How to Extract an Android .apk with Genymotion:
**If you already have an .apk file you want to test –> check out our Mobile Security Framework or Drozer tutorials.**
Why would I want to extract an .apk file when I can download one online?
Well, there are a number of security reasons, starting with the fact that you should not trust and click on every download link that says it contains the file you want. Then there is being a systematic, consistent, and thorough penetration tester. This tutorial will prepare your environment not only to dynamically test a mobile application (using the Burp proxy with Genymotion) but also to statically test the SAME .apk file through other means.
First things first: you will need an .ipa or .apk file. For those of you who are new to mobile application testing, these are just the files that store applications.
For the most part:
.ipa –> Apple iOS
.apk –> Android/Play Store
When testing iOS devices and extracting the application's .ipa file, you must jailbreak a device in order to get the version of the application that has been installed onto the iPad/iPhone you are trying to test. I will update this article with a link once a newer jailbreak is released and I have a few minutes to demonstrate that process.
For today we will do a quick run-through of how to extract an Android .apk with the Genymotion Virtual Device Emulator.
*****Update on Genymotion 2.10.0+*****
Genymotion 2.10.0+ just became Geny 2.0 in my opinion. All you do is download Genymotion, add a new virtual machine, and then in the top right-hand corner you will see a GApps icon. (This tutorial used to be 3x as long!)
Click the icon, accept the agreement, and install. Once the install is complete, power down the device, exit out of it, and then start it all the way back up and, Pachow, the Play Store will be sitting right there ready to use.
**Having issues with your specific application working on Geny?**
Now it has come to my attention that at times some applications do not appear to function correctly on the Android emulators (they will not download from the Play Store due to compatibility issues). This is where application side loading comes into play. What side loading means is that you will:
- Go to a site like apkmirror.com (they are run by Android Police, and are my go-to trusted source for .apk files) and get your application. The cool part is that you will be able to drag and drop this .apk file into Genymotion.
- First you must download the ARM-Translation Package and install it by dragging the downloaded zip file into your virtual Android device (reboot afterwards). Then click and drag your .apk package into your Genymotion device.
- Restart it manually or by typing adb reboot (to learn how to install ADB, see our Drozer Setup Tutorial).
First things first when going to get your Android .apk file: hop on your mobile device or Genymotion Android device and download ES File Explorer and the application you will be testing from the Google Play Store.
Once you pull up ES Explorer, click on Apps, find the application you want the .apk file for, press and hold the application, and click back-up.
The backed-up application is saved at /sdcard/backups/apps/. As we traverse ES Explorer to that location, we can see that we have successfully created an .apk file for the desired application.
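Since the point of extracting is to run static and dynamic tests against the SAME file, it helps to fingerprint the backup once it is on your workstation and to check which native ABIs it ships, which is what decides whether the ARM-Translation Package is needed. The script below is an added example, not part of the original tutorial; the function names and the constructed sample file are hypothetical, and it assumes the emulator image is x86.

```python
import hashlib
import zipfile

def inspect_apk(path):
    """Fingerprint an extracted APK and summarise what is inside it."""
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)
    if not zipfile.is_zipfile(path):
        raise ValueError(f"{path} is not a ZIP container, so it is not an APK")
    with zipfile.ZipFile(path) as apk:
        names = apk.namelist()
        corrupt = apk.testzip()  # first entry with a bad CRC, or None
    # Native code lives under lib/<abi>/. Assumption: the emulator is x86, so
    # an ARM-only set of libraries needs the ARM translation package to run.
    abis = sorted({n.split("/")[1] for n in names
                   if n.startswith("lib/") and n.count("/") >= 2})
    arm_only = bool(abis) and all(a.startswith("arm") for a in abis)
    return {
        "sha256": sha256.hexdigest(),  # record this; reuse it for every tool
        "has_manifest": "AndroidManifest.xml" in names,
        "dex_files": sorted(n for n in names
                            if n.startswith("classes") and n.endswith(".dex")),
        # JAR-style (v1) signature blocks; may be absent on newer signing schemes
        "v1_signature_files": sorted(n for n in names
                                     if n.startswith("META-INF/") and
                                     n.upper().endswith((".RSA", ".DSA", ".EC"))),
        "native_abis": abis,
        "needs_arm_translation": arm_only,
        "corrupt_entry": corrupt,
    }

def build_sample_apk(path):
    """Write a constructed, APK-shaped ZIP (placeholder contents) for the demo."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("META-INF/CERT.RSA", b"placeholder")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")

if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "sample.apk")
    build_sample_apk(sample)
    for key, value in inspect_apk(sample).items():
        print(f"{key}: {value}")
```

Run it against the file copied from /sdcard/backups/apps/ and compare the SHA-256 again before each later test, so you know the copy in Drive/Dropbox is still the one you extracted.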
Throw this file into your Google Drive/Dropbox account and do what you wish with it! What I personally recommend is that you:
- Use a proxy like Burp and manually test this mobile application in Genymotion.
- Take a look into Mobile Security Framework to get a better idea of how this application is built and its functionality while analyzing its source code.
- Dig into the specific attack surfaces available by using Drozer.
- Set up a dynamic analysis environment using Burp Suite.
Have fun, learn lots, and hack on.
Cyber Incision Out.