This hands-on course, offered for the 3rd year in a row at Black Hat USA, focuses on the techniques and tools for testing the security of Android mobile applications and researching their inner workings. During this course, students will learn about important topics such as the Android security model, the Android runtime, and how to perform static analysis, traffic manipulation, memory dumps, debugging, code modification and dynamic analysis, going from zero knowledge of an APK to fully understanding how it "ticks" and how it can be exploited. Students will also learn how to operate and make the best of the AppUse custom VM for Android application penetration testing, from its own creators.
By taking this course you will be able to research and perform penetration testing on Android mobile applications and expose potential vulnerabilities in the tested application, such as insecure storage, traffic manipulation, malicious intents, authentication and authorization problems, client-side SQLi, bad cryptography, and more. Besides learning how Android apps can be hacked, you can also use this knowledge for other purposes such as Android research, Android malware analysis, secure coding and so on.
Course Syllabus
Day 1:
Introduction to Android security
- Mobile application threat model - What makes mobile application security so different?
- Android Linux OS security
- The Dalvik VM
- The Android security mechanisms
- Application file system isolation & insecure file access
- The permission model
- Database isolation
- The Android emulator vs. physical device
- The debug bridge
- Rooting
- AppUse VM
- Lab - Android Emulator, ADB and Database Isolation
- Lab - Build your own malware app and steal other app files
- Homework
Static analysis - Reverse engineering & patching the application binaries
- The APK file package
- APK extraction - Investigating layout, manifest, permissions and binaries
- Extracting the content of the classes.dex file
- Using smali/baksmali Dalvik assembler/disassembler
- Decompilation
- Using dex2jar
- Reverse engineer the app and change its behavior
- Decompile / disassemble the dex classes using smali/baksmali
- Code patching - Modifying the code
- Recompile
- Resign the APK
- Lab - Recovering protected secrets
- Lab - Application patching
- Homework
Application dynamic runtime analysis
- Monitoring process activity
- Observing file access
- Monitoring network connectivity
- Analyzing logs using logcat
- Memory dumps and analysis
- Smali Debugging
- Setting breakpoints
- Native debugging with IDA (building signatures, types etc.)
- Runtime instrumentation and manipulation using ReFrameworker
- Lab - Memory dumps and objects analysis
- Lab - Bypass Application Restrictions without Modifying Any Code
- Homework
Day 2:
Traffic analysis and manipulation
- Common vulnerabilities related to traffic
- Proxies and sniffers
- Sensitive information transmission
- Importing SSL certificates & trusted CAs
- Bypassing server certificate validations
- Exposing insecure traffic
- Validating server certificates and avoiding man-in-the-middle
- SSL Pinning
- Using the HostnameVerifier class
- Using SSL with the HttpsURLConnection class
- Client side certificate authentication
- Lab - Parameter Manipulation Using a Proxy
- Lab - Bypassing SSL Pinning
- Homework
Component & IPC security
- Major component types Activity, Service, Content provider, Broadcast receiver
- The intent structure
- The intent filter
- Component permissions and visibility
- Authenticating Callers of Components
- Binder interface
- Pending intents
- Direct component invocation by unauthorized apps
- Unprotected content providers
- Sticky broadcasts
- Securely activating components
- Avoiding access to restricted screens
- Lab - Invoking Internal Activities Using Malicious Intents
- Lab - Attacking broadcast receivers
- Homework
Identifying code level vulnerabilities
- Verifying caller identity
- Whitebox approach using a code review
- Locating interesting code
- How to perform
- Detecting common code level vulnerabilities
- Using Lint
- Lab - Security code review
- Homework
Members of the security / software development team:
- Security penetration testers
- Android developers
- Malware researchers
Before attending this course, students should be familiar with:
- Common security concepts
- Basic knowledge of the Linux OS
- Development background and basic knowledge of the Android development platform
Please make sure that each machine has:
- At least 4GB of RAM (8GB is highly recommended)
- 15GB of free HD space
- VMware Player (free) or VMware Workstation (commercial)