AL
Uploaded byAbdelhamid Limami
PPTX, PDF1,117 views

Pentesting Android Apps

This document discusses pentesting Android apps. It provides an overview of Android architecture and common attack surfaces, including the client software, communications channels, and server-side infrastructure. It describes setting up an environment for app analysis, exploiting vulnerabilities like insecure storage and logical flaws. The document demonstrates capturing network requests, reverse engineering apps, and provides developer tips to improve security like encrypting sensitive data and input sanitization.

Embed presentation

Downloaded 46 times
Pentesting Android Apps Abdelhamid Limami IT Security Consultant @ ITDefence
Overview  What is Android ?  Android Architecture  Android Applications Security  Environment Setup  Exploiting Apps Vulnerabilities  OWASP Top 10 Mobile  Demo(s)  Tips for Developers  Q&A
Past years…  Mobile Phones :  Phone calls  Sending text message or MMS  Alarm clock  Calculator & Calendar  Listen on Radio  Playing the snake game 
And Now…  Smart Phones !  Sending email  Watching Tv & Movies  Surf The internet  Booking Flights & Hotels  Online Banking transactions  Social Network (Facebook, Twitter, Instagram, Etc …)  3G , 4G , 5G Mobile Network & WIFI & NFC support
What is Android ?  Android is a Linux based platform developed by Google and the open handset alliance.  Application programming for it is done in java (include XML & support HTML).  The android operating system software stack consist of java applications running on a Dalvik virtual machine (DVK).  Applications similars to web apps.
Android Architecture
Android Applications Security
Attack Surfaces  Client Software on Android Device  Communications Channel  Server Side Infrastructure
Client Software  Packages are Installed from Play Store , Company Website, Third party apps/websites  Access All the files of the application in the local system (Need Root)  Can be Tampered , Decomplied & Reverse Engineered
Client Software  What exactly should I look for ?  Files on the local file system  Application authentication & authorization  Error Handling & Session Management  Logic Flaws  Decompiling and Analyzing
Communications Channel  Channel between the client and the server (HTTP(s), 3G…)  Testing with HTTP Proxy (Burp, ZAP) to intercept and manipulate data  If the application does not use the HTTP protocol, can use transparent TCP and UDP proxy like Mallory
Communications Channel What exactly Should I look For ?  Sniff sensitive information  Replay attack vulnerabilities  Secure transfer of sensitive information
Server-Side Infrastructure  Vulns in the the web servers behind a mobile application:  OWASP TOP 10 Web (SQLI,RCE,CSRF…)  Perform host and service scans on the target system to identify running services :  Information gathering (whois,host,dns….)  Running services and version (scanning ports)  Infrastructure vulnerability scanning
Environment Setup
Environment Setup  Root Your Device !  Install Xposed + JustTrustMe (SSL Killer) / Android-SSL-TrustKiller  Configure your Proxy (Burp, Zap…)  Requirements:  A Computer   Java  Eclipse (include ADT plugin) – Android Studio  Android SDK
Exploiting Apps Vulnerabilities
App Analysis  Insecure Storage  Capturing Requests  Reversing the Application Package  Logical Flaws / Malicious activities
Reading Stored Data  Android Applications store the data in /data/data/[PACKAGE_NAME]  sharedpreferences  Context.MODE_PRIVATE  Context.MODE_WORLD_READABLE  Context.MODE_WORLD_WRITEABLE  Files may be stored using the filesystem at /data/data/[PACKAGE_NAME]/files/filename  Storage in the SQLite databases
Local Data Storage flaws
Capturing Requests  Capture HTTP requests & responses  Parameter Manipulation and Data Tampering.  Set up a proxy in between the server & the client to intercept.
Capturing Requests
Reverse Engineering  Reverse Engineer the application logic and source code  Identify the flaws in the code base to exploit them  Look for sensitive data like passwords, encryption algorithms and keys of DB(s) JD-GUI Dex2Jar .apk .dex .class .java
Reverse Engineering
Logical Flaws  Insecure Login:
Malicious Activities  Identity Decloaking:
OWASP Top 10 Mobile
Showtime !
Developer Tips
Secure Your App !  Do Not store sensitive data locally (login creds, pwd, DB …)  Do Not use weak encryption in your code (base64, md5 …)  Do Not send sensitive data in Plain text requests (Token , Sessions , logins)  Encrypt the stored data  If using a webserver protect it against application layer attacks  Sanitize inputs, use prepared statements (protection against client side injection)  Encode your code before producing or at least use an obfuscator
Thank You Q&A ?

More Related Content

PPTX
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
PPTX
Mobile Application Security Testing (Static Code Analysis) of Android App
byAbhilash Venkata
 
PPTX
Mobile Application Security
byIshan Girdhar
 
PPTX
Buffer overflow attacks
byJoe McCarthy
 
PPTX
Security testing
byKhizra Sammad
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
PDF
Vulnerability Assessment and Penetration Testing Report
byRishabh Upadhyay
 
PDF
penetration testing
byShitesh Sachan
 
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
Mobile Application Security Testing (Static Code Analysis) of Android App
byAbhilash Venkata
 
Mobile Application Security
byIshan Girdhar
 
Buffer overflow attacks
byJoe McCarthy
 
Security testing
byKhizra Sammad
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
Vulnerability Assessment and Penetration Testing Report
byRishabh Upadhyay
 
penetration testing
byShitesh Sachan
 

What's hot

PDF
Android pentesting
byMykhailo Antonishyn
 
PDF
Android Security & Penetration Testing
bySubho Halder
 
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PPTX
Android security
byMidhun P Gopi
 
PDF
Mobile Application Penetration Testing
byBGA Cyber Security
 
PPTX
Android pentesting the hackers-meetup
bykunwaratul hax0r
 
PPTX
Android pentesting
byMykhailo Antonishyn
 
PPTX
MobSF: Mobile Security Testing (Android/IoS)
byAgile Testing Alliance
 
PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
PPTX
Pentesting Android Applications
byCláudio André
 
PPTX
Security operation center (SOC)
byAhmed Ayman
 
PDF
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
byapidays
 
PDF
Vulnerability Management
byasherad
 
PPT
Application Security
byReggie Niccolo Santos
 
PPTX
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
PDF
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
PPTX
Secure SDLC Framework
byRishi Kant
 
PPTX
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
PDF
Security testing presentation
byConfiz
 
Android pentesting
byMykhailo Antonishyn
 
Android Security & Penetration Testing
bySubho Halder
 
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Android security
byMidhun P Gopi
 
Mobile Application Penetration Testing
byBGA Cyber Security
 
Android pentesting the hackers-meetup
bykunwaratul hax0r
 
Android pentesting
byMykhailo Antonishyn
 
MobSF: Mobile Security Testing (Android/IoS)
byAgile Testing Alliance
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
Pentesting Android Applications
byCláudio André
 
Security operation center (SOC)
byAhmed Ayman
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
byapidays
 
Vulnerability Management
byasherad
 
Application Security
byReggie Niccolo Santos
 
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
DevSecOps and the CI/CD Pipeline
byJames Wickett
 
Secure SDLC Framework
byRishi Kant
 
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
Security testing presentation
byConfiz
 

Viewers also liked

PDF
Andriod Pentesting and Malware Analysis
byn|u - The Open Security Community
 
PDF
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
PDF
Pentesting con android - Nipper Toolkit Web Scan
byDylan Irzi
 
PDF
[2014/10/06] HITCON Freetalk - App Security on Android
byDEVCORE
 
PPTX
Android pen test basics
byOWASPKerala
 
PDF
My Null Android Penetration Session
byAvinash Sinha
 
PDF
How to Setup A Pen test Lab and How to Play CTF
byn|u - The Open Security Community
 
PDF
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
byAnant Shrivastava
 
PPTX
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
byAnant Shrivastava
 
PDF
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
byAnant Shrivastava
 
PPT
Android ppt
byblogger at indiandswad
 
Andriod Pentesting and Malware Analysis
byn|u - The Open Security Community
 
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
Pentesting con android - Nipper Toolkit Web Scan
byDylan Irzi
 
[2014/10/06] HITCON Freetalk - App Security on Android
byDEVCORE
 
Android pen test basics
byOWASPKerala
 
My Null Android Penetration Session
byAvinash Sinha
 
How to Setup A Pen test Lab and How to Play CTF
byn|u - The Open Security Community
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
byAnant Shrivastava
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
byAnant Shrivastava
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
byAnant Shrivastava
 
Android ppt
byblogger at indiandswad
 

Similar to Pentesting Android Apps

PDF
Security testing in mobile applications
byJose Manuel Ortega Candel
 
PPTX
Mobile application security
byShubhneet Goel
 
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
PDF
Android App Hacking - Erez Metula, AppSec
byDroidConTLV
 
PPTX
Untitled 1
bySergey Kochergan
 
PPTX
Security testing of mobile applications
byGTestClub
 
PPTX
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
byTestDevLab
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PDF
Droidcon it-2014-marco-grassi-viaforensics
byviaForensics
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
PDF
Attacking and Defending Mobile Applications
byJerod Brennen
 
PPTX
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 
PPTX
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
byRomansh Yadav
 
PDF
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 
PDF
Android Pentesting
byn|u - The Open Security Community
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
PPTX
Building a Mobile Security Program
byDenim Group
 
PDF
Android Hacking
byantitree
 
PPTX
Android security by ravi-rai
byRavi Rai
 
PDF
Introduction to Android Development and Security
byKelwin Yang
 
Security testing in mobile applications
byJose Manuel Ortega Candel
 
Mobile application security
byShubhneet Goel
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
Android App Hacking - Erez Metula, AppSec
byDroidConTLV
 
Untitled 1
bySergey Kochergan
 
Security testing of mobile applications
byGTestClub
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
byTestDevLab
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
Droidcon it-2014-marco-grassi-viaforensics
byviaForensics
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
Attacking and Defending Mobile Applications
byJerod Brennen
 
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
byRomansh Yadav
 
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 
Android Pentesting
byn|u - The Open Security Community
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
Building a Mobile Security Program
byDenim Group
 
Android Hacking
byantitree
 
Android security by ravi-rai
byRavi Rai
 
Introduction to Android Development and Security
byKelwin Yang
 

Recently uploaded

PDF
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
PDF
Taxonomy Principles to Support Knowledge Management at a Not-for-Profit
byEnterprise Knowledge
 
PDF
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
DOCX
Quercus semecarpifolia is widely recognized as a keystone species in alpine a...
byMadan Bhandari university and St. Xavier's college , Maitighar
 
PDF
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PDF
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PDF
apidays Paris 2025 |Turning Exposed Uris Bulletproof: Securing APIs with HAPr...
byapidays
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PPTX
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
PDF
The Rise of AI Fashion Tools and Innovations in 2026
bymockitseo
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PDF
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PDF
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
Taxonomy Principles to Support Knowledge Management at a Not-for-Profit
byEnterprise Knowledge
 
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
Quercus semecarpifolia is widely recognized as a keystone species in alpine a...
byMadan Bhandari university and St. Xavier's college , Maitighar
 
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
apidays Paris 2025 |Turning Exposed Uris Bulletproof: Securing APIs with HAPr...
byapidays
 
Information and Communication Technologies and Power
byJeffrey Hart
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
The Rise of AI Fashion Tools and Innovations in 2026
bymockitseo
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 

Pentesting Android Apps

  • 1.
    Pentesting Android Apps AbdelhamidLimami IT Security Consultant @ ITDefence
  • 2.
    Overview  What isAndroid ?  Android Architecture  Android Applications Security  Environment Setup  Exploiting Apps Vulnerabilities  OWASP Top 10 Mobile  Demo(s)  Tips for Developers  Q&A
  • 3.
    Past years…  MobilePhones :  Phone calls  Sending text message or MMS  Alarm clock  Calculator & Calendar  Listen on Radio  Playing the snake game 
  • 4.
    And Now…  SmartPhones !  Sending email  Watching Tv & Movies  Surf The internet  Booking Flights & Hotels  Online Banking transactions  Social Network (Facebook, Twitter, Instagram, Etc …)  3G , 4G , 5G Mobile Network & WIFI & NFC support
  • 5.
    What is Android?  Android is a Linux based platform developed by Google and the open handset alliance.  Application programming for it is done in java (include XML & support HTML).  The android operating system software stack consist of java applications running on a Dalvik virtual machine (DVK).  Applications similars to web apps.
  • 6.
  • 7.
  • 8.
    Attack Surfaces  ClientSoftware on Android Device  Communications Channel  Server Side Infrastructure
  • 9.
    Client Software  Packagesare Installed from Play Store , Company Website, Third party apps/websites  Access All the files of the application in the local system (Need Root)  Can be Tampered , Decomplied & Reverse Engineered
  • 10.
    Client Software  Whatexactly should I look for ?  Files on the local file system  Application authentication & authorization  Error Handling & Session Management  Logic Flaws  Decompiling and Analyzing
  • 11.
    Communications Channel  Channelbetween the client and the server (HTTP(s), 3G…)  Testing with HTTP Proxy (Burp, ZAP) to intercept and manipulate data  If the application does not use the HTTP protocol, can use transparent TCP and UDP proxy like Mallory
  • 12.
    Communications Channel What exactlyShould I look For ?  Sniff sensitive information  Replay attack vulnerabilities  Secure transfer of sensitive information
  • 13.
    Server-Side Infrastructure  Vulnsin the the web servers behind a mobile application:  OWASP TOP 10 Web (SQLI,RCE,CSRF…)  Perform host and service scans on the target system to identify running services :  Information gathering (whois,host,dns….)  Running services and version (scanning ports)  Infrastructure vulnerability scanning
  • 14.
  • 15.
    Environment Setup  RootYour Device !  Install Xposed + JustTrustMe (SSL Killer) / Android-SSL-TrustKiller  Configure your Proxy (Burp, Zap…)  Requirements:  A Computer   Java  Eclipse (include ADT plugin) – Android Studio  Android SDK
  • 16.
  • 17.
    App Analysis  InsecureStorage  Capturing Requests  Reversing the Application Package  Logical Flaws / Malicious activities
  • 18.
    Reading Stored Data Android Applications store the data in /data/data/[PACKAGE_NAME]  sharedpreferences  Context.MODE_PRIVATE  Context.MODE_WORLD_READABLE  Context.MODE_WORLD_WRITEABLE  Files may be stored using the filesystem at /data/data/[PACKAGE_NAME]/files/filename  Storage in the SQLite databases
  • 19.
  • 20.
    Capturing Requests  CaptureHTTP requests & responses  Parameter Manipulation and Data Tampering.  Set up a proxy in between the server & the client to intercept.
  • 21.
  • 22.
    Reverse Engineering  ReverseEngineer the application logic and source code  Identify the flaws in the code base to exploit them  Look for sensitive data like passwords, encryption algorithms and keys of DB(s) JD-GUI Dex2Jar .apk .dex .class .java
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
    Secure Your App!  Do Not store sensitive data locally (login creds, pwd, DB …)  Do Not use weak encryption in your code (base64, md5 …)  Do Not send sensitive data in Plain text requests (Token , Sessions , logins)  Encrypt the stored data  If using a webserver protect it against application layer attacks  Sanitize inputs, use prepared statements (protection against client side injection)  Encode your code before producing or at least use an obfuscator
  • 30.