Introduction to Android security


        Mobile application threat model - What makes mobile application security so different

        The Android Linux OS security

        The Dalvik VM

        The Android security mechanisms

        Application file system isolation & insecure file access

        The permission model

        Least privilege model

        Database isolation

        The Android emulator vs. physical device

        The debug bridge


        AppUse VM

        Lab - Android Emulator, ADB and Database Isolation

        Lab - AppUse Dashboard, Mercury, and rooting

        Lab - build your own malware app and steal other app files


Reverse engineering & patching the application binaries

        The APK file package

        APK extraction - Investigating layout, manifest, permissions and binaries

        Android components – activity, broadcast receiver, service, content provider

        Extracting the content of the classes.dex file

        Using smali/baksmali Dalvik assembler/disassembler

        Using jasmin/jasper JVM assembler/disassembler


        Using dex2jar

        Reverse engineer the app and change its behavior

        Decompile / disassemble the dex classes using smali/baksmali

        Modify the code


        Resign the APK

        Identifying interesting API calls

        Identifying insecure code and finding hard-coded secrets in code

        Using Android Lint

        Lab - Application patching

        Lab - Recovering protected secrets

        Lab - knocking off restrictions



Traffic analysis & manipulation

        Intro to server side attacks

        Insecure remote authentication – client ID, IMEI, etc.

        Proxies and sniffers

        Sensitive information transmission

        Importing SSL certificates & trusted CAs

        Bypassing server certificate validations

        Exposing insecure traffic

        Validating server certificates and avoiding man-in-the-middle

        SSL Pinning

        Using the HostnameVerifier class

        Using SSL with the HttpsURLConnection class

        Client side certificate authentication

        Lab - Parameter Manipulation

        Lab - Bypassing SSL Pinning


Component & IPC security

        Major component types – Activity, Service, Content provider, Broadcast receiver

        Components permissions model & the manifest file

        Component exposure levels – public & private

        The intent filter

        Using manifest explorer

        IPC security using Intents

        Binder interface

        Pending intents

        Direct component invocation by unauthorized apps

        Component permissions – Service, Activity, Content provider, Broadcast receivers

        Authenticating Callers of Components

        Sticky broadcasts

        Securely activating components

        Avoiding access to restricted screens

        Lab - Invoking components using malicious intents

        Lab - Dynamically registered components



Content provider security

        Introduction to content providers

        Content URIs

        Exported providers

        Provider permissions

        Using signature protection level

        Temporary permissions

        The SQLite DB

        Local SQL injections

        Parameterized queries

        Unprotected content providers

        Verifying caller identity

        Lab - Content Provider Vulnerabilities


Runtime analysis

        Monitoring process activity

        Observing file access

        Monitoring network connectivity

        Smali Debugging

        Setting breakpoints

        Native debugging with IDA (building signatures, types etc.)

        Memory dumping and analysis

        Calling native methods from other apps

        Analyzing logs using logcat

        Runtime instrumentation and manipulation using ReFrameworker

        Creating runtime hooks

        Lab - Memory dumps and objects analysis

        Lab - Smali Debugging (bypass HMAC validation)
