Nullcon Goa Sep 2022
Trainer Name: Ankur Bhargava
Title: Securing Android Applications
Duration: 3 Days
Dates: Sept. 6, 2022 to Sept. 8, 2022
TRAINING OBJECTIVES
This course starts with the basics of Android and then moves into attacking Android applications, focusing on vulnerabilities and how to secure against them. Another part of the course focuses on the application development process and attempts to establish flows where security is not an afterthought but a built-in part of the process. To be clear, this is not another "let's fill CI/CD with tools" training. We will focus on understanding the threat landscape an application is exposed to, threat-model different application scenarios, and then work through the tools, techniques, and procedures that teams need to follow to achieve a solid security posture for the application.
Major areas covered are:
- Basics of Android
- Android-specific vulnerabilities and how to secure against them
- Identifying weaknesses
- Adding security to the CI/CD pipeline for the application
- Security beyond just tools
Training level: Basic; Intermediate
TRAINING OUTLINE:
Attacking Android applications
- Introduction to Android
- Android System Architecture
- Android Security Model
- File system Overview
- Understanding Application components and security in detail
- Setting up the environment
- Developing a basic Hello World application
- Android Application Structure
- Application Signing basics
- Intro to PenTesting and Tools
- Static and Dynamic Analysis
- Reverse Engineering and Various Obfuscation Techniques
- Rooting basics, Root detection, and Bypass
- OWASP Top 10 and application security issues:
  - Weak authorizations
  - Issues related to activities, intents, and broadcast receivers
  - Exploiting backup-enabled and debuggable apps
  - Exploiting JavaScript interfaces
  - SSL pinning, bypass, and hooking (internal working of pinning implementations)
  - React Native application security
  - Issues related to deeplinks
- Hands-on with a vulnerable Android app
- Security assessments using Frida and Objection (in depth on how to write Frida scripts for custom use cases)
- Security automation tools
- Challenges
  - Traversing reverse-engineered code to find more complicated vulnerabilities
Securing Android Applications
- Understanding the development process and how to do Secure SDLC
- OWASP MASVS and its usage, along with additional observations
- Establishing a defense methodology and strategy
- Identifying various issues in code via static code analysis (Semgrep and other tools)
- Introduction to CI/CD pipelines for Android applications
- Identifying various tools to be placed in the CI/CD pipeline:
  - SAST
  - DAST
  - Third-party library tracking
- Best practices while coding Android applications
CTF: Multiple challenges will be made available to students during the whole course.
WHAT TO BRING?
Laptop with:
- 80+ GB free hard disk space
- 8+ GB RAM
- VirtualBox / VMware installed on the machine
- Administrative access to the system and BIOS
- External USB access allowed
Setup instructions will be sent as part of the pre-course communication. On-site help can be provided with VM setup, but it absolutely requires administrative access to the laptop OS as well as the BIOS.
TRAINING PREREQUISITES:
The course assumes basic familiarity with the command line and Linux. A user-level understanding of Android phones is good to have.
WHO SHOULD ATTEND?
- Android Developers
- Android application architects
- Product security engineers
WHAT ATTENDEES WILL GET?
- A very detailed step-by-step instruction manual for all challenges covered during the class
- A slide deck containing the slides covered during the class
- A set of virtual machines with all required tools pre-configured
WHAT TO EXPECT?
- How to attack Android applications, including vulnerabilities from the OWASP lists and beyond
- Securing Android applications: what not to do
- How to set a security baseline for an Android application
- How to establish defenses for an Android application
WHAT NOT TO EXPECT?
Going from zero to hero in 3 days of training. This training provides the path and the guidance needed to walk it; students will have to walk it on their own. The trainer will guide, but the effort must come from the students.
About Trainer
Ankur Bhargava leads the Product Security team at PhonePe. With many years of experience in this field, mobile and REST API security have become his forte. He is also well versed in other flavors of security such as application, network, and API testing. He has spoken at many conferences in India, viz. c0c0n, Ground Zero, and Nullcon, on topics like 'PDF Exploitation', 'Mobile Automation Framework', and 'Android Security'. He has also provided training on Android security at Nullcon and c0c0n in 2012, 2013, 2020, and 2021. He presented an Android security automation tool called 'Mafia' at Black Hat EU 2017; the tool was also presented at Black Hat USA 2018.