Android Application Hacking - Penetration and Reversing Mobile Apps

Israel Chorzevski, AppSec Labs | July 24-25



Overview

Day 1:

Introduction to Android security
  • Mobile application threat model - What makes mobile application security so different?
  • The Android linux OS security
  • The Dalvik VM
  • The Android security mechanisms
  • Application file system isolation & insecure file access
  • The permission model
  • Database isolation
  • The Android emulator VS. physical device
  • The debug bridge
  • Rooting
  • AppUse VM
  • Lab - Android Emulator, ADB and Database Isolation
  • Lab - build your own malware app and steal other app files
  • Homework

Static analysis - Reverse engineering & patching the application binaries
  • The APK file package
  • APK extraction - Investigating layout, manifest, permissions and binaries
  • Extracting the content of the classes.dex file
  • Using smali/baksmali Dalvik assembler/disassembler
  • Decompilation
  • Using dex2jar
  • Reverse engineer the app and change its behavior
  • Decompile / disassmble the dex classes using smali/baksmali
  • Code patching - Modifying the code
  • Recompile
  • Resign the APK
  • Lab - Recovering protected secrets
  • Lab - Application patching
  • Homework

Application dynamic runtime analysis
  • Monitoring process activity
  • Observing file access
  • Monitoring network connectivity
  • Analyzing logs using logcat
  • Memory dumps and analysis
  • Smali Debugging
  • Setting breakpoints
  • Native debugging with IDA and GDB
  • Runtime instrumentation and manipulation using ReFrameworker
  • Lab - Memory dumps and objects analysis
  • Lab - Bypass Application Restrictions without Modifying Any Code
  • Homework


Day 2:
Traffic analysis and manipulation
  • Common vulnerabilities related to traffic
  • Proxies and sniffers
  • Sensitive information transmission
  • Importing SSL certificates & trusted CA's
  • Bypassing server certificate validations
  • Exposing insecure traffic
  • Validating server certificates and avoiding man-in-the-middle
  • SSL Pinning
  • Using the HostnameVerifier class
  • Using SSL with the HttpsURLConnection class
  • Client side certificate authentication
  • Lab - Parameter Manipulation Using a Proxy
  • Lab - Bypassing SSL Pinning
  • Homework


Component & IPC security
  • Major component types – Activity, Service, Content provider, Broadcast receiver
  • The intent structure
  • The intent filter
  • Component permissions and visibility
  • Authenticating Callers of Components
  • Binder interface
  • Pending intents
  • Direct component invocation by unauthorized apps
  • Unprotected content providers
  • Sticky broadcasts
  • Securely activating components
  • Avoiding access to restricted screens
  • Lab - Invoking Internal Activities Using Malicious Intents
  • Lab – attacking broadcast receivers
  • Homework

Identifying code level vulnerabilities
  • Verifying caller identity
  • Whitebox approach using a code review
  • Locating interesting code
  • How to perform
  • Detecting common code level vulnerabilities
  • Using Lint
  • Lab – security code review
  • Homework

Who Should Take this Course

Members of the security / software development team:
  • Security penetration testers
  • Security researchers
  • Architects

Student Requirements

Before attending this course, students should be familiar with:
  • Common security concepts
  • Basic knowledge of the Linux OS
  • Development background and basic knowledge of the Android development platform

What Students Should Bring

Please make sure that each machine has:
  • At least 2GB of RAM (4GB is highly recommended)
  • 30GB of free HD space
  • Vmware player (free) or vmware workstation (commercial)

What Students Will Be Provided With

  • Slides booklet
  • Labs booklet
  • Licensed AppUse Android VM containing all tools, runtime, target apps, scripts, etc.
  • Certificate of completion
  • Access to AppSec Labs' LMS (learning management system), at https://appsec-labs.com/education/)

Trainers

Israel Chorzevski, CTO at AppSec Labs, has over ten years of security research and security vulnerability assessment experience. He has been leading the mobile and IOT research and development at AppSec Labs for the last five years, including R&D of AppUse and iNalyzer tools for pentesting android and iOS apps, which are used by thousands of security professionals around the world. Israel is famous for his cutting edge attitude and emphasis on new technologies, sharing his knowledge via courses, lectures and conferences around the globe (OWASP, DefCon group, etc.).