Course Code: mobileappsec
Duration: 35 hours
Prerequisites:

Basic knowledge of IT security.

Familiarity with the Android system.

Overview:

With the growing popularity of mobile devices, ensuring an appropriate level of security for the applications written for them is becoming increasingly important. What challenges does the Android platform pose to application developers? How can Android applications be analyzed effectively for vulnerabilities?

In this training we show participants how to conduct penetration tests of mobile applications following the OWASP Mobile Security Testing Guide (MSTG) and the Mobile Application Security Verification Standard (MASVS).

By the end of this course, participants will be able to:

  • Decompile the application under analysis
  • Work with obfuscated code
  • Identify and exploit vulnerabilities in inter-process communication components
  • Bypass certificate pinning and analyze network traffic
  • Examine the security of WebView components
  • Analyze native library code and cross-platform applications
  • Test remote APIs used by the application

With a focus on practical mobile application vulnerabilities and methods for detecting them, this training will introduce developers and security researchers to issues related to Android security.

Course Format

  • Theoretical introduction to the architecture and security model of Android applications
  • Discussion of security testing techniques in a black box model along with practical exercises
  • Analysis of vulnerable code examples and the ways attackers can exploit them

Course Outline:

Day 1: Introduction to Android Security

  • introduction to the Android system
  • Android security model: application isolation, permission system
  • Android from a developer's perspective: Java, Kotlin, the manifest, resources, IPC components, web APIs
  • applications from the inside: dex and apk file formats
  • Android and Linux: from a developer’s and a security researcher’s perspective
  • inside Android security: DAC, SELinux, partition mounting, dm-verity
  • rooting
  • basic tools: Android Studio, ADB, logcat
  • Android application security in theory: CVSS, MASVS, MSTG

Day 2: Reverse Engineering of Android Applications, Static Analysis, and IPC Security

  • what is reverse engineering (reversing)
  • reverse engineering with apktool: decoding resources, disassembling code
  • Dalvik virtual machine, dex bytecode, and Smali language
  • decompiling code to Java: Bytecode Viewer
  • working with decompiled code in Android Studio
  • analyzing the manifest for IPC
  • automated static analysis using MobSF
  • dynamic analysis of IPC attack surface using Drozer
  • vulnerabilities in IPC
  • preparing a proof of concept: am (activity manager), Drozer, Java/Kotlin
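
The manifest-analysis and proof-of-concept steps above, as an added example that is not part of the course material: the script reads the plain-XML AndroidManifest.xml that apktool decodes, applies the platform's implicit-export rules (an intent-filter without android:exported exports an activity, service or receiver; a provider is exported by default only below targetSdk 17), keeps the android:permission that still guards an exported component, and prints the `am` command that reaches each one from another app. The package name, component names and the sample manifest are constructed for this example.

```python
"""List exported IPC components from a decoded AndroidManifest.xml.

Added example, not course material.  Input is the plain-XML manifest that
`apktool d app.apk` writes out.  The sample manifest, package and
component names at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")
# am sub-command that delivers an Intent to each component type
AM_VERB = {"activity": "start", "service": "start-service", "receiver": "broadcast"}


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def qualify(package, name):
    """Expand the short forms Android accepts in android:name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def is_exported(elem, target_sdk):
    """Return (exported, reason) using the platform's default rules.

    An explicit android:exported wins.  Without it, activities, services
    and receivers are exported iff they declare an <intent-filter> (apps
    targeting SDK 31+ must say so explicitly, so the implicit case only
    exists for older targets); providers default to exported only when
    targetSdk < 17.
    """
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit == "true", "explicit android:exported=%s" % explicit
    if elem.tag == "provider":
        return target_sdk < 17, "provider default for targetSdk %d" % target_sdk
    if elem.find("intent-filter") is not None:
        return True, "implicit: <intent-filter> without android:exported"
    return False, "default: no intent-filter and no android:exported"


def attack_surface(manifest_xml):
    """Return one dict per component reachable from another app."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENTS:
            continue
        exported, reason = is_exported(elem, target_sdk)
        if not exported:
            continue
        name = qualify(package, _attr(elem, "name"))
        finding = {"type": elem.tag, "name": name, "reason": reason,
                   # once exported, only android:permission still guards the component
                   "permission": _attr(elem, "permission")}
        if elem.tag in AM_VERB:
            finding["poc"] = "adb shell am %s -n %s/%s" % (AM_VERB[elem.tag], package, name)
        else:
            finding["poc"] = "adb shell content query --uri content://%s" % _attr(elem, "authorities")
        findings.append(finding)
    return findings


# Constructed sample: explicit and implicit exports side by side.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnbank">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminPanelActivity" android:exported="true"/>
    <activity android:name=".TransferActivity"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter><data android:scheme="vulnbank"/></intent-filter>
    </activity>
    <service android:name="com.example.vulnbank.sync.SyncService" android:exported="true"
        android:permission="com.example.vulnbank.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".AccountsProvider" android:authorities="com.example.vulnbank.accounts"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in attack_surface(SAMPLE_MANIFEST):
        guard = " (requires %s)" % f["permission"] if f["permission"] else ""
        print("%-8s %s%s  [%s]\n         %s" % (f["type"], f["name"], guard, f["reason"], f["poc"]))
```

Run it against `AndroidManifest.xml` from the apktool output directory; the printed `am` lines are the first thing to try from an adb shell, and a component that lists a permission is only reachable from an app holding it, which is what Drozer's `run app.activity.info -a <pkg>` reports as well.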

Day 3: Dynamic Analysis, Repacking, and Instrumentation

  • analyzing application logs
  • analyzing file system content
  • debuggable and backup-enabled applications (android:debuggable, android:allowBackup)
  • working with a debugger
  • network traffic analysis: tcpdump, Burp Proxy
  • trusted certificates and certificate pinning
  • repackaging: modifying application code or the manifest, zipalign, jarsigner
  • instrumentation: Frida and Objection

Day 4: WebView, Cross-Platform Applications, Native Libraries

  • WebView: HTML and JavaScript in Android applications
  • interactions between WebView and Java: filesystem access and JavascriptInterface
  • vulnerabilities in WebView: gaining access through WebView escapes, XSS, or a debuggable WebView
  • vulnerabilities in WebView: escalation through JavascriptInterface
  • cross-platform applications: theory
  • reverse engineering C# (Xamarin) applications using dotPeek and ILSpy
  • reverse engineering JavaScript (React Native) applications using react-native-decompiler
  • other cross-platform frameworks: Flutter (Dart), Ionic/Angular (JavaScript), and others
  • native libraries: C, C++, and machine code in Android applications
  • JNI: System.loadLibrary() and methods with the native keyword
  • reverse engineering native libraries using Ghidra
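
The JNI and native-library items above, as an added example that is not part of the course material: decompiled Java shows which methods are declared `native`; the symbols that the library exports show what Ghidra will name the implementations. The script applies the JNI name-mangling rules ('/' and '.' become '_', '_' becomes '_1', ';' becomes '_2', '[' becomes '_3', any other non-alphanumeric character becomes '_0xxxx', overloads get '__' plus the mangled parameter descriptor) and matches declarations to an `nm -D` listing. The class name, method names and the nm output are constructed for this example.

```python
"""Map `native` method declarations to JNI export names in a .so.

Added example, not course material.  The declarations and the `nm -D`
listing below are constructed; the mangling rules are the JNI spec's.
"""


def mangle(text):
    """Apply the JNI name-mangling rules to one identifier or descriptor."""
    out = []
    for ch in text:
        if ch in "/.":
            out.append("_")
        elif ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))  # e.g. '$' of an inner class -> _00024
    return "".join(out)


def jni_symbol(class_name, method, descriptor=None):
    """Short export name, or the long overloaded form when a descriptor is given."""
    sym = "Java_%s_%s" % (mangle(class_name), mangle(method))
    if descriptor is not None:
        params = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
        sym += "__" + mangle(params)
    return sym


def defined_symbols(nm_output):
    """Pick the defined text symbols out of `nm -D libfoo.so` output."""
    syms = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("T", "t", "W"):
            syms.add(parts[2])
    return syms


def resolve_native_methods(declarations, symbols):
    """For each (class, method, descriptor) return the matching export or None.

    None means the method is not statically exported.  If JNI_OnLoad is
    among the exports, the library almost certainly binds it through
    RegisterNatives, and the implementation has to be found via that
    method table in the decompiler instead of by symbol name.
    """
    resolved = {}
    for cls, method, desc in declarations:
        long_name = jni_symbol(cls, method, desc)
        short_name = jni_symbol(cls, method)
        if long_name in symbols:
            resolved[(cls, method, desc)] = long_name
        elif short_name in symbols:
            resolved[(cls, method, desc)] = short_name
        else:
            resolved[(cls, method, desc)] = None
    return resolved


# Constructed inputs: native declarations from decompiled Java and an nm listing.
SAMPLE_DECLARATIONS = [
    ("com.example.vulnbank.NativeCrypto", "encrypt", "([B)[B"),
    ("com.example.vulnbank.NativeCrypto", "check_pin", "([BI)Z"),
    ("com.example.vulnbank.NativeCrypto", "check_pin", "(Ljava/lang/String;)Z"),
    ("com.example.vulnbank.NativeCrypto", "getKey", "()[B"),
]
SAMPLE_NM = """\
0000000000001a20 T Java_com_example_vulnbank_NativeCrypto_encrypt
0000000000001b80 T Java_com_example_vulnbank_NativeCrypto_check_1pin___3BI
0000000000000f00 T JNI_OnLoad
                 U __stack_chk_fail
"""

if __name__ == "__main__":
    syms = defined_symbols(SAMPLE_NM)
    for (cls, method, desc), sym in resolve_native_methods(SAMPLE_DECLARATIONS, syms).items():
        print("%s.%s%s -> %s" % (cls, method, desc, sym or "not exported"))
    if "JNI_OnLoad" in syms:
        print("JNI_OnLoad is exported: look for a RegisterNatives call inside it")
```

A method that resolves to None while JNI_OnLoad is present is the usual sign of dynamic registration; in Ghidra, find the JNINativeMethod array passed to RegisterNatives (name string, descriptor string, function pointer) to recover the mapping the symbol table does not give.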

Day 5: Web API Security

  • web APIs in Android applications
  • API protocols: SOAP, REST, JSON-RPC, GraphQL, and others
  • OWASP API Top 10
  • intercepting communication with APIs using Burp Proxy
  • Burp Repeater: modifying API requests
  • vulnerabilities related to authentication: credential stuffing, SQL injection in login endpoints, vulnerabilities in JWT handling
  • vulnerabilities related to access control: IDOR, mass assignment, access to administrative and debug functions
  • other vulnerabilities: SSRF, injection, excessive data exposure in error messages, server vulnerabilities
  • discovering additional API features in definition files: WSDL, Swagger/OpenAPI, GraphQL SDL, etc.
  • automatically generating API requests: SoapUI, Postman
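
The JWT item in the authentication bullet above, as an added example that is not part of the course material: two checks a tester runs offline against a token captured in Burp (a guessable HS256 secret, and the alg=none variant that a careless verifier accepts) next to the strict verification the API should perform. The token, the weak secret and the wordlist are constructed for this example and do not come from any real system.

```python
"""JWT checks for the API-testing part of the course.

Added example, not course material.  The sample token is minted here from
a deliberately weak, constructed secret so that everything runs offline.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256(claims, secret):
    """Issue a token the way a typical HS256 server does."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, b64url_encode(sig))


def parse_jwt(token):
    """Split a compact JWT into (header dict, claims dict, raw signature bytes)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64) if sig_b64 else b"")


def crack_hs256(token, wordlist):
    """Offline test for a guessable HS256 secret; returns the secret or None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    target = b64url_decode(sig_b64)
    for guess in wordlist:
        candidate = hmac.new(guess.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(candidate, target):
            return guess
    return None


def forge_none(token, **changed_claims):
    """Build the alg=none variant of a token, with optionally altered claims.

    Sent back to the API from Burp Repeater; a verifier that honours the
    header's alg field will accept it without any signature.
    """
    _, claims, _ = parse_jwt(token)
    claims.update(changed_claims)
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return "%s.%s." % (header, payload)


def verify_strict(token, secret, allowed_algs=("HS256",)):
    """What the server should do: pin the algorithm, then compare in constant time."""
    header, claims, sig = parse_jwt(token)
    if header.get("alg") not in allowed_algs:
        return None
    header_b64, payload_b64, _ = token.split(".")
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, sig) else None


WEAK_SECRET = "secret"  # constructed for the example
SAMPLE_TOKEN = make_hs256({"sub": "1042", "role": "user"}, WEAK_SECRET)
WORDLIST = ["password", "changeme", "secret", "jwt_secret"]  # constructed

if __name__ == "__main__":
    print("secret recovered:", crack_hs256(SAMPLE_TOKEN, WORDLIST))
    probe = forge_none(SAMPLE_TOKEN, role="admin")
    print("alg=none probe:", probe)
    print("strict verifier on probe:", verify_strict(probe, WEAK_SECRET))
    print("strict verifier on real token:", verify_strict(SAMPLE_TOKEN, WEAK_SECRET))
```

A recovered secret means any claim (subject, role, expiry) can be re-signed; the alg=none probe is only a finding if the API actually honours it, which is why it is sent through Burp Repeater rather than judged offline.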

Sites Published:

Poland - Mobile application security (Android, cross-platform, API)