• Online Training
  • Training
  • Understanding and Exploiting Android Applications

Understanding and Exploiting Android Applications

Rewanth Cool and Hrushikesh Kakade

register Now
Rewanth Cool and Hrushikesh Kakade.gif

Trainer Names: Rewanth Cool and Hrushikesh Kakade
Title: Understanding and Exploiting Android Applications
Duration: 4 Days
Dates: 13th - 16th August 2020
Time: 10.00 AM to 2.00 PM
Type: Online Training on Zoom platform

Overview

With over 2.5 billion devices and millions of apps, Android is ruling the market. Developers have additional responsibility to protect the information and integrity of their users. Considering these high numbers, preventive measures should be taken to secure Android applications used by people across the globe.

This course aims to focus on providing the necessary hands-on experience to developers, penetration testers, security consultants, and enthusiasts to secure or test Android Applications. Our course is packed with theory, followed by hands-on labs and multiple CTFs. You will be performing advanced static and dynamic analysis, dynamic instrumentation, hacking APKs at a low level, playing with multiple debuggers, secure code review, securing Android applications, and many other interesting topics. By the end of this training, you will be able to perform security assessments of any android application for potential vulnerabilities.

Course Outline

Day 1

  • Introduction
  • Setting the context
  • Linux Internals
    • Boot Process
    • Filesystems
    • Processes
  • Android Internals
    • Android Architecture
    • Security Architecture
  • Application Internals
    • Application Structure
    • Application Components
  • Environment Setup
  • Android Debugging
    • Android Debug Bridge
    • LAB: ADB Challenges

Day 2

  • Static Analysis
    • Application reversing
    • Smali 101
    • Analyzing Smali codes
    • LAB: Smali Challenges
  • Dynamic Analysis
    • SSL Pinning
    • LAB: SSL Pinning Challenges
    • Introduction to JDB (JDWP)
    • LAB: JDB Challenges
    • Introduction to Frida
    • LAB: Frida Challenges

Day 3

  • Automated Analysis
    • Introduction to automated analysis
    • Drozer
    • LAB: Drozer Challenges
  • Mobile OWASP Top 10
    • OWASP Mobile vulnerabilities
    • LAB: Exploiting OWASP Mobile vulnerabilities
  • Secure Mobile Coding
    • Integrity Check
    • Installer Verification
    • Emulator Check
    • Debuggable Check
    • Certificate Pinning
    • Root Detection
    • LAB: Perform code review of a vulnerable application

Day 4

  • Secure Mobile Coding (Cont…)
    • Improper Platform Usage
    • Permissions
    • Logging
    • Hardcoded Values
    • Insecure Data Storage
    • Input Validation
    • LAB: Perform code review of a vulnerable application
  • CTF
    • CTF 1 - Reversing and Method Hooking
    • CTF 2 - Advanced Frida Lab
    • CTF 3 - Hacking Android Game
    • CTF 4 - Advanced Smali Challenges

By the end of this course, you will

  • Have a deep understanding with Android Internals
  • Learn multiple ways to perform static analysis
  • Gain skills to analyze Android applications at runtime
  • Achieve solid working experience with dynamic instrumentation
  • Gain hands-on knowledge through labs, trial and error, and real-world simulations.
  • Understand the offensive and defensive part of application security w.r.t Android
  • Have the ability to assess the security risk of any Android application
  • Learn secure coding review of Android applications

Capture the flag

We will end the training with a hands-on CTF for all the attendees. The challenges are meant to evaluate key concepts and skills that you consumed during the training. By repeating them in a challenge format you will be able to self-evaluate how much of the knowledge has been retained and what are the concepts that you need to practice more.

  • Hands-on challenges for the attendees
  • Walkthrough of all the challenges

Who Should Attend?

  • Members of the security/software development team
  • Penetration testers
  • Security researchers
  • Android developers
  • Anyone interested in learning Android application security

What to Bring

  • Laptop with 60+ GB free hard disk space 8+ GB RAM
  • Windows 8.1+ OR Ubuntu 16.x + (64 bit Operating System)
  • Intel / AMD Hardware Virtualization enabled Operating System
  • Administrative access on your laptop
  • An open mind for intense fast paced learning
  • Attitude to think out of the box

Prerequisites

  • Should be able to read Java and Javascript
  • Basic knowledge of the Linux OS
  • Basic knowledge of the Android development (optional)

Takeaways

  • Copy of all course materials including instructor slide deck, tools, cheat sheets and walkthrough guides
  • VM with all the challenges and tools installed which could be used anytime for Mobile Application security assessments

About Trainers

Rewanth Cool

Rewanth Cool is a security ninja, open-source contributor, and Security Consultant at Payatu. He is passionate about DevSecOps, Application, and Container Security. He added 17,000+ lines of code to Nmap (famous as Swiss Army knife of network utilities).

Rewanth speaks at multiple international security conferences around the world including Hack In The Box (Dubai and Amsterdam: 2018 & 2019), CRESTCon UK (2019), PHDays (2019), Bsides (2019), null and multiple others.

He was recognized as one of the MVP researchers on Bugcrowd (2018) and identified vulnerabilities in several organizations. He also published an IEEE research paper on an offensive attack in Machine Learning and Security. He was also a part of the renowned Google Summer of Code program.

LinkedIn: https://www.linkedin.com/in/rewanthcool/

Twitter: @Rewanth_Cool

Hrushikesh Kakade

Hrushikesh Kakade is a Payatu bandit who specializes in advanced assessments of Mobile Security (Android and iOS), Network Infrastructure Security, DevSecOps, Container security, Web security, and Cloud security. Hrushikesh is a member of the Synack Red Team and is a holder of renowned OSCP (Offensive Security Certified Professional) certification. 

He is an active member of local Cybersecurity chapters and has delivered multiple talks and workshops. He is an Open Source Contributor and has a keen understanding of Linux Internals. He has received multiple CVEs to his name for finding vulnerabilities in different applications. 

LinkedIn: https://www.linkedin.com/in/hrushikeshkakade/

Twitter: @hkh4cks

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved