Xtreme Android Exploitation Lab

Trainer Name: Anant Shrivastava & Anto Joseph
Title: Xtreme Android Exploitation Lab
Duration: 2 Days
Dates: 1st - 2nd March

Objective

Xtreame Android Exploitation Lab is a 2 days fast paced hands-on session. The class is revamped to provide students with hands-on exposure which they can start applying immediately after the session. This training will teach you

• How to decompile an android application and understand obfuscated code
• Intercept traffic from android application even with protections like HTTPS certificate validation and SSL Pinning
• How to defeat root detection
• Perform manual and automated static analysis
• Perform automated analysis using tools like drozer and Mobile Security Framework and more
• Perform application hooking and dynamic instrumentation using Xposed Framework including writing own custom xposed module.
• Analyze HTML5 Applications
• Fuzzing Android for memory corruption vulnerabilities
• Perform Remote Code Executions
• Write your own tools / scripts to automate analysis

And much more. The entire lab is designed in a scenario based situation where we will perform the same attacks that an attacker can do to gain access. Multiple applications have been developed to mimic real life vulnerabilities and multiple real world applications will be analyzed and exploited.

Each attendee will be provided with complete testing environment preconfigured for application assessment. The environment will consist of Android Tamer distribution customized for NullCon Training and customized Android Emulator images pre-configured with security tools. Attendees will learn and understand how to make best use of Android Tamer for android application penetration testing, directly from its creator.

All attendees will also be provided access to a continuous learning portal which will allow them to continue learning newer security developments even after finishing the training session. The portal also provides options to collaborate amongst the present and current students and also to interact with the trainer.

At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them in a real world application.

Course Outline Day wise

Day 1

• Understand android application code.
• How to Decompile android application.
1. How to handling obfuscated code
2. How Dalvik Works
• Traffic interception of android applications
1. How to handle SSL protections (cert validation, SSL Pinning)
2. How to intercept non HTTP Traffic
• Defeating Root detection.
• HTML5 Application analysis
• Static analysis of application

Day 2

• Manual and Automated dynamic analysis
• Application hooking and dynamic instrumentation with writing your own module
• Fuzzing Android (core and applications)
• CTF challenge to be solved based on learnings during class. (expected to write a code or use proper tools)

Preview

We will post a video soon.

What to bring?

• Windows 7/8 , Ubuntu 12.x +  (64 bit Operating System), MacOSX (Maverick or later)
• Intel / AMD Hardware Virtualization enabled Operating System
• Administrative access on your laptop with external USB allowed
• Atleast 20+ GB free hard disk space
• Atleast 4 GB RAM (more the better)
• Genymotion installed (Downloadable from http://genymotion.com)
• VirtualBox Installed (Downloadable from http://www.virtualbox.org)

Prerequisites

• Basic familiarity of Linux usage
• Python scripting knowledge is a plus, but not essential

Who Should Attend?

• Security Professionals
• Web Application Pentesters
• Application Developers
• People interested to start doing Android security

What to expect?

• Intense, fast paced learning using a combination of scenarios, case studies, hacker tools
• Reversing and auditing of Android applications
• Finding vulnerabilities and exploiting them
• Hands-on with different Android components from security perspective
• A custom CTF to end the two days of training

What not to expect?

To be an Android Hacking Expert/Ninja in a matter of 2 days. Even though this training would take you to a considerably high level in Android Security/Exploitation, and impart you with all the necessary skills needed, you need to work on your own and use the skills learnt in the training class to continue your Android Security explorations.

About the Trainer

Anant Shrivastava (@anantshri)

Anant Shrivastava is an information security professional with 7+ yrs of corporate experience with expertise in Mobile, application and Linux Security. He has trained ~300 delegates at various conferences (BlackHat USA - 15, BlackHat Europe - 15, RuxCon 2015, c0c0n 2015, Nullcon - 2015, g0s - 2013, c0c0n - 2013, NullCon - 2012). He holds various industry recognized certifications such as SANS GWAPT (GIAC Certified Web Application Testing and RHCE (RedHat certified Engineer). He is co-author for OWASP Testing guide version-4. He is credited with multiple responsible public disclosures (refer www.osvdb.org/creditees/10234-anant-shrivastava). He also maintains an Android Security distribution called Android Tamer (www.androidtamer.com) and also runs a responsible disclosure program for open source software under the name CodeVigilant (www.codevigilant.com). He can be contact at [email protected]

Anto Joseph (@antojosep007)

Anto Joseph is a Security Engineer for Citrix with 4 + years of expertise in Mobile , Systems and Web . He is a strong supporter of Free & Open Information Security Education. His area of interest includes Web,Mobile and Systems. He is currently researching on Android and IOT Security .He has talked and conducted Trainings  in various security conferences like c0c0n 2015 , XorConf 2015 , GroundZero 2015  etc and has good expertise in Practical Security. His code / works could be seen @ https://github.com/antojoseph .