Trainer Names: Rewanth Cool and Hrushikesh Kakade
Title: Understanding and Exploiting Android Applications
Duration: 4 Days
Dates: 13th - 16th August 2020
Time: 10.00 AM to 2.00 PM IST
Type: Online Training on Zoom platform
Overview
With over 2.5 billion devices and millions of apps, Android is ruling the market. Developers therefore carry an additional responsibility to protect the information and integrity of their users. Considering these high numbers, preventive measures should be taken to secure the Android applications used by people across the globe.
This course focuses on giving developers, penetration testers, security consultants, and enthusiasts the hands-on experience needed to secure or test Android applications. The course is packed with theory, followed by hands-on labs and multiple CTFs. You will perform advanced static and dynamic analysis, dynamic instrumentation, low-level APK hacking, work with multiple debuggers, do secure code review, harden Android applications, and cover many other interesting topics. By the end of this training, you will be able to perform a security assessment of any Android application for potential vulnerabilities.
Course Outline
Day 1
- Introduction
  - Setting the context
- Linux Internals
  - Boot Process
  - Filesystems
  - Processes
- Android Internals
  - Android Architecture
  - Security Architecture
- Application Internals
  - Application Structure
  - Application Components
- Environment Setup
- Android Debugging
  - Android Debug Bridge
  - LAB: ADB Challenges
Day 2
- Static Analysis
  - Application reversing
  - Smali 101
  - Analyzing Smali code
  - LAB: Smali Challenges
- Dynamic Analysis
  - SSL Pinning
  - LAB: SSL Pinning Challenges
  - Introduction to JDB (JDWP)
  - LAB: JDB Challenges
  - Introduction to Frida
  - LAB: Frida Challenges
Day 3
- Automated Analysis
  - Introduction to automated analysis
  - Drozer
  - LAB: Drozer Challenges
- Mobile OWASP Top 10
  - OWASP Mobile vulnerabilities
  - LAB: Exploiting OWASP Mobile vulnerabilities
- Secure Mobile Coding
  - Integrity Check
  - Installer Verification
  - Emulator Check
  - Debuggable Check
  - Certificate Pinning
  - Root Detection
  - LAB: Perform code review of a vulnerable application
Day 4
- Secure Mobile Coding (Cont…)
  - Improper Platform Usage
  - Permissions
  - Logging
  - Hardcoded Values
  - Insecure Data Storage
  - Input Validation
  - LAB: Perform code review of a vulnerable application
- CTF
  - CTF 1 - Reversing and Method Hooking
  - CTF 2 - Advanced Frida Lab
  - CTF 3 - Hacking Android Game
  - CTF 4 - Advanced Smali Challenges
By the end of this course, you will
- Have a deep understanding of Android internals
- Know multiple ways to perform static analysis
- Be able to analyze Android applications at runtime
- Have solid working experience with dynamic instrumentation
- Have hands-on knowledge gained through labs, trial and error, and real-world simulations
- Understand both the offensive and the defensive side of Android application security
- Be able to assess the security risk of any Android application
- Be able to perform secure code review of Android applications
Capture the flag
We will end the training with a hands-on CTF for all attendees. The challenges are designed to test the key concepts and skills covered during the training. By repeating them in a challenge format, you will be able to self-evaluate how much of the knowledge you have retained and which concepts you need to practice more.
- Hands-on challenges for the attendees
- Walkthrough of all the challenges
Who Should Attend?
- Members of the security/software development team
- Penetration testers
- Security researchers
- Android developers
- Anyone interested in learning Android application security
What to Bring
- Laptop with 60+ GB of free hard disk space and 8+ GB RAM
- Windows 8.1+ or Ubuntu 16.x+ (64-bit operating system)
- Intel/AMD hardware virtualization enabled in the BIOS/UEFI
- Administrative access on your laptop
- An open mind for intense, fast-paced learning
- A willingness to think outside the box
Prerequisites
- Ability to read Java and JavaScript
- Basic knowledge of the Linux OS
- Basic knowledge of Android development (optional)
Takeaways
- Copy of all course materials, including the instructor slide deck, tools, cheat sheets and walkthrough guides
- VM with all the challenges and tools installed, which can be reused at any time for mobile application security assessments
About Trainers
Rewanth Cool
Rewanth Cool is a security ninja, open-source contributor, and Security Consultant at Payatu. He is passionate about DevSecOps, application security, and container security. He has added 17,000+ lines of code to Nmap (famous as the Swiss Army knife of network utilities).
Rewanth speaks at multiple international security conferences around the world including Hack In The Box (Dubai and Amsterdam: 2018 & 2019), CRESTCon UK (2019), PHDays (2019), Bsides (2019), null and multiple others.
He was recognized as one of the MVP researchers on Bugcrowd (2018) and has identified vulnerabilities in several organizations. He also published an IEEE research paper on an offensive attack in machine learning and security, and he was a participant in the renowned Google Summer of Code program.
LinkedIn: https://www.linkedin.com/in/rewanthcool/
Twitter: @Rewanth_Cool
Hrushikesh Kakade
Hrushikesh Kakade is a Payatu bandit who specializes in advanced assessments of mobile security (Android and iOS), network infrastructure security, DevSecOps, container security, web security, and cloud security. Hrushikesh is a member of the Synack Red Team and holds the renowned OSCP (Offensive Security Certified Professional) certification.
He is an active member of local cybersecurity chapters and has delivered multiple talks and workshops. He is an open-source contributor with a keen understanding of Linux internals, and he has multiple CVEs to his name for finding vulnerabilities in different applications.
LinkedIn: https://www.linkedin.com/in/hrushikeshkakade/
Twitter: @hkh4cks