About The Training
Berlin 2025 | Trainings
< Training Title />
Hacking Android Applications
< Training Schedule />
Start Date: Mar 02, 2026
End Date: Mar 04, 2026
< Training Objectives />
This course is tailored for individuals seeking to elevate their expertise in Android Application Security. It offers an in-depth look at real-world penetration testing, extending beyond the OWASP Top 10 to cover hands-on techniques for bypassing security checks encountered in actual applications. Through practical exercises and real-world scenarios, this training prepares attendees to handle the complex challenges faced while pen-testing modern Android applications.
< Training Level />
Basic; Intermediate
< Training Outlines />
Day 1 begins with the first module, an Introduction to Android Internals, in which participants will explore Android’s architecture, file system, security models, permissions, and key tools like ADB. The module also covers the essentials of APK compilation (knowing how APKs are compiled makes decompilation easier to understand) and Android application internals. The second module then sets up the Pentest Environment: participants set up an emulator or physical device and configure tools such as APKTool, JadX, and Burp Suite, which are essential for Static and Dynamic analysis of Android applications.
Day 2 begins with the Reverse Engineering module, which gives participants insight into reversing Android applications. It starts with the fundamentals of Reverse Engineering, opening APKs with JadX-GUI, and a basic understanding of Smali syntax. Participants will also learn how to bypass key security measures like Root Detection and Emulator Detection through Smali modification, and will understand countermeasures such as Code Obfuscation and Google Play Integrity that defend against these bypasses. The subsequent module introduces Frida, a powerful dynamic instrumentation toolkit, where attendees will set up Frida, understand its internal workings, and demonstrate methods for bypassing Root detection and SSL pinning using Frida scripts. Additionally, they will be introduced to Runtime Application Self-Protection (RASP) libraries, equipping them with the knowledge to identify RASP detection mechanisms in mobile applications from a defensive standpoint.
Day 3 begins with an introduction to the OWASP Mobile Security Testing Guide (MASTG) and Mobile Application Security Verification Standard (MASVS). These recognized frameworks will provide participants with a solid foundation for developing test plans for a mobile application penetration test. The training concludes with Hands-On Challenges, where participants will apply the knowledge and skills they have acquired throughout the course to bypass client-side protections, such as Root Detection, SSL pinning, and other security measures, in a practical exercise using a pre-selected Android application.
< WHAT TO BRING? />
Laptop with at least 16 GB RAM (Windows Preferred)
Administrator access in Windows (for Installation of tools)
Virtualization Enabled in BIOS
50 GB of free disk space
Burp Suite installed (for dynamic analysis)
< Training PREREQUISITE />
Basic Knowledge of Java/Kotlin
Familiarity with Android OS
Java and JDK installed on the system
< WHO SHOULD ATTEND? />
Penetration Testers
Beginners in Mobile Application Security
Anyone curious about hacking and securing Android applications
< WHAT TO EXPECT? />
Understanding the basics of Android Penetration Testing
Hands-on practice on Reverse Engineering Applications
Hands-on practice on Bypassing Client-Side checks such as Root Detection, SSL Pinning, etc.
Hands-on practice on Runtime Manipulation
Post Training Documentation
< WHAT ATTENDEES WILL GET? />
Course Slides and Notes
APK files for Hands-On Practice
Post Training Documentation
< WHAT NOT TO EXPECT? />
Being an Expert in three days
Android Application Development
< About the Trainer />
Ali Jujara is a Senior Security Consultant who leads the Mobile Application Security Team at Payatu. With over five years of experience in Mobile Application Security, he specializes in both Android and iOS application penetration testing. He is also well-versed in Web Application Security and Code Reviews, bringing extensive industry expertise to his role.
He is currently researching RASP (Runtime Application Self-Protection) libraries and helping companies improve their detection signatures, contributing to advancements in application defense mechanisms. Additionally, he is a skilled trainer who has delivered training sessions on Mobile AppSec for various clients overseas and has presented talks at local chapters such as Null Pune and OWASP Pune. In his spare time, he leads the Null chapter in Pune, which is a community for security enthusiasts that hosts talks and offers opportunities for networking under one roof.