  OWASP Zap
Pick your Android

Now the version of Android has to be selected. I chose an older version of Android as I wasn’t testing Android, only the apps. So far it has worked great on my virtual environment.


  • The next button will not allow you to proceed until you download the version of Android you will use. Just click the little downward arrow beside the Version and it will start. Then you can continue and hit next.
  • Do not pick any combination that will install the “Google play store”. This version is locked down and will produce an error when you try to make the /system folder writable later on.
Naming your System

On this screen you can choose a name. Although it is supported, avoid putting spaces into the name of the AVD. It can cause some extra effort when using the command line later. Click the “Finish” button to complete the install.

Now its time to head on over to the command line and start our next layer of configuration.

Rooting the avd

The Android virtual device needs to be rooted, why? Because we need to install the CA cert from OWASP proxy as System Trusted cert and not just a user added Cert. There is a big difference and you can only do it on a device where there is read/write access on the /system folder.

The “emulator” command

The “emulator” command is installed as part of the Android SDK and should be (if you kept the default when you launched Android Studio), installed into ~/Android/Sdk. It is used to manage (start/stop) the AVD from the command line.

Using the terminal, browse to the folder ~/Android/Sdk.

cd ~/Android/Sdk
Android Security Testing  OWASP Zap
Android SDK Folder

Tip: When using the “emulator” command, always stay in this directory. However, you can configure all your PATH environment variables, but I didn’t see a need to.

If you would like to do this, the below should work

export PATH=$PATH:$HOME/Android/Sdk/platform-tools
export PATH=$PATH:$HOME/Android/Sdk/emulator

So first run the command so that you can see it’s working.

Android SDK

The “emulator” command can list all the available Android Virtual Devices.

./emulator/emulator -list-avds
list available AVD

Here you can see the Android Virtual Device we created earlier.

Starting up the AVD

The avd can be started with the emulator command.

./emulator/emulator -avd apptest101 -writable-system

Lets take a look at the options.

-avdThe Android Virtual Device we will work with
-writable-systemBy default the /system folder is read only. We need to be able to modify this in order to add our Zap CA file.
emulator Options

Run the command to see the AVD start up.

Android Application Testing
Android AVD

You should be able to see your virtual Android phone on your desktop and you can interact with it using your mouse.

The “adb” command

The mouse is not the only way to interact with this virtual device. There is also a command called adb (Android Debug Bridge) that allows you to interact with it via the command line. Running the below “devices” option will show available Android Devices that we can interact with.

adb devices
available devices

As there is only one device running we don’t have to select a device. This can be tested by getting a command shell on the AVD.

adb shell
adb shell

You can quite with the exit command

Android Security Testing  OWASP Zap
To Quit

Make “/system” writable

To add the CA cert for OWASP zap we need to make the /system folder writable. Since Android 7 (nougat) Trusted System CA Certificates are a bit harder to add and applications will ignore user added ones by default. We can get around this by adding the zap CA cert as one of the Trusted System Certificates and this can only be done on a device where “/system” is writable. So lets do it.

From the command line make sure all “adb” commands are run as root.

adb root
adb as root

Now disable the “Android Verified Boot (AVB)“.

Tip: If you do not do this step, the AVD will become unbootable.

adb shell avbctl disable-verification
Disable Boot Verification

Now disable the dm-verity checking on USERDEBUG builds.

Tip: If you do not do this step the “remount” option for adb will fail.

adb disable-verity
Disable Berity

Tip: If the previous two steps are not done the reboot will fail and you will need to restart from the beginning.

Now reboot the device.

adb reboot
Reboot the AVD

All going well and you followed the instructions, the device should reboot. This can take a few minutes.

Once the Android Virtual Device is back, run the “adb root” command again. This ensures our commands are run a the “root” user.

adb root
adb as root

And finally a remount command.

adb remount

The “remount” option to adb will remount the file system containing the /system folder as read/write and we can proceed with adding the CA cert as a system Trusted Certificate later.

Adding the User CA Certificate

Once “/system” is ready for writing, its time to add our CA Certificate from zap. First open the Zaps option page, and go to Server Certificates in the Network section.

Android Security Testing  OWASP Zap
Zap CA Certificate

Click the save button an put it some where you can find later. I put it into the /tmp/cert/ directory and called it “owasp_zap_root_ca.cer”.

Save the Cert.

The “adb push” command can be used to upload the CA Certificate onto the Virtual Android device.

adb push /tmp/cert/owasp_zap_root_ca.cer /sdcard/Download
Upload the CA Certificate
Upload the CA Certificate

At this stage we have to go onto the Virtual Android Device and add the Cert via the Graphic Interface.

Open the “Settings” menu and go to the “Security” Section.

Android Security Testing  OWASP Zap
Security Settings

Then onto the “Encryption & credentials” menu. Open the “Install a certificate” menu and then select “CA certificate”

Then pick the the cert we uploaded earlier. It will be in your Download folder. There might be a warning but install it anyway.

Update Proxy Settings on the Android Virtual Device

Now there is a user certificate loaded we can test if its working. On the AVD you will find the settings menu under the three dots.

Options for the Virtual Device

Go to the Network section and set your Proxy to be the same as in OWASP Zap.

Proxy Settings

In Zap you can find this information under “Tools, Options, Network, Local Servers/Proxy” section.

Zap Proxy settings

Make sure the ports are the same.

Testing the user uploaded Certificate

Testing the certificates is as easy as launching the browser and testing you can go to websites and that they are being captured in the Zap history window.

As you can see in the screen shot below, was captured perfectly.

Android Security Testing  OWASP Zap
Working as expected

However good this is for web browsers, it will not work for applications. Google restricted user uploaded CA certs so they will not work with applications. Lucky we have a way around this.

Making Apps Trust the OWASP Zap CA certificate

Since we previously have made the “/” file system read/write in our AVD we can just copy the cert we uploaded to a location that Android stores its system Trusted certs. When we added our user CA Certificate earlier on, Android changed the name of it. We need to find this file and copy it to right place.

The below command will pull the folder with all the user uploaded CA Certificates into our current working directory.

adb pull /data/misc/user/0/cacerts-added/
The user uploaded CA Certificates

In the directory “cacerts-added/” we can find the cert we uploaded, which was renamed to “73ca5096.0”

We can just copy this file into the directory “/system/etc/security/cacerts/”

adb push 73ca5096.0 /system/etc/security/cacerts/73ca5096.0
Push our new file

At this stage are nearly done, and all that is left is testing that its all working.

Android Application Security Testing with Zap

What better way to confirm that the Android Application Security testing is ready ,than just installing an app and watching it progress in the Zap history window. We can use the f-droid application to test with. Download it somewhere local and you can install it with adb.

adb install ./F-Droid.apk
Install F-Droid

This will install F-Droid is

Its installed

Now Launch the app.

Android Security Testing  OWASP Zap
Zap History

Straight away in the history section of Zap you can now see all https/http traffic of the application we just launched in our Android Virtual Device.

Wrap Up

This concludes this long write up on Android Application Security Testing with OWASP Zap. I hope you got some value out of it and please some a comment below or look me up on Twitter.


Published inBug BountyCTFGetting Started With CTF ChallengesIT & SecurityLinux