DAY 1
Introduction to Android security
Mobile application threat model - what makes mobile application security different
Android Linux OS security
The Dalvik VM
The Android security mechanisms
Application file system isolation & insecure file access
The permission model
Least privilege model
Database isolation
The Android emulator vs. a physical device
The debug bridge
Rooting
AppUse VM
Lab - Android Emulator, ADB and Database Isolation
Lab - AppUse Dashboard, Mercury, and rooting
Lab - Build your own malware app and steal other apps' files
Reverse engineering & patching the application binaries
The APK file package
APK extraction - Investigating layout, manifest, permissions and binaries
Android components – activity, broadcast receiver, service, content provider
Extracting the content of the classes.dex file
Using smali/baksmali Dalvik assembler/disassembler
Using jasmin/jasper JVM assembler/disassembler
Decompilation
Using dex2jar
Reverse engineer the app and change its behavior
Disassemble the dex classes using smali/baksmali
Modify the code
Recompile
Resign the APK
Identifying interesting API calls
Identifying insecure code and finding hard-coded secrets
Using Android Lint
Lab - Application patching
Lab - Recovering protected secrets
Lab - Knocking off restrictions
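The "identifying interesting API calls" and "hard-coded secrets" topics above are usually taught by grepping baksmali output by hand. The following is an added example, not part of the course material, of a small static scanner that does the same over a class disassembled with baksmali: it flags security-relevant API references (hostname verification disabled, custom trust managers, cipher selection, logging, world-readable file modes) and string literals that look like credentials. The smali sample, the API list and the secret heuristics are constructed and illustrative; the smali syntax and the Context mode constants (MODE_WORLD_READABLE = 1, MODE_WORLD_WRITEABLE = 2) are real.

```python
import re
from typing import List, Tuple

# Constructed smali sample (not taken from any real app): an Activity subclass
# that embeds a key, disables hostname verification and writes a world-readable file.
SAMPLE_SMALI = """\
.class public Lcom/example/app/NetClient;
.super Landroid/app/Activity;

.field private static final API_KEY:Ljava/lang/String; = "AKIAIOSFODNN7EXAMPLE"

.method private connect()V
    .locals 3
    const-string v0, "s3cr3tP4ssw0rd!"
    invoke-static {}, Lorg/apache/http/conn/ssl/SSLSocketFactory;->getSocketFactory()Lorg/apache/http/conn/ssl/SSLSocketFactory;
    move-result-object v1
    sget-object v2, Lorg/apache/http/conn/ssl/SSLSocketFactory;->ALLOW_ALL_HOSTNAME_VERIFIER:Lorg/apache/http/conn/ssl/X509HostnameVerifier;
    invoke-virtual {v1, v2}, Lorg/apache/http/conn/ssl/SSLSocketFactory;->setHostnameVerifier(Lorg/apache/http/conn/ssl/X509HostnameVerifier;)V
    const-string v0, "cache.db"
    const/4 v1, 0x1
    invoke-virtual {p0, v0, v1}, Lcom/example/app/NetClient;->openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;
    return-void
.end method
"""

# Illustrative (not exhaustive) list of API references worth a manual look.
API_PATTERNS = [
    (r"ALLOW_ALL_HOSTNAME_VERIFIER", "hostname verification disabled"),
    (r"->setHostnameVerifier\(", "custom HostnameVerifier installed"),
    (r"Ljavax/net/ssl/X509TrustManager;", "custom TrustManager (review checkServerTrusted)"),
    (r"Ljavax/crypto/Cipher;->getInstance\(", "cipher selection (check mode and padding)"),
    (r"Ljava/lang/Runtime;->exec\(", "command execution"),
    (r"Landroid/util/Log;->[vdiwe]\(", "logcat output (may leak sensitive data)"),
    (r"->openFileOutput\(Ljava/lang/String;I\)", "Context.openFileOutput"),
]
FILE_MODES = {0: "MODE_PRIVATE", 1: "MODE_WORLD_READABLE", 2: "MODE_WORLD_WRITEABLE",
              3: "MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE"}

# String literals appear either as const-string / const-string/jumbo operands or
# as static field initialisers; both carry the literal in double quotes.
STRING_RE = re.compile(r'(?:const-string(?:/jumbo)?\s+[vp]\d+,\s*|=\s*)"((?:[^"\\]|\\.)*)"')
FIELD_RE = re.compile(r"\.field\s.*?(\w*(?:key|secret|pass|token)\w*):Ljava/lang/String;\s*=", re.I)
SECRET_RULES = [
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "AWS access key ID"),
    (re.compile(r"^[A-Fa-f0-9]{32,}$"), "long hex constant"),
    (re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$"), "long base64 constant"),
]

def classify_string(s: str) -> str:
    """Return a label when the literal looks like a credential, else ''."""
    for rule, label in SECRET_RULES:
        if rule.search(s):
            return label
    # Heuristic: 12+ chars mixing letters, digits and symbols, no spaces or slashes.
    if (len(s) >= 12 and " " not in s and "/" not in s
            and any(c.isalpha() for c in s) and any(c.isdigit() for c in s)
            and any(not c.isalnum() for c in s)):
        return "password-like literal"
    return ""

def resolve_file_mode(lines: List[str], idx: int) -> str:
    """Walk back from an openFileOutput invoke to the const that loaded its mode register."""
    m = re.search(r"\{([^}]*)\}", lines[idx])
    regs = [r.strip() for r in m.group(1).split(",")] if m else []
    if len(regs) < 3:  # {this, name, mode}
        return "mode unresolved"
    const_re = re.compile(r"const(?:/4|/16)?\s+" + re.escape(regs[2]) + r",\s*(0x[0-9a-fA-F]+|\d+)")
    for prev in reversed(lines[:idx]):
        if prev.strip().startswith(".method"):
            break
        c = const_re.search(prev)
        if c:
            value = int(c.group(1), 16 if c.group(1).startswith("0x") else 10)
            return FILE_MODES.get(value, f"mode {value:#x}")
    return "mode unresolved"

def scan_smali(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, detail) for interesting API calls and hard-coded secrets."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        for pattern, desc in API_PATTERNS:
            if re.search(pattern, line):
                if "openFileOutput" in pattern:
                    desc = f"{desc} with {resolve_file_mode(lines, i)}"
                findings.append((i + 1, "api", desc))
        m = STRING_RE.search(line)
        if m:
            literal = m.group(1)
            label = classify_string(literal)
            field = FIELD_RE.match(line.strip())
            if not label and field:
                label = f"string initialiser for field {field.group(1)}"
            if label:
                findings.append((i + 1, "secret", f"{label}: {literal!r}"))
    return findings

if __name__ == "__main__":
    for line_no, kind, detail in scan_smali(SAMPLE_SMALI):
        print(f"{line_no:4d} {kind:6s} {detail}")
```

Run it over a whole baksmali output tree by feeding each .smali file to scan_smali; the register walk-back for openFileOutput is deliberately naive (it stops at the enclosing .method and ignores branches), so treat "mode unresolved" as a prompt to read the method, not as a clean result. The same pattern-list approach is what Android Lint's security checks do in a more complete form.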
DAY 2
Traffic analysis & manipulation
Intro to server side attacks
Insecure remote authentication – client ID, IMEI, etc.
Proxies and sniffers
Sensitive information transmission
Importing SSL certificates & trusted CAs
Bypassing server certificate validations
Exposing insecure traffic
Validating server certificates and avoiding man-in-the-middle attacks
SSL Pinning
Using the HostnameVerifier class
Using SSL with the HttpsURLConnection class
Client side certificate authentication
Lab - Parameter Manipulation
Lab - Bypassing SSL Pinning
Component & IPC security
Major component types – Activity, Service, Content provider, Broadcast receiver
Components permissions model & the manifest file
Component exposure levels – public & private
The intent filter
Using manifest explorer
IPC security using Intents
Binder interface
Pending intents
Direct component invocation by unauthorized apps
Component permissions – Service, Activity, Content provider, Broadcast receiver
Authenticating Callers of Components
Sticky broadcasts
Securely activating components
Avoiding access to restricted screens
Lab - Invoking components using malicious intents
Lab - Dynamically registered components
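The component exposure and permission topics above come down to a few manifest rules: a component with an explicit android:exported attribute is what it says; an activity, service or receiver without one is exported exactly when it declares an intent-filter; a content provider without one was exported by default until minSdkVersion 17; and a custom permission only keeps other apps out if its protectionLevel is signature (or signatureOrSystem), since anything else is granted to any app that asks for it. The following is an added example, not part of the course material and not the manifest explorer tool, that applies those rules to an AndroidManifest.xml and lists components another app can reach. The manifest is constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
STRONG_LEVELS = {"signature", "signatureOrSystem"}

# Constructed manifest (not from any real app) exercising each exposure rule.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
  <permission android:name="com.example.bank.READ_ACCOUNTS" android:protectionLevel="normal"/>
  <application android:label="Bank">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.bank.READ_ACCOUNTS"/>
    <provider android:name=".AccountProvider" android:authorities="com.example.bank.accounts"/>
    <provider android:name=".LogProvider" android:authorities="com.example.bank.logs" android:exported="false"/>
  </application>
</manifest>
"""

def attr(el: ET.Element, name: str):
    # Element tags are unprefixed in a manifest; only attributes live in the android namespace.
    return el.get(ANDROID + name)

def is_exported(el: ET.Element, min_sdk: int) -> Tuple[bool, str]:
    """Apply the platform defaults when android:exported is absent."""
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true", f"android:exported={explicit}"
    if el.tag == "provider":
        # Providers were exported by default until API 17.
        return min_sdk < 17, f"provider default for minSdkVersion={min_sdk}"
    has_filter = el.find("intent-filter") is not None
    return has_filter, "implicitly exported by intent-filter" if has_filter else "no intent-filter"

def audit_manifest(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (tag, name, reason) for components reachable by other apps with no
    permission, or guarded only by a permission below signature level."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    # protectionLevel of permissions this package declares; absent means "normal".
    levels = {attr(p, "name"): (attr(p, "protectionLevel") or "normal") for p in root.iter("permission")}
    findings = []
    for el in root.find("application"):
        if el.tag not in COMPONENT_TAGS:
            continue
        name = attr(el, "name")
        exported, why = is_exported(el, min_sdk)
        if not exported:
            continue
        perm = attr(el, "permission")
        if el.tag == "provider" and perm is None:
            # A provider may be guarded per direction instead of as a whole.
            perm = attr(el, "readPermission") or attr(el, "writePermission")
        if perm is None:
            findings.append((el.tag, name, f"exported ({why}) with no permission"))
            continue
        level = levels.get(perm, "undeclared")  # declared by another package, or a typo
        if level.split("|")[0] not in STRONG_LEVELS:
            findings.append((el.tag, name, f"guarded by {perm} with protectionLevel={level}"))
    return findings

if __name__ == "__main__":
    for tag, name, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{tag:10s} {name:20s} {reason}")
```

Feed it the decoded manifest from an APK (apktool writes it as plain XML). The launcher activity is reported too, because it is exported; the point is to make every reachable entry point explicit so the restricted screens and privileged services among them stand out. From Android 12 (API 31) the implicit intent-filter rule no longer applies: a component with an intent-filter must set android:exported explicitly or the app fails to install.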
DAY 3
Content provider security
Introduction to content providers
Content URIs
Exported providers
Provider permissions
Using signature protection level
Temporary permissions
The SQLite DB
Local SQL injections
Parameterized queries
Unprotected content providers
Verifying caller identity
Lab - Content Provider Vulnerabilities
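The "local SQL injections" and "parameterized queries" topics above describe a provider whose query() builds SQL by concatenating caller-controlled input: the id taken from the content URI, the projection array, or the selection string. The following is an added example, not part of the course material, that models such a provider against an in-memory SQLite table in Python so the injection and the fix can be run side by side. The table, its rows and the URI layout are constructed for the example.

```python
import sqlite3
from typing import List, Sequence, Tuple

ALLOWED_COLUMNS = ("_id", "owner", "body")

def open_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the provider's SQLiteOpenHelper."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes(_id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        INSERT INTO notes VALUES (1, 'com.example.notes', 'grocery list');
        INSERT INTO notes VALUES (2, 'com.example.notes', 'card PIN 4321');
        INSERT INTO notes VALUES (3, 'com.example.notes', 'wifi passphrase');
    """)
    return db

def last_segment(uri: str) -> str:
    # Equivalent of Uri.getLastPathSegment() for content://authority/notes/<id>
    return uri.rsplit("/", 1)[-1]

def vulnerable_query(db: sqlite3.Connection, uri: str, projection: Sequence[str]) -> List[Tuple]:
    """query() built by concatenation: both the id from the URI and the caller's
    projection become SQL text, so a malicious caller controls the statement."""
    sql = "SELECT " + ", ".join(projection) + " FROM notes WHERE _id = " + last_segment(uri)
    return db.execute(sql).fetchall()

def safe_query(db: sqlite3.Connection, uri: str, projection: Sequence[str]) -> List[Tuple]:
    """Same lookup with the id bound as a parameter and the projection whitelisted."""
    note_id = last_segment(uri)
    if not note_id.isdigit():
        raise ValueError(f"bad note id in URI: {note_id!r}")
    bad = [c for c in projection if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError(f"unknown columns in projection: {bad}")
    sql = "SELECT " + ", ".join(projection) + " FROM notes WHERE _id = ?"
    return db.execute(sql, (int(note_id),)).fetchall()

def is_rejected(db: sqlite3.Connection, uri: str, projection: Sequence[str]) -> bool:
    """True when safe_query refuses the request (used to show the fix holds)."""
    try:
        safe_query(db, uri, projection)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = open_db()
    base = "content://com.example.notes/notes/"
    print(vulnerable_query(db, base + "1", ["_id", "body"]))                 # the one intended row
    print(vulnerable_query(db, base + "1 OR 1=1", ["_id", "body"]))          # every row
    print(vulnerable_query(db, base + "1", ["sql FROM sqlite_master --"]))   # schema dump
    print(is_rejected(db, base + "1 OR 1=1", ["body"]))                      # fix rejects it
```

On Android the same two controls are SQLiteDatabase.query() with "?" placeholders and a selectionArgs array for values, and a projection check (SQLiteQueryBuilder.setProjectionMap(), or setStrict(true) when the provider must accept a caller-supplied selection) for identifiers, which can never be bound as parameters. Parse ids with ContentUris.parseId(), which throws on a non-numeric segment rather than passing it through.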
Runtime analysis
Monitoring process activity
Observing file access
Monitoring network connectivity
Smali Debugging
Setting breakpoints
Native debugging with IDA (building signatures, types, etc.)
Memory dumping and analysis
Calling native methods from other apps
Analyzing logs using logcat
Runtime instrumentation and manipulation using ReFrameworker
Creating runtime hooks
Lab - Memory dumps and objects analysis
Lab - Smali debugging (bypassing HMAC validation)