Android Application Hacking - PenTesting Mobile Apps

Erez Metula, AppSec Labs | August 2-3 & 4-5

On This Page


Day 1

Introduction to Android Security & AppUse

Mobile application threat model - What makes mobile application security so different?
• The Android linux OS security
• The Dalvik VM
• The Android security mechanisms
• Application file system isolation
• The permission model
• Least privilege model
• Database isolation
• The Android emulator VS. physical device
• The AppUse VM ("Android Pen-test Platform Unified Standalone Environment")
• The Android Debug Bridge (ADB)
• The logcat interface
• LAB: Android Emulator, ADB and Database Isolation

Coffee break

Traffic Analysis and Manipulation
• Intro to server side attacks - SQL injection, XSS
• Insecure remote Authentication - client id, IMEI, etc.
• Insecure session management
• authorization
• Traffic interception
• Using proxies and sniffers
• Importing SSL certificates & trusted CA's
• Sensitive information transmission
• Bypassing server certificate validations
• Exposing insecure traffic
• LAB: HTTP/HTTPS Sniffing and Proxying
• LAB: Parameter Manipulation

Meal break (lunch)

Insecure data K11storage
• Exploring deployed application files at the /data/data directory
• The file system security model
• Insecure file system permissions
• Insecure storage of sensitive data in files
• The SDcard
• The SQLite Database storage
• Using sqlite browser
• Application shared preferences storage
• Storage of sensitive data at the server side
• Secrets in code
• Insecure log exposure
• Bad cryptography

Coffee break

• LAB: Exposing insecure data storage
• LAB: Insecure Configuration

Day 2

Reverse engineering the application binaries
• The APK file package
• APK extraction - Investigating layout, manifest, permissions and binaries
• Extracting the content of the classes.dex file
• Using smali/baksmali Dalvik assembler/disassembler
• Using jasmin/jasper JVM assembler/disassembler
• Decompilation
• Using dex2jar
• Identifying interesting API calls - file access, networking, SDcard access, SQLite, etc
• Identifying insecure code - certificate validation bypass, insecure xml parsing, clipboard access, geo-location, address book, client xss and html injection, etc.
• Finding hard coded secrets in code
• Using Android Lint
• Code patching and modification
• Recreating and resigning the modified APK
• LAB: Binary decompilation & disassembly
• LAB: Finding hard-coded secrets in code
• LAB: Application patching

Coffee break

Android application components security
• Major component types - Activity, Service, Content provider, Broadcast receiver
• The Intent message
• Components and the manifest file
• Using manifest explorer
• Component permissions and visibility
• Activating components
• Accessing restricted screens
• Attacking content providers and client side sql injection
• Direct component invocation by unauthorized apps
• LAB: invoking components using malicious intents

Meal break (lunch)

Analyzing Runtime Analysis
• Monitoring process activity
• Observing file access
• Monitoring network connectivity
• Debugging
• Setting breakpoints
• Memory dumping and analysis
• Analyzing logs using logcat

Coffee break

• LAB: Application logging
• LAB: Monitoring file access
• LAB: Memory analysis

• Teaching Method(s) Used For Course (lecture, hands-on labs, demonstrations, group exercises, etc.): 6 training modules (lectures) + at least one hands on lab for each module
• Labs are performed on our unique "AppUse" android penetration testing platform (

Who Should Take This Course

Members of the security / software development team:
• Security penetration testers
• Android developers

Student Requirements

Before attending this course, students should be familiar with:
• Common security concepts
• Basic knowledge of the Linux OS
• Development background and basic knowledge of the Android development platform

What Students Should Bring

Please make sure that each machine has:
• At least 2GB of RAM (4GB is highly recommended)
• 15GB of free HD space
• Vmware player (free) or vmware workstation (commercial)
• Wireless connectivity in the class - a dedicated router accessible from the class' network Android device & cables - optional

What Students Will Be Provided With

• Slides booklet
• Labs booklet
• AppUse Android VM (DVD) containing all tools, runtime, target apps, scripts, etc.
• Certificate of completion
• Access to AppSec Labs' LMS (learning management system), at


Erez Metula is a world renowned application security expert, spending most of his time finding software vulnerabilities and teaching developers how they should avoid them. Erez has an extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as Black Hat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. His latest research on Managed Code Rootkits, presented at major conferences throughout the world, was published recently as a book by Syngress publishing. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.