Scribd
Upload
25 views35 pages

Android+Pentesting+101

The document outlines a course on Android penetration testing, covering key concepts such as static and dynamic analysis, and the structure of Android architecture. It details the process of identifying vulnerabilities in Android applications and the tools used for analysis. The course also emphasizes the importance of both reconnaissance and reporting in penetration testing.

Uploaded by

parrotngrok143
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
25 views35 pages

Android+Pentesting+101

The document outlines a course on Android penetration testing, covering key concepts such as static and dynamic analysis, and the structure of Android architecture. It details the process of identifying vulnerabilities in Android applications and the tools used for analysis. The course also emphasizes the importance of both reconnaissance and reporting in penetration testing.

Uploaded by

parrotngrok143
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 35

INTRODUCTION TO THE

COURSE
Structure of the course

Penetration Testing
Basic Android Concepts
Static Analysis
Dynamic analysis
CHAPTER-1

It describes the intentional launching of simulated


cyberattacks that seek out exploitable
vulnerabilities in computer systems, networks,
websites, and applications.
CHAPTER-1
Reconnaissance
STEP1 STEP2
Scanning

Exploitation
STEP3 STEP4
Escalation

Covering tracks
STEP5 STEP6
Reporting
CHAPTER-1

Android penetration testing is a process of finding


security vulnerabilities in an android application. It
is a systematic approach to searching for
weaknesses in an Android app, verifying the app's
security, and making sure it abides by the security
policies.
CHAPTER-1

Recon/Info
Gathering

REPORTING STATIC
ANALYSIS

DYNAMIC
ANALYSIS
CHAPTER-2

Android is a mobile operating system based on a


modified version of the Linux kernel and other open
source software, designed primarily for touchscreen
mobile devices such as smartphones and tablets.

BASIC ANDROID CONCEPTS


CHAPTER-2

ANDROID
ARCHITECTURE

BASIC ANDROID CONCEPTS


CHAPTER-2
LINUX KERNEL
It is the heart of android architecture. It manages all the available
drivers such as display drivers, camera drivers, Bluetooth drivers, audio
drivers, memory drivers, etc. which are required during the runtime.

Platform libraries

The Platform Libraries includes various C/C++ core libraries and Java
based libraries such as Media, Graphics, Surface Manager, OpenGL
etc. to provide a support for android development.

Application RunTime
Android Runtime environment is one of the most important parts of
Android. It contains components like core libraries and the Dalvik
virtual machine(DVM). Mainly, it provides the base for the application
framework and powers our application with the help of the core
libraries.
BASIC ANDROID CONCEPTS
CHAPTER-2
APPLICATION FRAMEWORK
Application Framework provides several important classes which are
used to create an Android application. It provides a generic abstraction
for hardware access and also helps in managing the user interface with
application resources. Generally, it provides the services with the help
of which we can create a particular class and make that class helpful
for the Applications creation.

Applications

Applications are the top layer of the android architecture. The pre-
installed applications like home, contacts, camera, gallery, etc, and
third-party applications downloaded from the play store like chat
applications, games, etc. will be installed on this layer only.

BASIC ANDROID CONCEPTS


CHAPTER-2

APK stands for Android Package (sometimes


Android Package Kit or Android Application
Package). An APK is an archive file, meaning that
it contains multiple files, plus some metadata
about them.
APK can be unpacked by Apktool, WinRAR, 7-zip,
and other unzipping tools.

BASIC ANDROID CONCEPTS


CHAPTER-2

BASIC ANDROID CONCEPTS


CHAPTER-2

ACTIVITIES
Activities are said to be the presentation layer of our applications. The UI of our application is built
around one or more extensions of the Activity class. By using Fragments and Views, activities set
the layout and display the output and also respond to the user’s actions.

SERVICES

Services are like invisible workers of our app. These components run at the backend, updating
your data sources and Activities, triggering Notification, and also broadcast Intents. They also
perform some tasks when applications are not active.

BASIC ANDROID CONCEPTS


CHAPTER-2

CONTENT PROVIDERS

It is used to manage and persist the application data also typically interacts with the SQL
database. They are also responsible for sharing the data beyond the application boundaries. The
Content Providers of a particular application can be configured to allow access from other
applications, and the Content Providers exposed by other applications can also be configured.

BROADCAST RECEIVERS

They are known to be intent listeners as they enable your application to listen to the Intents that
satisfy the matching criteria specified by us. Broadcast Receivers make our application react to
any received Intent thereby making them perfect for creating event-driven applications.

BASIC ANDROID CONCEPTS


CHAPTER-2

BASIC ANDROID CONCEPTS


CHAPTER-2

The process of converting the machine-


level/Assembly level language to High-level
language or pseudo source code.

BASIC ANDROID CONCEPTS


CHAPTER-2

A decompiler is a computer program that helps to


convert machine level/computer-readable code
to Pseudo source code/human-readable format.

There are many android decompilers, but most


used angd appropriate tools are Jadx-gui, GDA
and JEB decompilers

BASIC ANDROID CONCEPTS


CHAPTER-3

Static code analysis is a method of debugging by examining


source code before a program is run. It's done by analyzing a
set of code against a set (or multiple sets) of coding rules.
This type of analysis addresses weaknesses in source code
that might lead to vulnerabilities.

The static analysis gives an understanding of business logic,


it'll help to find hardcoded secrets or hardcoded IP and
credentials.

STATIC ANALYSIS
CHAPTER-3

STATIC ANALYSIS
CHAPTER-3

https://github.com/skylot/jadx/releases/tag/v1.3.1

https://github.com/charles2gan/GDA-android-
reversing-Tool/releases

https://www.pnfsoftware.com/jeb/community-
edition

STATIC ANALYSIS
CHAPTER-3

STATIC ANALYSIS
CHAPTER-3

https://mobsf.github.io/docs/#/

STATIC ANALYSIS
CHAPTER-3

STATIC ANALYSIS
CHAPTER-4

Dynamic analysis, also known as dynamic program analysis,


is the evaluation of a program or technology using real-time
data. Instead of taking code offline, vulnerabilities and
program behavior can be monitored while the program is
running, providing visibility into its real-world behavior.

To monitor the real-time data exchange between client and


server, to identify whether the sensitive data is in transit. Also
to identify the week endpoints.

DYNAMIC ANALYSIS
CHAPTER-4

BURPSUITE+GENYMOTION

DYNAMIC ANALYSIS
CHAPTER-4

Pinning is an optional mechanism that can be used to


improve the security of a service or site that relies on SSL
Certificates. Pinning allows you to specify a cryptographic
identity that should be accepted by users visiting your site

Certificate pinning was originally created to protect against


the threat of a rogue CA. Pinning also ensures that none of
your app's network data is compromised even if a user has a
malicious root certificate installed on their device

DYNAMIC ANALYSIS
CHAPTER-4

DYNAMIC ANALYSIS
CHAPTER-4

DYNAMIC ANALYSIS
CHAPTER-4

DYNAMIC ANALYSIS
CHAPTER-5

SUMMARY AND THANK YOU


CHAPTER-5

SUMMARY AND THANK YOU


CHAPTER-5

SUMMARY AND THANK YOU


CHAPTER-5

SUMMARY AND THANK YOU

You might also like