Day 1:
Introduction to Android security
- Mobile application threat model - What makes mobile application security so different?
- The Android linux OS security
- The Dalvik VM
- The Android security mechanisms
- Application file system isolation & insecure file access
- The permission model
- Database isolation
- The Android emulator vs. a physical device
- The debug bridge
- Rooting
- AppUse VM
- Lab - Android Emulator, ADB and Database Isolation
- Lab - build your own malware app and steal other app files
- Homework
Static analysis - Reverse engineering & patching the application binaries
- The APK file package
- APK extraction - Investigating layout, manifest, permissions and binaries
- Extracting the content of the classes.dex file
- Using smali/baksmali Dalvik assembler/disassembler
- Decompilation
- Using dex2jar
- Reverse engineer the app and change its behavior
  - Decompile / disassemble the dex classes using smali/baksmali
  - Code patching - Modifying the code
  - Recompile
  - Resign the APK
- Lab - Recovering protected secrets
- Lab - Application patching
- Homework
Application dynamic runtime analysis
- Monitoring process activity
- Observing file access
- Monitoring network connectivity
- Analyzing logs using logcat
- Memory dumps and analysis
- Smali debugging
  - Setting breakpoints
- Native debugging with IDA and GDB
- Runtime instrumentation and manipulation using ReFrameworker
- Lab - Memory dumps and objects analysis
- Lab - Bypass Application Restrictions without Modifying Any Code
- Homework
Day 2:
Traffic analysis and manipulation
- Common vulnerabilities related to traffic
- Proxies and sniffers
- Sensitive information transmission
- Importing SSL certificates & trusted CAs
- Bypassing server certificate validations
- Exposing insecure traffic
- Validating server certificates and avoiding man-in-the-middle attacks
  - SSL pinning
  - Using the HostnameVerifier class
  - Using SSL with the HttpsURLConnection class
  - Client-side certificate authentication
- Lab - Parameter Manipulation Using a Proxy
- Lab - Bypassing SSL Pinning
- Homework
Component & IPC security
- Major component types – Activity, Service, Content provider, Broadcast receiver
- The intent structure
- The intent filter
- Component permissions and visibility
- Authenticating Callers of Components
- Binder interface
- Pending intents
- Direct component invocation by unauthorized apps
- Unprotected content providers
- Sticky broadcasts
- Securely activating components
- Avoiding access to restricted screens
- Lab - Invoking Internal Activities Using Malicious Intents
- Lab - Attacking broadcast receivers
- Homework
Identifying code level vulnerabilities
- Verifying caller identity
- Whitebox approach using a code review
  - Locating interesting code
  - How to perform the review
- Detecting common code level vulnerabilities
  - Using Lint
- Lab - Security code review
- Homework
Members of the security / software development team:
- Security penetration testers
- Security researchers
- Architects
Before attending this course, students should be familiar with:
- Common security concepts
- Basic knowledge of the Linux OS
- Development background and basic knowledge of the Android development platform
Please make sure that each machine has:
- At least 2GB of RAM (4GB is highly recommended)
- 30 GB of free disk space
- VMware Player (free) or VMware Workstation (commercial)