Course Code: mobileappsec
Duration: 35 hours
Prerequisites:

Basic security knowledge.

Knowledge of the Android system.

Overview:

As mobile devices become more popular, it is becoming increasingly important to ensure that applications designed for them are properly secured. What challenges does Android pose to application developers? How can Android applications be effectively analyzed for vulnerabilities?

In this training, we will show participants how to conduct penetration tests of mobile applications based on the OWASP MSTG methodology and the MASVS standard.

At the end of this course participants will be able to:

  • Decompile the tested application
  • Work with obfuscated code
  • Recognize and exploit vulnerabilities in inter-process communication components
  • Bypass certificate pinning and analyze network traffic
  • Investigate the security of WebView components
  • Analyze the code of native libraries and cross-platform applications
  • Test the remote API used by the application

With an emphasis on practical mobile application vulnerabilities and methods for detecting them, this course will introduce developers and security researchers to Android security issues.

Course format

  • A theoretical introduction to the architecture and security model of Android applications
  • Discussion of black box application security testing techniques with practical exercises
  • Analysis of examples of vulnerable code and how attackers could exploit it

Course Outline:

Day 1: Introduction to Android System Security

  • introduction to the Android system
  • Android security model: application isolation, permission system
  • Android from a programmer's point of view: Java, Kotlin, manifest, resources, IPC components, web API
  • apps inside: dex and apk file formats
  • Android and Linux: from a developer's point of view and from a security researcher's point of view
  • Android security from the inside: DAC, SELinux, partition mounting, dm-verity
  • rooting
  • basic tools: Android Studio, ADB, logcat
  • security of Android applications in theory: CVSS, MASVS, MSTG

Day 2: Reverse engineering Android applications, static analysis and IPC security

  • what is reverse engineering (reversing)
  • reverse engineering with apktool: decoding resources, disassembling code
  • Dalvik virtual machine, dex bytecode and Smali language
  • decompiling code to Java: Bytecode Viewer
  • working with decompiled code in Android Studio
  • manifest analysis for IPC: exported activities, services, receivers and providers
  • automatic static analysis using MobSF
  • dynamic analysis of the IPC attack surface using Drozer
  • vulnerabilities in IPC
  • preparing proof of concept: am, Drozer, Java/Kotlin
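The Day 2 steps above (manifest analysis, mapping the IPC attack surface, writing a proof of concept with `am`) are illustrated by the following added example, which is not part of the course materials. It takes a decoded AndroidManifest.xml, applies the platform's default-export rules for components that do not set android:exported, and emits the `adb shell` command (`am start`, `am startservice`, `am broadcast`, `content query`) that reaches each exported component from an unprivileged context. The manifest it parses is constructed for a fictional package `com.example.vulnapp`; all component names in it are hypothetical. One caveat from practice: apktool moves `<uses-sdk>` out of the manifest into apktool.yml, so when working on apktool output pass `target_sdk` explicitly.

```python
"""Enumerate exported IPC components in an AndroidManifest.xml and build
proof-of-concept am/content commands for each one (added example)."""
import shlex
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
IPC_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _qualify(package, name):
    """Resolve android:name like PackageManager: '.Foo' and bare 'Foo' are relative to the package."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def is_exported(component, target_sdk):
    """Decide whether a component is exported, applying the platform defaults
    when android:exported is absent. Returns (exported, reason).

    activity/service/receiver: exported iff an <intent-filter> is present
    (targetSdk >= 31 refuses to install the implicit case, so it matters for
    older targets only). provider: default true only when targetSdk <= 16
    (the platform also applies that old default when minSdk <= 16; pass the
    smaller of the two values if they differ)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true", "android:exported=%s" % explicit
    if component.tag == "provider":
        return target_sdk <= 16, "provider default for targetSdk %d" % target_sdk
    if component.find("intent-filter") is not None:
        return True, "implicit: has intent-filter, no android:exported"
    return False, "no intent-filter, no android:exported"


def _poc_command(tag, fqcn, package, component):
    """Build the adb-shell command that invokes the component from any app/shell."""
    cn = shlex.quote("%s/%s" % (package, fqcn))
    if tag in ("activity", "activity-alias"):
        return "am start -n %s" % cn
    if tag == "service":
        return "am startservice -n %s" % cn
    if tag == "receiver":
        # Use the first declared action so the receiver's own filter matches.
        action = component.find("intent-filter/action")
        extra = " -a %s" % shlex.quote(_attr(action, "name")) if action is not None else ""
        return "am broadcast -n %s%s" % (cn, extra)
    authority = (_attr(component, "authorities") or "").split(";")[0]
    return "content query --uri %s" % shlex.quote("content://%s/" % authority)


def enumerate_exported(manifest_xml, target_sdk=None):
    """Return a list of exported components with the reason and a PoC command.
    target_sdk: targetSdkVersion; read from <uses-sdk> when not given
    (apktool-decoded manifests lack it, the value sits in apktool.yml)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        if uses_sdk is None or _attr(uses_sdk, "targetSdkVersion") is None:
            raise ValueError("pass target_sdk explicitly (see apktool.yml)")
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion"))
    findings = []
    for comp in root.find("application"):
        if comp.tag not in IPC_TAGS:
            continue
        exported, reason = is_exported(comp, target_sdk)
        if not exported:
            continue
        fqcn = _qualify(package, _attr(comp, "name"))
        # Exported but permission-guarded components still need that permission.
        perms = [p for p in (_attr(comp, "permission"), _attr(comp, "readPermission"),
                             _attr(comp, "writePermission")) if p]
        findings.append({"type": comp.tag, "name": fqcn, "reason": reason,
                         "permission": ", ".join(perms) or None,
                         "poc": _poc_command(comp.tag, fqcn, package, comp)})
    return findings


# Constructed sample manifest for a fictional package (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <activity android:name="com.example.vulnapp.DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="vulnapp"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.vulnapp.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.vulnapp.notes"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in enumerate_exported(SAMPLE_MANIFEST):
        guard = " [requires %s]" % f["permission"] if f["permission"] else ""
        print("%-14s %s (%s)%s\n    adb shell %s" % (f["type"], f["name"], f["reason"], guard, f["poc"]))
```

Run against the sample, the script reports five exported components: two activities exported implicitly through their intent filters, one exported explicitly, a permission-guarded service and the boot receiver; `SettingsActivity` stays internal and `NotesProvider` only becomes reachable if the same manifest targeted SDK 16 or lower. Each reported command is what you would paste into `adb shell` (or reproduce from a Drozer session) to confirm the finding before writing a Java/Kotlin proof of concept.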

Day 3: Dynamic analysis, repacking and instrumentation

  • application log analysis
  • file system content analysis
  • debuggable applications and applications that allow backup
  • working with the debugger
  • network traffic analysis: tcpdump, Burp Proxy
  • trusted certificates and certificate pinning
  • repacking: modifying application code or the manifest, zipalign, jarsigner
  • instrumentation: Frida and Objection

Day 4: WebView, cross-platform applications, native libraries

  • WebView: HTML and JavaScript in Android applications
  • interactions between WebView and Java: filesystem access and JavascriptInterface
  • WebView vulnerabilities: gaining access via a WebView escape, XSS or WebView debugging
  • WebView vulnerabilities: escalation via JavascriptInterface
  • cross-platform applications: theory
  • reverse engineering C# (Xamarin) applications using dotPeek and ILSpy
  • reverse engineering JavaScript (React Native) applications with react-native-decompiler
  • other cross-platform frameworks: Flutter (Dart), Ionic/Angular (JavaScript) and others
  • native libraries: C, C++ and machine code in Android applications
  • JNI: System.loadLibrary() and methods with the native keyword
  • reverse engineering native libraries using Ghidra

Day 5: Web API security

  • Web API in Android applications
  • protocols for web API: SOAP, REST, JSON-RPC, GraphQL and others
  • OWASP API Top 10
  • intercepting API communication using Burp Proxy
  • Burp Repeater: modifying API requests
  • authentication vulnerabilities: credential stuffing, login SQL injection, JWT vulnerabilities
  • vulnerabilities related to access control: IDOR, mass assignment, access to administrative and debug functions
  • other vulnerabilities: SSRF, injection, excessive data in error messages, server vulnerabilities
  • discovering additional API functions in definition files: WSDL, Swagger/OpenAPI, GraphQL SDL, etc.
  • automatic generation of API requests: SoapUI, Postman

Sites Published:

Polska - Mobile application security (Android, cross-platform, API)