Training Objectives

This course starts by talking about the basics of android and then goes into attacking android applications focusing on vulnerabilities and how to secure against them. Another part of the course focuses on the application development process and attempts to establish various flows where security is not an afterthought but rather a built-in part of the process. To be clear this is not another “let’s fill CI/CD with tools” training. We will be focusing on understanding what threat landscape is exposed to an application, threat-model different application scenarios and then we will work on various tools, techniques, and procedures that people need to follow to achieve a solid security posture on the application.

Major areas covered are

Basics of android.
Android-specific vulnerabilities and how to secure against them.
Identifying weaknesses
Adding Security to CI / CD Pipeline for the application
Security beyond just tools

Training level: Basic; Intermediate

Training Outline

Attacking Android applications

Introduction to Android
Android System Architecture
Android Security Model
File system Overview
Understanding Application components and security in detail
Setting up the environment
Developing a basic Hello World application
Android Application Structure
Application Signing basics
Intro to PenTesting and Tools
Static and Dynamic Analysis
Reverse Engineering and Various Obfuscation Techniques
Rooting basics, Root detection, and Bypass
OWASP Top 10 and Application Security Issues -
- Weak Authorizations
- Issues related to Activities, intents, broadcast receivers
- Exploiting Backup and debuggable apps
- Exploiting Javascript Interfaces
- SSL Pinning, Bypass, and Hooking(Internal working of pinning implementations)
- React Native Application Security
- Issues related to Deeplinks
Hands-on on Vulnerable Android App
Security Assessments using Frida, objection(In-Depth on how to write Frida scripts for custom use-cases)
Security Automation tools.
Challenges
Traversing reverse-engineered code to find more complicated vulnerabilities.

Securing Android Application

Understanding the development process and how to do Secure SDLC
OWASP MASVS and its usage along with additional observations
Establish defense methodology and strategy
Identify various issues in code via static code analysis (semgrep and other tools)
Introduction to CI / CD Pipeline for Android applications
Identifying various tools to be placed in the CI / CD pipeline
- SAST
- DAST
- Third-party library tracking

CTF: Multiple challenges will be made available to students during the whole course Best practices while coding android applications.

What to Bring?

Laptop with:

80+ GB free hard disk space
8+ GB RAM
VirtualBox / VMWare installed on the machine
Administrative access to the system and BIOS
External USB access allowed

Setup instructions will be sent over as part of pre-course communication. On-site help can be provided with regards to VM Setup but would absolutely need administrative access on laptop OS as well as BIOS.

Training Prerequisites

The course assumes basic familiarity with command-line and Linux. A user-level understanding of Android phones is good to have knowledge.

Who Should Attend?

Android Developers
Android application architects
Product security engineers

What Attendees will get?

Very Detailed step-by-step instruction manual for all challenges covered during the class.
A Slide deck containing the slides covered during the class
A set of Virtual Machine with all required tools pre-configured

What to Expect?

How to attack android applications, including vulnerabilities from owasp and beyond.
Securing android application, what not to do.
How to set baseline security in android application
How to establish defenses for the android application

What not to Expect?

Becoming a zero to hero in 3 days of training. This training provides you with the path and guidance needed to walk the path. Students will have to walk the path on their own. The trainer will guide but the efforts will be needed from the students.

TRAINING