Trainer Name: Anant Shrivastava

Title: Securing Android Applications

Duration: 3 Days

Dates: Sept. 6, 2022 To Sept. 8, 2022

Training Objectives

This course focuses on the application development process and attempts to establish a flow where security is not an afterthought but a built-in part of the process. To be clear, this is not another “let’s fill CI/CD with tools” training. We will focus on understanding the threat landscape an application is exposed to, threat model different application scenarios, and then work through the various tools, techniques, and procedures that people need to follow to achieve a solid security posture for the application.

Major areas covered are:

  • Application Threat Modeling
  • Application Source code Review
  • Identifying weaknesses
  • Adding Security to CI / CD Pipeline for the application
  • Security beyond just tools

Training level: Basic; Intermediate

Training Outline

Securing Android Application

  • Android ecosystem threat modeling
  • Understanding the development process and how to do Secure SDLC
  • OWASP MASVS and its usage along with additional observations
  • Establish defense methodology and strategy
  • Identify various issues in code via static code analysis (semgrep and other tools)
  • Introduction to CI / CD Pipeline for Android applications
  • Identifying various tools to be placed in the CI / CD pipeline
    • SAST
    • DAST
    • Third-party library tracking

Exercise: Each tool discussed will have an accompanying exercise in which students use it to identify various flaws in sample applications.

CTF: Multiple challenges will be made available to students throughout the course.

  • An application specification will be provided, and students will have to threat model the application.
  • CI / CD pipeline will be provided where students must add various tools and fix identified issues.

Application examples would be near replicas of real-life examples of issues made public in the past 2 years.

What to Bring?

Laptop with:

  • 80+ GB free hard disk space
  • 8+ GB RAM
  • VirtualBox / VMWare installed on the machine
  • Administrative access to the system and BIOS
  • External USB access allowed

Setup instructions will be sent as part of the pre-course communication. On-site help can be provided with VM setup, but this requires administrative access to the laptop OS as well as the BIOS.

Training Prerequisites

The course assumes basic familiarity with the command line and Linux. A user-level understanding of Android phones is good to have.

Who Should Attend?

  • Android Developers
  • Android application architects
  • Product security engineers

What Will Attendees Get?

  • A very detailed step-by-step instruction manual for all challenges covered during the class
  • A slide deck containing the slides covered during the class
  • A set of virtual machines with all required tools pre-configured
  • A knowledge management vault compatible with Obsidian / Logseq

What to Expect?

  • How to set a security baseline in an Android application
  • How to integrate security into the CI / CD pipeline for Android applications
  • How to establish defenses for the Android application

What Not to Expect?

Going from zero to hero in 3 days of training. This training provides the path and the guidance needed to walk it; students will have to walk the path on their own. The trainer will guide, but the effort will have to come from the students.

About the Trainer

Anant Shrivastava is the founder of Cyfinoid Research, which specializes in cyber security research. Previously he was a Technical Director at NotSoSecure Global Services, a boutique cyber security consultancy firm. He has been active in the Android security field since the early days of Android development (2011). He has been a trainer and a speaker at various international conferences (BlackHat-USA/ASIA/EU, Nullcon, c0c0n and many more). Anant also leads the open source projects Tamer and CodeVigilant. He also maintains the archive portal named Hacking Archives of India. In his free time, he likes to take part in open communities that spread information security knowledge, such as the null community, Garage4Hackers, hasgeek and OWASP. His work can be found at