Attack and Defend Android Applications | Nullcon Berlin 2022

Trainer Name: Anant Shrivastava

Title: Attack and Defend Android Applications

Dates: April 5, 2022 To April 7, 2022

Time: 9 a.m. To 5:30 p.m. CEST

Venue: NH Hotel, Alexanderplatz, Berlin-Germany

Note: Regarding COVID-19 safety, Nullcon will seek to ensure a safe event, as the health and safety of our exhibitors, delegates, speakers, and staff will always be our number one priority. Nullcon will follow all applicable health regulations required by the local and government authorities.

Training Objective

This course focuses on the Android application ecosystem and takes a holistic, 360-degree view of the environment, covering both the offensive and defensive sides of the application development process.

We start by focusing on attack, providing answers to the challenges routinely encountered by Android pen testers and security engineers, such as how to:

  • Intercept the traffic (http/https/websocket/non-http)
  • Bypass root detection
  • Perform static and dynamic analysis of the application
  • Perform dynamic instrumentation (Frida / Xposed / Magisk)
  • Analyse non-Java/Kotlin applications

Then we shift gears and focus on defending applications; the major areas covered are:

  • Application Threat Modelling
  • Identifying weaknesses
  • Adding Security into CI / CD Pipeline for the application

Both sections end with a capstone CTF to reinforce the learning from that section. The aim is not to take participants from zero to hero, but to provide a methodical approach with which they can perform any Android application assessment. Students receive access to a learning portal, a soft copy of the slides, detailed answer sheets and virtual machine environments.

Training level: Basic to Intermediate

Training Outline

This course takes a focused approach to Android application security. We start by identifying the various ways in which an Android application can be attacked, then cover the scenarios in which Android application pen testers commonly struggle:

  • How to intercept the traffic (http/https/websocket/non-http)
  • How to bypass root detection
  • How to perform static and dynamic analysis of the application
  • How to perform dynamic instrumentation (Frida / Xposed / Magisk)
  • How to analyse HTML5 and non-Java/Kotlin applications

We cap the attack section with a CTF in which students are given a previously unseen application containing various exploitable scenarios and compete to identify as many weaknesses as possible in as short a timeframe as possible.

Then we shift gears and focus on defending applications; the major areas covered are:

  • Application Threat Modelling
  • Application Source Code Review
  • Identifying weaknesses
  • Adding security into the CI/CD pipeline for the application

This section has a capstone challenge built around an intentionally vulnerable application that is integrated into a CI/CD pipeline. Attendees add security tooling to the pipeline and fix the flaws it discovers.

Course Outline

Android Basics

  • OS architecture
  • Android permission model and recent changes in Android 10-12
  • Inter-process communication (Intents, Binder, deep linking)
  • Application structure
  • JNI bridging

Exercise: Set up a build environment and build a basic application with a registered deep link (base code provided)

  • Attacking Android Applications
    • Attacking Android applications
      • Attack surface mapping for the application
      • Introduction to common references: ATT&CK and OWASP MSTG
    • Answers to Tricky Questions
      • How to intercept the traffic (http/https/websocket/non-http)
      • How to bypass root detection
      • How to perform deobfuscation, and where it might fail
      • How to perform dynamic instrumentation via Frida / Xposed + Magisk
      • How to perform static or dynamic analysis of applications
      • How to test non-Kotlin/Java applications (HTML5, PWA, .NET and more)

      Exercise: Each question is accompanied by at least one challenge, with more for tricky scenarios such as interception and rooting.
    • Attack CTF: Exploit a fresh application and identify its various flaws
  • Defending Android Applications
    • Android ecosystem threat modelling from a defence perspective (a slightly deeper version of attack surface mapping)
    • Introduction to OWASP MASVS and its usage, along with additional observations
    • Establishing a defence methodology and strategy
    • Identifying issues in code via static code analysis (Semgrep and other tools)
    • Identifying third-party dependencies in Android applications
    • Introduction to CI/CD pipelines for Android applications
    • Identifying the tools to be placed in the CI/CD pipeline (SAST, DAST, third-party library tracking)

    • Exercise: Each tool discussed has an exercise around it to identify various flaws in applications. The example applications are drawn from real-life issues made public in the past 2 years.
    • Defend CTF: An application CI/CD pipeline is provided in which students have to add various tools and fix the identified issues.

What to Bring

Laptop with:

  • 80+ GB free hard disk space
  • 8+ GB RAM
  • VirtualBox or VMware installed on the machine
  • Administrative access to the system and BIOS
  • External USB access allowed

Detailed course setup instructions will be sent a few weeks prior to the class.

Training Prerequisites

The course assumes basic familiarity with the command line and Linux.

Who Should Attend

Resident Android security engineers, Android DevOps engineers, mobile application developers, pentesters, or anyone interested in Android security.

What to expect

  • How to attack real-world Android applications
  • How to integrate security into the CI/CD pipeline for Android applications
  • How to establish defences for an Android application

What attendees will get

  • A very detailed step-by-step instruction manual for all challenges covered during the class
  • A slide deck containing the slides covered during the class
  • A set of virtual machines with all required tools pre-configured

What not to expect

If you are looking for a lecture-style session, this might not be the class for you. The class focuses squarely on Android application pen testers and developers, not on kernel or device-level researchers.

About the Trainer

Anant Shrivastava is an information security professional with ~14 years of corporate experience and expertise in network, mobile, application and Linux security. During his career he has been a speaker and trainer at various international conferences (Black Hat USA, Asia and EU, Nullcon, c0c0n and many more). Anant also leads the open source projects Android Tamer (www.androidtamer.com) and CodeVigilant (www.codevigilant.com), and maintains the archive portal hackingarchivesofindia.com. In his free time he takes part in open communities aimed at spreading information security knowledge, such as null (null.community). His work can be found at anantshri.info.