██████╗ ██╗ █████╗ ██████╗
██╔══██╗██║ ██╔══██╗██╔══██╗
███████║██║ ███████║██████╔╝
██╔══██║██║ ██╔══██║██╔══██╗
██║ ██║███████╗██║ ██║██████╔╝
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚═════╝
Zero-Studio Android pentest lab. One command. Rooted. Pinned-cert-bypassed. Burp-piped.
developed by hits · built by human + AI (Opus 4.6)
alab boots a rooted Pixel 6 emulator (Android 13, API 33), pushes frida-server, installs the Burp CA as a system certificate, routes all device traffic through Burp on the host (10.0.2.2:8080, the emulator's alias for the host's loopback address), and gives you a clean CLI to install, decompile and intercept any APK, without Android Studio, Genymotion or VMware.
```
$ alab start
[*] Starting Pixel6_API33_root...
[+] Emulator PID: 88421
[*] Waiting for device to boot...
[+] Device booted.
[*] Enabling root...
[+] Root: uid=0
[+] Proxy → Burp 10.0.2.2:8080
[+] Zygisk ON · DenyList ON
[+] Ready. Run alab screen to mirror display.
```

- One-command bring-up — `alab start` boots, roots, proxies, zygisks
- 🎯 Hunt mode — `alab hunt com.x.y` runs APK pull → jadx → apkleaks → manifest → exported components → REPORT.md, fully automated
- 🩺 Doctor — `alab doctor` validates KVM, SDK, frida version sync, the Burp listener and every tool, printing the exact remediation command for each failed check
- 🔄 Frida-sync — `alab frida-sync` auto-downloads the `frida-server` build that matches your host frida-tools version and the device ABI
- System-cert Burp install — Burp's CA lands in the system trust store, so apps that distrust user-added CAs (the default for targetSdk ≥ 24) still accept Burp's TLS certificates; no per-app network-security-config patching needed
- Magisk + Zygisk + DenyList — pre-wired for root-detection bypass
- Full bypass bundle — `alab unpin-full <pkg>` chains the SSL, root and RASP bypasses in one Frida load
- APK toolchain — jadx, apktool, dex2jar, apkleaks, androguard (handles split APKs)
- Frida 17.2.14 — host tools + server binary pinned to the same version
- CLI agent ready — drop-in configs for Claude Code & Gemini CLI
- Cross-platform — Linux, macOS (Apple Silicon + Intel), Windows (WSL2 + native)
- Tab completion — bash/zsh; tab-completes installed packages live from the device
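The version-sync check that the Doctor and Frida-sync items describe, as an added Python example written for this README (alab itself implements this in shell; this is not its code). It assumes it is handed the raw text of `frida --version` on the host, of `frida-server --version` on the device (empty when no server has been pushed yet) and of `adb shell getprop ro.product.cpu.abi`; the asset name `frida-server-<version>-android-<arch>.xz` follows the naming on Frida's GitHub releases page, and the remediation commands are the generic push sequence, not alab's own.

```python
"""Frida host/device version sync, in the style of `alab doctor` / `alab frida-sync`.

Added example for this README, not alab's code. The host `frida` package and the
device's frida-server must be compatible (alab pins both to one release, and this
check insists on an exact match), so the helper parses both versions, maps the
device ABI to the architecture name Frida uses for its release assets and, on a
mismatch, builds the download URL plus the push commands a user would run.
Inputs are raw command outputs; nothing here invokes adb.
"""
import re
from typing import Dict, Optional, Tuple

# ro.product.cpu.abi value -> architecture suffix in frida-server release assets.
ABI_TO_FRIDA_ARCH: Dict[str, str] = {
    "arm64-v8a": "arm64",     # Apple Silicon hosts run an arm64-v8a system image
    "armeabi-v7a": "arm",
    "armeabi": "arm",
    "x86_64": "x86_64",       # the usual Linux/Intel emulator image
    "x86": "x86",
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(output: str) -> Optional[Tuple[int, int, int]]:
    """First x.y.z triple in `frida --version` / `frida-server --version` output.
    None for empty output (no server pushed) or anything unparsable."""
    m = _VERSION_RE.search(output or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def version_str(v: Tuple[int, int, int]) -> str:
    return ".".join(str(p) for p in v)


def frida_arch(abi_output: str) -> str:
    """Map getprop output (trailing newline and all) to Frida's arch name."""
    abi = (abi_output or "").strip()
    try:
        return ABI_TO_FRIDA_ARCH[abi]
    except KeyError:
        raise ValueError(f"unsupported device ABI {abi!r}; expected one of {sorted(ABI_TO_FRIDA_ARCH)}")


def server_asset(version: Tuple[int, int, int], abi_output: str) -> str:
    """Release asset name, e.g. frida-server-17.2.14-android-arm64.xz."""
    return f"frida-server-{version_str(version)}-android-{frida_arch(abi_output)}.xz"


def release_url(version: Tuple[int, int, int], abi_output: str) -> str:
    return (f"https://github.com/frida/frida/releases/download/"
            f"{version_str(version)}/{server_asset(version, abi_output)}")


def sync_check(host_output: str, device_output: str, abi_output: str) -> Dict[str, object]:
    """Doctor-style verdict: ok flag, both versions, remediation commands on failure."""
    host = parse_version(host_output)
    if host is None:
        return {"ok": False, "host": None, "device": None,
                "remediation": ["pip install --upgrade frida-tools   # host frida missing or unparsable"]}
    device = parse_version(device_output)
    if device == host:
        return {"ok": True, "host": host, "device": device, "remediation": []}
    url = release_url(host, abi_output)
    remediation = [
        f"curl -L {url} | xz -d > frida-server",
        "adb push frida-server /data/local/tmp/frida-server",
        "adb shell chmod 755 /data/local/tmp/frida-server",
        "adb shell 'su -c \"/data/local/tmp/frida-server -D\"'",
    ]
    return {"ok": False, "host": host, "device": device, "remediation": remediation}


if __name__ == "__main__":
    # Constructed command outputs standing in for the real frida/adb calls.
    result = sync_check("17.2.14\n", "16.7.19\n", "arm64-v8a\n")
    print("frida sync:", "OK" if result["ok"] else "MISMATCH")
    for cmd in result["remediation"]:
        print("   ", cmd)
```

Run it as-is to see the mismatch path; in a real doctor loop the three strings come from `subprocess.run([...], capture_output=True, text=True).stdout`.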
Linux:

```bash
git clone https://github.com/hits313/alab.git ~/tools/android-lab
cd ~/tools/android-lab && chmod +x start-lab.sh
# Follow §2 in docs/ALAB-INSTALL.md for SDK + AVD setup
echo "alias alab='bash ~/tools/android-lab/start-lab.sh'" >> ~/.zshrc && source ~/.zshrc
```

macOS:

```bash
brew install openjdk@17 python@3.11 wget android-platform-tools scrcpy
git clone https://github.com/hits313/alab.git ~/tools/android-lab
# Follow §3 in docs/ALAB-INSTALL.md (note: arm64-v8a sysimg on Apple Silicon)
```

Windows:

WSL2 (recommended): `wsl --install -d Ubuntu-22.04`, then follow the Linux flow inside WSL.
Native: see §4 in docs/ALAB-INSTALL.md (winget + Git Bash).

📄 Full install guide: docs/ALAB-INSTALL.md · docs/ALAB-Framework-Guide.pdf
| Phase | Command | What it does |
|---|---|---|
| Boot | `alab start` | Boot AVD, auto-root, proxy on, zygisk on |
| Boot | `alab setup` | Full chain: root + frida + burp-cert + proxy |
| Boot | `alab status` | Device · root · magisk · frida · proxy |
| Health | `alab doctor` | Env health check: KVM / SDK / frida sync / Burp |
| Health | `alab version` | alab + frida + magisk + AVD versions |
| Frida | `alab frida` | Push + start frida-server |
| Frida | `alab frida-sync` | Auto-grab frida-server matching host tools |
| Intercept | `alab burp-cert` | Install Burp CA as system cert + reboot |
| Intercept | `alab proxy-on` / `alab proxy-off` | Toggle Burp proxy |
| Intercept | `alab certs` | List trusted CAs + Burp cert status |
| Unpin | `alab unpin com.bank.app` | objection SSL unpin |
| Unpin | `alab unpin-frida com.bank.app` | Frida multi-stack SSL unpin |
| Unpin | `alab unpin-full com.bank.app` | SSL + root + RASP (chained) |
| APK | `alab install app.apk [splits...]` | `install -r` / `install-multiple` |
| APK | `alab pull-apk com.x.y` | Pull APK (handles splits) |
| APK | `alab decompile app.apk` | jadx → /tmp/jadx-<name>/ |
| APK | `alab strings app.apk` | apkleaks: secrets + endpoints |
| APK | `alab manifest app.apk` | Dump AndroidManifest.xml |
| APK | `alab grep <pkg> <regex>` | grep decompiled sources |
| Hunt | `alab hunt com.x.y` | Auto recon → REPORT.md at ~/hunt// |
| Device | `alab logcat com.x.y` | Filtered live logcat |
| Device | `alab pull-data com.x.y` | Pull /data/data/<pkg> |
| Device | `alab snapshot {save\|load\|list}` | AVD state snapshots |
| Magisk | `alab denylist-add com.x.y` | Hide root from package |
Run alab with no args for the full menu.
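What the `alab strings` (apkleaks) and `alab grep` steps look for, as an added Python example written for this README (alab itself shells out to apkleaks and grep; this is neither project's code). The sources are passed in as a `{path: text}` dict so the sweep runs on the constructed Java snippets below without an APK; for real use, walk `/tmp/jadx-<name>/` and read each `.java` and `.smali` file into that dict. The patterns are a small subset of what apkleaks ships, and the key values in the sample are made up.

```python
"""Secrets-and-endpoints sweep over decompiled sources, in the spirit of
`alab strings` (apkleaks) and `alab grep`. Added example for this README,
not alab's or apkleaks' code. Sources are {path: text}; the sample below is
constructed, including the (fake) key material.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Order matters: specific kinds first, so a Firebase URL is reported as
# "firebase_db" rather than as a generic endpoint, and http:// is split out
# because cleartext endpoints are a finding in their own right.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google_api_key",    re.compile(r"\bAIza[A-Za-z0-9_\-]{35}\b")),
    ("jwt",               re.compile(r"\beyJ[A-Za-z0-9_\-]{8,}\.eyJ[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{8,}\b")),
    ("firebase_db",       re.compile(r"https://[a-z0-9\-]+\.firebaseio\.com[^\s\"'<>]*")),
    ("cleartext_url",     re.compile(r"http://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")),
    ("url",               re.compile(r"https://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")),
]
# Hosts every decompiled app references (XML namespaces); noise, not findings.
IGNORE_HOSTS = ("schemas.android.com", "www.w3.org", "xmlpull.org")
URL_KINDS = ("firebase_db", "cleartext_url", "url")


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    path: str
    line: int


def _matches(line: str) -> Iterator[Tuple[str, str]]:
    """Yield (kind, value) per hit; a span claimed by an earlier, more specific
    pattern is not re-reported by the generic URL patterns."""
    claimed: List[Tuple[int, int]] = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(line):
            s, e = m.span()
            if any(s < ce and e > cs for cs, ce in claimed):
                continue
            claimed.append((s, e))
            yield kind, m.group(0)


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Walk sources in path order; each (kind, value) is reported once, where first seen."""
    seen = set()
    findings: List[Finding] = []
    for path in sorted(sources):
        for lineno, line in enumerate(sources[path].splitlines(), 1):
            for kind, value in _matches(line):
                if kind in URL_KINDS and any(h in value for h in IGNORE_HOSTS):
                    continue
                if (kind, value) in seen:
                    continue
                seen.add((kind, value))
                findings.append(Finding(kind, value, path, lineno))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed stand-in for jadx output. Keys and hosts are invented.
SAMPLE_SOURCES = {
    "com/example/bank/net/ApiClient.java": '''package com.example.bank.net;
public class ApiClient {
    static final String BASE = "https://api.example-bank.test/v2/";
    static final String LEGACY = "http://legacy.example-bank.test/login";  // cleartext
    static final String FB = "https://example-bank-prod.firebaseio.com/users.json";
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";
}
''',
    "com/example/bank/Config.java": '''package com.example.bank;
public class Config {
    public static final String MAPS_KEY = "AIzaSyD-ExampleExampleExampleExampleExa";
    public static final String AWS_KEY = "AKIAEXAMPLEEXAMPLE01";
    public static final String DEBUG_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abcdefghij";
    public static final String BASE = "https://api.example-bank.test/v2/";  // same as ApiClient.BASE
}
''',
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.kind:18} {f.path}:{f.line}  {f.value}")
    print(summarize(scan_sources(SAMPLE_SOURCES)))
```

Two design points carry over to a real sweep: dedupe by value rather than by line (the same base URL appears in dozens of generated classes), and keep cleartext `http://` endpoints as a separate kind, since on the lab device they show up in Burp unencrypted regardless of pinning.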
A curated bundle ships under frida-scripts/ — production-quality bypasses for both Android and iOS. Each script credits its upstream sources inline.
Android (frida-scripts/android/):

| Script | What it bypasses |
|---|---|
| `root-bypass.js` | RootBeer · su binary · Magisk paths · build tags · SafetyNet basic |
| `rasp-bypass.js` | Anti-debug · anti-emulator · anti-Frida · anti-Xposed · ptrace · self-kill |
| `ssl-multi-unpin.js` | OkHttp3/4 · Conscrypt · TrustKit · NSC (Network Security Config pins) · React-Native · Cordova · Cronet |
| `biometric-bypass.js` | BiometricPrompt · FingerprintManager forced-success |
| `webview-debug.js` | Force setWebContentsDebuggingEnabled(true) for chrome://inspect |

iOS (frida-scripts/ios/):

| Script | What it bypasses |
|---|---|
| `jailbreak-bypass.js` | File/URL-scheme/fork/dyld/IOSSecuritySuite JB checks |
| `ssl-bypass.js` | BoringSSL · SecTrustEvaluate · AFNetworking · TrustKit |
| `anti-frida-bypass.js` | sysctl P_TRACED · port 27042 · dyld frida-* cloak |
```bash
alab unpin com.bank.app               # objection one-liner
bash unpin.sh com.bank.app full       # Android: SSL + root + RASP
bash unpin.sh com.bank.ios ios-full   # iOS: JB + SSL + anti-Frida
```

Or chain manually with Frida (`-f` spawns the app, so the root and RASP hooks are in place before its first detection check runs):

```bash
frida -U -f com.target.app \
  -l frida-scripts/android/root-bypass.js \
  -l frida-scripts/android/rasp-bypass.js \
  -l frida-scripts/android/ssl-multi-unpin.js \
  --no-pause
```

See frida-scripts/README.md for the full inventory and credits.
These scripts adapt techniques from the following public projects. Star their repos — that's where the research lives.
| Project | Source |
|---|---|
| iddoeldor / frida-snippets | https://github.com/iddoeldor/frida-snippets |
| httptoolkit / frida-interception-and-unpinning | https://github.com/httptoolkit/frida-interception-and-unpinning |
| sensepost / objection | https://github.com/sensepost/objection |
| WithSecureLabs / android-keystore-audit | https://github.com/WithSecureLabs/android-keystore-audit |
| dki / ios10-ssl-bypass | https://codeshare.frida.re/@dki/ios10-ssl-bypass/ |
| nabla-c0d3 / ssl-kill-switch2 | https://github.com/nabla-c0d3/ssl-kill-switch2 |
| Areizen / iOS-Jailbreak-Detection-Bypass | https://github.com/Areizen/iOS-Jailbreak-Detection-Bypass |
| r0ysue / AndroidSecurityStudy | https://github.com/r0ysue/AndroidSecurityStudy |
| Ch0pin / medusa | https://github.com/Ch0pin/medusa |
| Areizen / Android-Application-Pentest-Roadmap | https://github.com/Areizen/Android-Application-Pentest-Roadmap |
| Frida Codeshare community | https://codeshare.frida.re |
Patterns drawn from the projects above retain their original licenses (MIT / Apache-2.0 / Frida-codeshare terms). Original alab code is MIT.
Both Claude Code and Gemini CLI can drive alab end-to-end. Sample prompt:

```
Boot the lab, install /tmp/target.apk, decompile it with jadx, list all exported activities, start frida-server, hook all java.net.URL constructors, and capture traffic through Burp.
```

The agent sequences alab commands, parses decompiled output, writes Frida hooks, and drops findings into ~/hunt/<target>/. Pre-grant permissions via .claude/settings.json (see §7 in the install guide).
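The "list all exported activities" step above, and the "manifest → exported components" stage of `alab hunt`, come down to applying Android's `android:exported` rules to the decoded manifest. The following is an added Python example written for this README (not alab's code, which does this in shell). It assumes it is given the XML text that `alab manifest` dumps, i.e. the apktool/jadx-decoded manifest rather than the binary AXML inside the APK; the sample manifest, package name and component names are constructed.

```python
"""Exported-component triage from a decoded AndroidManifest.xml.

Added example for this README, not alab's own code. Rules applied are Android
platform behaviour, not alab-specific:
  * android:exported="true"/"false" is authoritative.
  * Without the attribute, an activity/service/receiver that has an
    <intent-filter> is exported on targetSdk < 31. On API 31+ the platform
    refuses to install such a manifest, so those components are not listed.
  * A <provider> without the attribute is exported only on targetSdk < 17.
  * android:permission does not un-export a component; it is reported so the
    reader can judge whether that permission is actually hard to obtain.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _a(el: ET.Element, name: str) -> Optional[str]:
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


@dataclass
class ExportedComponent:
    kind: str
    name: str
    reason: str
    permission: Optional[str]
    actions: Tuple[str, ...]


def _target_sdk(root: ET.Element) -> int:
    """targetSdkVersion, falling back to minSdkVersion, then 1, as the platform does."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    for attr in ("targetSdkVersion", "minSdkVersion"):
        raw = _a(uses_sdk, attr)
        if raw and raw.isdigit():
            return int(raw)
    return 1


def exported_components(manifest_xml: str, target_sdk: Optional[int] = None) -> List[ExportedComponent]:
    root = ET.fromstring(manifest_xml)
    package = root.get("package") or ""
    if target_sdk is None:
        target_sdk = _target_sdk(root)
    app = root.find("application")
    found: List[ExportedComponent] = []
    if app is None:
        return found
    for el in app:
        if el.tag not in COMPONENT_TAGS:
            continue
        name = _a(el, "name") or ""
        if name.startswith("."):               # shorthand relative to the package
            name = package + name
        has_filter = el.find("intent-filter") is not None
        declared = _a(el, "exported")
        if declared is not None:
            if declared.lower() != "true":
                continue
            reason = 'android:exported="true"'
        elif el.tag == "provider":
            if target_sdk >= 17:
                continue
            reason = f"provider default on targetSdk {target_sdk} (< 17)"
        elif has_filter:
            if target_sdk >= 31:
                continue                        # install-time error on API 31+
            reason = f"implicit via <intent-filter> on targetSdk {target_sdk} (< 31)"
        else:
            continue
        actions = tuple(n for n in (_a(x, "name") for x in el.iter("action")) if n)
        found.append(ExportedComponent(el.tag, name, reason, _a(el, "permission"), actions))
    return found


def render_report(components: List[ExportedComponent]) -> str:
    """Markdown table in the style of a hunt REPORT.md section."""
    lines = ["| Kind | Component | Why exported | Permission | Actions |", "|---|---|---|---|---|"]
    for c in components:
        lines.append(f"| {c.kind} | {c.name} | {c.reason} | {c.permission or '-'} | {', '.join(c.actions) or '-'} |")
    return "\n".join(lines)


# Constructed manifest: one of each outcome the rules above distinguish.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
    <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
    <application android:label="Bank">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <data android:scheme="bank"/>
            </intent-filter>
        </activity>
        <activity android:name=".InternalActivity"/>
        <activity android:name="com.example.bank.DebugActivity" android:exported="true"
                  android:permission="com.example.bank.permission.DEBUG"/>
        <service android:name=".SyncService" android:exported="false">
            <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
        </service>
        <receiver android:name=".PushReceiver">
            <intent-filter><action android:name="com.google.android.c2dm.intent.RECEIVE"/></intent-filter>
        </receiver>
        <provider android:name=".FileProvider" android:authorities="com.example.bank.files"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print(render_report(exported_components(SAMPLE_MANIFEST)))
```

Passing `target_sdk=` explicitly is useful when auditing what an app would expose on an older target than it declares today, which is the usual story behind a deep-link activity that was never meant to be public.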
| Component | Version |
|---|---|
| AVD | Pixel 6 · Android 13 · API 33 · google_apis |
| Emulator accel | KVM (Linux) · HVF (macOS) · Hyper-V (Windows) |
| Frida | 17.2.14 host + server |
| objection | latest |
| jadx | 1.5.0 |
| dex2jar | v2.4 |
| apktool | 2.5.0 |
| Magisk | v28.1 + Zygisk + DenyList |
| Burp | Community / Pro (system-cert install) |
alab/
├── start-lab.sh # main dispatcher (the `alab` command)
├── unpin.sh # SSL/RASP/root unpin wrapper
├── magisk-root.sh # Magisk install helper
├── CHANGELOG.md
├── completions/
│ └── alab.bash # bash/zsh tab completion
├── frida-scripts/
│ ├── README.md
│ ├── android/ # root-bypass, rasp-bypass, ssl-multi-unpin, biometric, webview
│ ├── ios/ # jailbreak-bypass, ssl-bypass, anti-frida-bypass
│ └── universal-ssl-unpin.js
├── docs/
│ ├── ALAB-INSTALL.md # full install + ops guide
│ └── ALAB-Framework-Guide.pdf
├── LICENSE
└── README.md
alab is for authorized security testing only — bug bounty programs (BBP) you are in-scope on, your own apps, CTF challenges, or penetration tests with written permission. Do not use this framework against systems you do not have authorization to test. The author is not responsible for misuse.
MIT — see LICENSE.