Tuesday, May 29, 2012

Setting up GoatDroid properly

GoatDroid is a vulnerable android application for mobile security enthusiasts to learn & practice. I used to face a lot of challenges using GoatDroid. Most of the times I had no clue as to what went wrong in my installation, which is giving me a particular error. This makes me write a blog documenting the correct steps for proper functioning of this application.

Most of the errors I got included "Something Weird Happened", "An unexpected error has occured", "Login Failed", "Unable to Register" and Blank/No error. So here are the steps to follow for a proper setup (ofcourse you will be using QuickStartGuide)-

  • Make sure your MySQL database is properly set, with Login Name as "goatboy", Password as "goatdroid" and Limit Connectivity to Hosts Matching "localhost". Also "goatboy" needs to have insert, delete, update, select on fourgoats database.
  • When you run the jar file first time, point the SDK Path to the SDK installation (....\android-sdk in Windows) and Virtual Devices Path to the avd directory (C:\Documents and Settings\<current-user>\.android\avd)
  • Once your application is well installed in the emulator, you need to get the "Destination Info" correct. You can use as the Destination IP with 8888 as the port number (Webservices is running on this port). Do not use Emulator considers as itself and as the host machine. This is explained in details here.
  • Register & Login, everything goes well now.
The above ones are those silly mistakes which result in the errors mentioned earlier. If these are done, properly you are set.

Now if anyone is not able to capture the traffic in a proxy, here are the steps-

Normally you set & port 8888 in "Destination Info" in emulator. But for setting the Burp Proxy v1.4.01, 
  • Run Burp Proxy on 7000 port, loopback should not be selected, "support invisible" should be enabled. Set the upstream proxy servers to host and port 8888.
  • Start the emulator with this command- emulator.exe -avd <name> -http-proxy
  • Set & port 7000 as "Destination Info" in the application running on emulator.
Ofcourse you can run Burp Proxy on your favorite port other that 8888, I preferred 7000.

Have Fun with Android and GoatDroid!


  1. I can't login because "Could not contact the remote service"? how can i configure?

  2. Make sure that the webservice is running properly and listening on port 8888. You can use netstat on Windows to verify this.

    Go to preferences and make sure that you enter "Destination Info" correctly as described above.

  3. hi Prashant,
    Thanks for the very useful info. I am facing problem using OWASP-GoatDroid-0.9 (this is the only goatdroid version i was able to get). I just wonder, i was not even able to go to http://code.google.com/p/owasp-goatdroid/wiki/QuickStartGuide for the quickguide as it always gave me "Your client does not have permission to get URL /p/owasp-goatdroid/wiki/QuickStartGuide from this server". I tried registering, but no luck. However, i was able to see the quickguide through cached pages.

    As per quick guide, i could not find fougoats database "fourgoats.sql' in OWASP-GoatDroid-0.9 folders. I also tried tried downloading goatdroid-beta-V0.1.2.jar, but could not download.

    When i used goatdroid-0.9 as defined in "https://github.com/jackMannino/OWASP-GoatDroid-Project/wiki/Getting-Started" i get the same message "Could not contact the remote service". I also tried creating MySql DB as mentioned by you and got the same msg. Nothing worked for me finally.

    Appreciate if you can guide.

  4. Thank you for the look into mobile application security testing, ! In forums I've participated in, users often say application security testing is not necessary because developers should have made their applications secure in the first place.

    Application security code review

  5. Thanks for your nice and very informative blog series I just love to read about Mobile application security, Keep sharing this kind of blogs with us.