Introduction

Android is becoming increasingly present in all aspects of our lives, from phones and televisions to fridges and point of sale devices. As the use of Android continues to grow, so do concerns about security and privacy. This has led to a greater need for security assessments and the secure operation of the Android application ecosystem.

This course aims to provide guidance for application security engineers and penetration testers on how to secure the Android application ecosystem. It covers various aspects of Android security, including analysing and assessing the security of Android applications, identifying vulnerabilities and weaknesses, and implementing security controls. The course provides hands-on experience and practical knowledge for professionals to effectively secure Android applications and protect against threats. The ultimate goal is to equip participants with the skills and knowledge needed to ensure the security and privacy of the Android ecosystem.

The course focuses on the Android application ecosystem, covering both the attack and defence sides of the application development process. Starting with attack, we cover the various attacks possible on Android applications, and then we provide answers to challenges routinely encountered by Android security engineers and pen testers:

  • Traffic interception (http/https/web socket/non-http)
  • Root detection bypass
  • Static & dynamic analysis
  • Perform dynamic instrumentation (Frida / Magisk)
  • Analysing non-Java/Kotlin apps (React Native and Flutter)
  • How to add security to the application's CI/CD pipeline

The aim is not to take participants from zero to hero, but to provide a methodical approach with which they can perform any Android application assessment. We provide students with access to a learning portal (cloud VMs), a soft copy of the slides, detailed answer sheets, and AMIs to continue learning after class.

Table of Contents

  1. Basics
    • Understanding OS Architecture
    • Android Permission model
    • Inter-process communication (Intents / Binders, Deep linking)
    • Application Structure
  2. Application Assessment
    • Attack surface mapping
    • MITRE ATT&CK & OWASP MSTG
    • Traffic Interception (http/https)
    • Root detection bypass
    • Deobfuscating application code
    • Dynamic instrumentation
    • Static & dynamic analysis
    • Hybrid app assessment (React Native, Flutter, .NET)
  3. CI / CD Pipeline
    • Static analysis (SAST) via Semgrep
    • Dynamic analysis (DAST)
    • 3rd Party Library Tracking
    • Supply Chain Security

Pre-Requisites:

The course assumes basic familiarity with the command line and Linux. A user-level understanding of Android phones is good to have.

Our labs are cloud-based, and a browser should be sufficient. However, we still suggest the following hardware:
  • A laptop with a working browser and unrestricted internet access (at least ports 80 and 443; some web-socket connections might also be required).
  • We recommend bringing a laptop with full administrative access in case any troubleshooting is required.

If any HIDS or firewall is installed, please ensure admin access is available to disable it in case it interferes with the lab setup.

Hardware / Software / Internet Requirements

  • Our labs are cloud-based, which means a strong Internet connection is a requirement for all students.

Duration

2 days

Who should attend?

  • Resident Android security engineers,
  • Android DevOps engineers,
  • Mobile application developers,
  • Pentesters, or
  • Anyone interested in Android security

What to expect?

The aim is not to take participants from zero to hero, but to provide a methodical approach with which they can perform any Android application assessment. Students are provided with access to a learning portal, a soft copy of the slides, detailed answer sheets, and AMIs for the environment.

Students will learn
  • How to attack real-world Android applications
  • How to integrate security into the CI/CD pipeline for Android applications

What not to expect?

  • Becoming an uber leet pro hacker who can hack Android devices by just staring at them :P