About The Training

This course is tailored for individuals seeking to elevate their expertise in Android Application Security. It offers an in-depth look at real-world penetration testing, extending beyond the OWASP Top 10 to cover hands-on techniques for bypassing security checks encountered in actual applications. Through practical exercises and real-world scenarios, this training prepares attendees to handle the complex challenges faced while pen-testing modern Android applications.

Basic; Intermediate

Day 1 begins with the first module, which contains an Introduction to Android Internals, where participants will explore Android’s architecture, file system, security models, permissions, and key tools like ADB. The module also covers the essentials of APK compilation (how APKs are compiled, which can aid in understanding decompilation more easily) and Android application internals. Following this, the second module will help set up the Pentest Environment, set up an emulator/physical device, and walk participants through configuring tools such as APKTool, JadX, and BurpSuite, which are essential for Static and Dynamic analysis of Android applications.

Day 2 begins with Reverse Engineering, the module helps participants gain insights into Reversing Android applications. Starting with the fundamentals of Reverse Engineering, opening APKs with JadX-GUI, and a basic understanding of Smali syntax. Participants will also learn how to bypass key security measures like Root Detection and Emulator Detection, by Smali modification, and understand various countermeasures such as Code Obfuscation and Google Play integrity to defend against this. The subsequent module introduces Frida, a powerful dynamic instrumentation toolkit, where attendees will set up Frida, understand its internal workings, and demonstrate methods for bypassing Root detection and SSL pinning using Frida scripts. Additionally, they will be introduced to Runtime Application Self-Protection (RASP) libraries, equipping them with the knowledge to identify RASP detection mechanisms in mobile applications from a defensive standpoint.

Day 3 begins with an introduction to the OWASP Mobile Security Testing Guide (MASTG) and Mobile Application Security Verification Standard (MASVS). These recognized frameworks will provide participants with a solid foundation for developing test plans for a mobile application penetration test. The training concludes with Hands-On Challenges, where participants will apply the knowledge and skills they have acquired throughout the course to bypass client-side protections, such as Root Detection, SSL pinning, and other security measures, in a practical exercise using a pre-selected Android application.

Laptop with at least 16 GB RAM (Windows Preferred)
Administrator access in Windows (for Installation of tools)
Virtualization Enabled in BIOS
50 GB of free disk space
Burpsuite installed (for dynamic analysis)

Basic Knowledge of Java/Kotlin
Familiarity with Android OS
Java and JDK installed on the system

Penetration Testers
Beginners in Mobile Application Security
Anyone curious about hacking and securing Android applications

Understanding the basics of Android Penetration Testing
Hands-on practice on Reverse Engineering Applications
Hands-on practice on Bypass Client-Side checks such as Root Detection, SSL Pinning, etc.
Hands-on practice on Runtime Manipulation
Post Training Documentation

Course Slides and Notes
APK files for Hands-On Practice
Post Training Documentation

Being an Expert in three days
Android Application Development