# AVD - Android Virtual Device
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
Thank you very much to [**@offsecjay**](https://twitter.com/offsecjay) for his help while creating this content.
## What is
Android Studio allows to **run virtual machines of Android that you can use to test APKs**. In order to use them you will need:
* The **Android SDK tools** - [Download here](https://developer.android.com/studio/releases/sdk-tools).
* Or **Android Studio** (with Android SDK tools) - [Download here](https://developer.android.com/studio).
In Windows (in my case) **after installing Android Studio** I had the **SDK Tools installed in**: `C:\Users\\AppData\Local\Android\Sdk\tools`
In mac you can **download the SDK tools** and have them in the PATH running:
```bash
brew tap homebrew/cask
brew install --cask android-sdk
```
Or from **Android Studio GUI** as indicated in which will install them in `~/Library/Android/sdk/cmdline-tools/latest/bin/` and `~/Library/Android/sdk/platform-tools/` and `~/Library/Android/sdk/emulator/`
For the Java problems:
```java
export JAVA_HOME=/Applications/Android\ Studio.app/Contents/jbr/Contents/Home
```
## GUI
### Prepare Virtual Machine
If you installed Android Studio, you can just open the main project view and access: ***Tools*** --> ***AVD Manager.***
Then, click on ***Create Virtual Device***
***select** the phone you want to use* and click on ***Next.***
{% hint style="warning" %}
If you need a phone with Play Store installed select one with the Play Store icon on it!
{% endhint %}
In the current view you are going to be able to **select and download the Android image** that the phone is going to run:
So, select it and if it isn't downloaded click on the ***Download*** symbol next to the name (**now wait until the image is downloaded).**\
Once the image is downloaded, just select **`Next`** and **`Finish`**.
The virtual machine will be created. Now **every time that you access AVD manager it will be present**.
### Run Virtual Machine
In order to **run** it just press the ***Start button***.
## Command Line tool
First of all you need to **decide which phone you want to use**, in order to see the list of possible phones execute:
```
C:\Users\\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list device
d: 0 or "automotive_1024p_landscape"
Name: Automotive (1024p landscape)
OEM : Google
Tag : android-automotive-playstore
---------
id: 1 or "Galaxy Nexus"
Name: Galaxy Nexus
OEM : Google
---------
id: 2 or "desktop_large"
Name: Large Desktop
OEM : Google
Tag : android-desktop
---------
id: 3 or "desktop_medium"
Name: Medium Desktop
OEM : Google
Tag : android-desktop
---------
id: 4 or "Nexus 10"
Name: Nexus 10
OEM : Google
[...]
```
Once you have decide the name of the device you want to use, you need to **decide which Android image you want to run in this device.**\
You can list all the options using `sdkmanager`:
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat --list
```
And **download** the one (or all) you want to use with:
{% code overflow="wrap" %}
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat "platforms;android-28" "system-images;android-28;google_apis;x86_64"
```
{% endcode %}
Once you have downloaded the Android image you want to use you can **list all the downloaded Android images** with:
```
C:\Users\\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list target
----------
id: 1 or "android-28"
Name: Android API 28
Type: Platform
API level: 28
Revision: 6
----------
id: 2 or "android-29"
Name: Android API 29
Type: Platform
API level: 29
Revision: 4
```
At this moment you have decided the device you want to use and you have downloaded the Android image, so **you can create the virtual machine using**:
{% code overflow="wrap" %}
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat -v create avd -k "system-images;android-28;google_apis;x86_64" -n "AVD9" -d "Nexus 5X"
```
{% endcode %}
In the last command **I created a VM named** "*AVD9*" using the **device** "*Nexus 5X*" and the **Android image** "*system-images;android-28;google\_apis;x86\_64*".\
Now you can **list the virtual machines** you have created with:
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list avd
Name: AVD9
Device: Nexus 5X (Google)
Path: C:\Users\cpolo\.android\avd\AVD9.avd
Target: Google APIs (Google Inc.)
Based on: Android API 28 Tag/ABI: google_apis/x86_64
The following Android Virtual Devices could not be loaded:
Name: Pixel_2_API_27
Path: C:\Users\cpolo\.android\avd\Pixel_2_API_27_1.avd
Error: Google pixel_2 no longer exists as a device
```
### Run Virtual Machine
We have already seen how you can list the created virtual machines, but **you can also list them using**:
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -list-avds
AVD9
Pixel_2_API_27
```
You can simply **run any virtual machine created** using:
{% code overflow="wrap" %}
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -avd "VirtualMachineName"
C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9"
```
{% endcode %}
Or using more advance options you can run a virtual machine like:
{% code overflow="wrap" %}
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```
{% endcode %}
### Command line options
However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
**Boot**
* `-snapshot name` : Start VM snapshot
* `-snapshot-list -snapstorage ~/.android/avd/Nexus_5X_API_23.avd/snapshots-test.img` : List all the snapshots recorded
**Network**
* `-dns-server 192.0.2.0, 192.0.2.255` : Allow to indicate comma separated the DNS servers to the VM.
* **`-http-proxy 192.168.1.12:8080`** : Allow to indicate an HTTP proxy to use (very useful to capture the traffic using Burp)
* `-port 5556` : Set the TCP port number that's used for the console and adb.
* `-ports 5556,5559` : Set the TCP ports used for the console and adb.
* **`-tcpdump /path/dumpfile.cap`** : Capture all the traffic in a file
**System**
* `-selinux {disabled|permissive}` : Set the Security-Enhanced Linux security module to either disabled or permissive mode on a Linux operating system.
* `-timezone Europe/Paris` : Set the timezone for the virtual device
* `-screen {touch(default)|multi-touch|o-touch}` : Set emulated touch screen mode.
* **`-writable-system`** : Use this option to have a writable system image during your emulation session. You will need also to run `adb root; adb remount`. This is very useful to install a new certificate in the system.
## Rooting a Play Store device
If you downloaded a device with Play Store you are not going to be able to get root directly, and you will get this error message
```
$ adb root
adbd cannot run as root in production builds
```
Using [rootAVD](https://github.com/newbit1/rootAVD) with [Magisk](https://github.com/topjohnwu/Magisk) I was able to root it (follow for example [**this video**](https://www.youtube.com/watch?v=Wk0ixxmkzAI) **or** [**this one**](https://www.youtube.com/watch?v=qQicUW0svB8)).
## Install Burp Certificate
Check the following page to learn how to install a custom CA cert:
{% content-ref url="/pages/92u0An582zxLRvlJO7gk" %}
[Install Burp Certificate](/hacktricks/mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
{% endcontent-ref %}
## Nice AVD Options
### Take a Snapshot
You can **use the GUI** to take a snapshot of the VM at any time:
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://angelica.gitbook.io/hacktricks/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.