About The Training

This course is tailored for individuals seeking to elevate their expertise in Android Application Security. It offers an in-depth look at real-world penetration testing, extending beyond the OWASP Top 10 to cover hands-on techniques for bypassing security checks encountered in actual applications. Through practical exercises and real-world scenarios, this training prepares attendees to handle the complex challenges faced while pen-testing modern Android applications.

Basic - Intermediate 

Day 1 begins with the first module which contains an Introduction to Android Internals, where participants will explore Android’s architecture, file system, security models, permissions, and key tools like ADB. The module also covers the essentials of APK compilation (how APKs are compiled, this can aid in understanding decompilation more easily) and Android application internals. Following this, the second module will help set up the Pentest Environment, set up an emulator/physical device, and walk participants through configuring tools such as APKTool, JadX, and BurpSuite, which are essential for Static and Dynamic analysis of Android applications.

Day 2 begins with Reverse Engineering, the module helps participants gain insights on Reversing Android applications. Starting with the fundamentals of Reverse Engineering, opening APKs with JadX-GUI, and a basic understanding of Smali syntax. Participants will also learn how to bypass key security measures like Root Detection, and Emulator Detection, by Smali modification and understand various countermeasures such as Code Obfuscation and Google Play integrity to defend against this. Post this, The Runtime Analysis module will introduce Frida, a powerful dynamic instrumentation toolkit. It will cover how to set up Frida, how Frida works internally, and demonstrate techniques for bypassing Root detection and SSL pinning using Frida scripts. Participants will also be introduced to Runtime Application Self-Protection (RASP) libraries, helping them gain a solid understanding of RASP detection in mobile applications from a defensive standpoint.

Day 3 starts with the introduction of OWASP Mobile Security Testing Guide (MASTG) and Mobile Application Security Verification Standard (MASVS), this will help participants establish a learning path that they can later use to develop a comprehensive test plan in preparation for a penetration test. The training concludes with a Hands-On Challenge, where participants get to choose an application of their choice and apply their knowledge in practical scenarios to bypass client-side protections such as Root Detection, SSL pinning, etc.

• Laptop with at least 16 GB RAM (Windows Preferred)
• Administrator access in Windows (for Installation of tools)
• Virtualization Enabled in BIOS
• 50 GB of free disk space
• Burpsuite installed (for dynamic analysis)

• Basic Knowledge of Java
• Basic understanding of the Android Operating System
• Java and JDK installed on the system

• Penetration Testers
• People who want to get started with Mobile Application Security
• Anyone curious about hacking and securing Android applications

• Understanding the basics of Android Penetration Testing
• Hands-on practice on Reverse Engineering Applications
• Hands-on practice on Bypass Client-Side checks such as Root Detection, SSL Pinning, etc.
• Hands-on practice on Runtime Manipulation
• Post Training Documentation 

• Course slides and notes
• APK files for Hands-On Practice
• Post-training reference material

• Being an expert in three days
• Android Application Development