Deep Dive Android Workshop

A presentation at c0c0n 2015 in in Kochi, Kerala, India by Anant Shrivastava

OBJECTIVE Android is the leading Operating system. It is used not just in Smartphones / Tablet but also is used as base for interactive Television, gaming console and lot more systems. The obvious resultant is that there is a large focus towards developing applications for this platform and to maintain its security. This workshop aims to equip information security professionals with knowledge about Android Operating system and how to ensure that the application are followin best security practices. Students of this course will learn how to operate and make the best of the Android Tamer Virtual machine environment specifically designed for android penetration testing, from its creator. After taking this course you will be in a position to comfortably assess Android mobile application. You will be able to identify potential security issues as well as suggest possible remediations for issues such as Insecure Data Storage, Insufficient Transport Layer Protection, Unintended Data Leakage, Poor Authorization and Authentication, Broken Cryptography, Client Side Injection, Security Decisions Via Untrusted Inputs, Improper Session Handling, Lack of Binary Protections and more. COURSE CONTENT • Understand Android o Operating System Overview o File system Overview o Security Model • Understand Android Application o Application Components o Application Structure o The SDK and Android Tools o Developing a basic application • Penentration Testing Setup and methodology o Introduction to Android Tamer o Setting up the environment o Penetation testing approach o Reverse Engineering basics o Rooting basics o Manual Pentesting o Automated Pentesting via Drozer o Dynamic Instrumentation via Xposed Framework • Being secure o Writing Secure Code o Writing Python Scripts for automating android pentests o Checklist for android applications PRE-REQUISITE • Basic familiarity of Linux usage • Python scripting knowledge is a plus, but not extremely required PARTICIPANTS REQUIREMENTS/WHAT TO BRING • Windows 7/8 , Ubuntu 12.x +, Macbook (2011 or above model) • Administrative access on your laptop with external USB allowed • Laptop Processor should support Virtualization • Atleast 20+ GB free hard disk space • 4 GB or more RAM • Genymotion installed (Downloadable from http://goo.gl/uGvWFM) DURATION 1 day WHAT TO EXPECT • Getting started with Android Security • Reversing and Auditing of Android applications • Finding vulnerabilities and exploiting them • Hands-on with different Android components from security perspective WHAT NOT TO EXPECT To be an Android Hacking Expert/Ninja in a matter of 1 Day. Even though this training would take you to a considerably high level in Android Security/Exploitation, and impart you with all the necessary skills needed, you need to work on your own and use the skills learnt in the training class to continue your Android Security explorations. WHO SHOULD ATTEND • Security Professionals • Web Application Pentesters • Application Developers • People interested to start into Android security

Buzz and feedback

Here’s what was said about this presentation on Twitter.