Mobile Security Testing Hands-On - Android Edition

beginner
hands-on

Android App Security Workshop

This course teaches you how to analyse an Android app for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. The instructors will share their experiences and many small tips and tricks to attack mobile apps.

At the beginning of the course we start by giving an overview of the Android Platform and it’s Security Architecture. It is no longer mandatory for students to bring their own Android device, instead a cloud-based virtualized Android device will be provided for each student.

TARGET AUDIENCE

According to the feedback we have collected from our previous trainings, students who have mobile application development and application penetration testing experience enjoyed and benefited the most from the course.

DELIVERABLES

  • Training Slides
  • Access to Private Github repo that contains
  • Tools and Scripts used during the training
  • Several Android Apps that are used for the exercises

REQUIREMENTS

  • Laptop with minimum 30 GB Hard Disk Space & 8 GB RAM with administrative privileges
  • Updated Virtual-box installed
  • 2 Functional USB Ports

Topics will be covered

  • Frida crash course to kick-start with dynamic instrumentation on Android apps
  • Function Hooking in a Hybrid app framework (Flutter) to reverse engineer custom Keystore implementation and bypass SSL pinning
  • Identifying and exploiting a real word deeplink vulnerability
  • Application repackaging to defeat Network Security Configuration
  • Usage of dynamic Instrumentation with Frida to break end-to-end encryption (Frida/Brida)
  • bypass Frida detection mechanisms
  • bypass multiple root detection mechanisms
At the end of the course, small groups will be created and time will be given to investigate an app with the newly learned skills. Every team is then encouraged to make a short presentation about the analysed vulnerability.

What you will get from this session :

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in iOS apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and the OWASP Mobile AppSec Verification Standard (MASVS) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for Android.

About Trainer :

Sven made several stops at big consultant companies and small boutique firms in Germany and Singapore and became specialised in Application Security and has supported and guided software development projects for Mobile and Web Applications during the whole SDLC. Besides his day job Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and OWASP Mobile Application Security Verification Standard and has created the OWASP Mobile Hacking Playground. Sven is giving talks and workshops about Mobile and Web Application Security worldwide to different audiences, ranging from developers to students and penetration testers.