Android Security and Exploitation for Pentesters is a course intended for people who want to get started into Android Security, or even who are a bit familiar with the Android security space but want to learn more about Android Application Security. This is a hands-on course where you will get to reverse applications, find security vulnerabilities, perform debugging and API hooking, use tools like Androguard and Drozer, and a lot more.
The course takes example of real world applications, as well as custom made vulnerable applications to give you an in-depth view of the security issues in Android applications. Once the course is completed, you should be able to take any android application, tear it apart and identify vulnerabilities in it. It will also serve as a really good starting point, if you want to dig deeper and research more into Android Security.
The course is equally useful for security researchers, pentesters as well as Mobile Application developers. The training course has been previously run at a number of international security conferences all over the world, and has been highly well received.
A non-exhaustive list of topics to be covered include:
- Introduction to Android
- Android Security Architecture
- Android Permissions
- Android Application Internals
- Setting up Genymotion
- Android Application Components
- DEX File Analysis
- Introduction to Android Debug Bridge
- Logging Based Vulnerabilities
- Reversing Android Applications
- Analyzing Android Malwares
- Analyzing Android Traffic
- Bypassing SSL Pinning
- Leaking Content Providers
- Introduction to Drozer
- Read based Content Provider vulnerability
- Advanced Drozer Usage
- Drozer Scripting
- Dropbox Content Provider Vulnerability
- Backup Based Vulnerability
- Client Side Injection
- Hooking Introduction and Setting up Insecure Bank
- Android Debugging with Andbug
- Debugging with JDB
- Automated Hooking with Introspy
- Cydia Substrate and Hooking
- Xposed Framework and Hooking
- Analysis and Scripting using AndroGuard
- Webview Based vulnerabilities
- Exploiting Webview with Metasploit
Android Security and Exploitation for Pentesters Course Videos
Aditya Gupta (@adi1391) is the founder and trainer of Attify, a mobile security firm, and leading mobile security expert and evangelist. Apart from being the lead developer and co-creator of Android framework for exploitation, he has done a lot of in-depth research on the security of mobile and hardware devices, including Android, iOS, and Blackberry, as well as BYOD Enterprise Security.
He is also the author of the popular Android security book “Learning Pentesting for Android” selling over 10000+ copies, since the time of launch in March 2014. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe, Skype, and many more. He has also published a research paper on ARM Exploitation titled “A Short Guide on ARM Exploitation.” In his previous work at Rediff.com, his main responsibilities were to look after web application security and lead security automation. He also developed several internal security tools for the organization to handle the security issues.
He has also previously spoken and trained at numerous international security conferences including Black Hat, Syscan, OWASP AppSec, Toorcon, Clubhack, Nullcon etc, along with many other corporate trainings on Mobile Security. He can be reached on adi [at] Attify [dot] com.
Books Authored by Aditya
Learning Pentesting for Android Devices (4.5 Stars on Amazon.com)
Learning Pentesting for Android is a practical and hands-on guide to take you from the very basic level of Android Security gradually to pentesting and auditing Android. It is a step-by-step guide, covering a variety of techniques and methodologies that you can learn and use in order to perform real life penetration testing on Android devices and applications. The book starts with the basics of Android Security and the permission model, which we will bypass using a custom application, written by us. Thereafter we will move to the internals of Android applications from a security point of view, and will reverse and audit them to find the security weaknesses using manual analysis as well as using automated tools.
We will then move to a dynamic analysis of Android applications, where we will learn how to capture and analyze network traffic on Android devices and extract sensitive information and files from a packet capture from an Android device. We will look into SQLite databases, and learn to find and exploit the injection vulnerabilities. Also, we will look into root exploits, and how to exploit devices to get full access along with a reverse connect shell. Finally, we will learn how to write a penetration testing report for an Android application auditing project.