Course Outline
Android is becoming increasingly present in all aspects of our lives, from phones and televisions to fridges and point of sale devices. As the use of Android continues to grow, so do concerns about security and privacy. This has led to a greater need for security assessments and the secure operation of the Android application ecosystem.
This course aims to provide guidance for application security engineers and penetration testers on how to secure the Android application ecosystem. It does cover various aspects of Android security, including analysing and assessing the security of Android applications, identifying vulnerabilities and weaknesses, and implementing security controls. The course provides hands-on experience and practical knowledge for professionals to effectively secure Android applications and protect against threats. The ultimate goal is to equip participants with the necessary skills and knowledge to ensure the security and privacy of the Android ecosystem.
Course focuses on the android application ecosystem covering both attack & defence side of the application development process. Starting with attack we cover the various attacks possible on android application and then we provide answers to various challenges routinely encountered by android security engineers / pen testers:
- Traffic interception (http/https/web socket/non-http)
- Root detection bypass
- Static & dynamic analysis
- Perform dynamic instrumentation (Frida / Magisk)
- Analysing non Java/ Kotlin apps (React Native and Flutter)
Then we shift gears and focus on defending the applications and major areas covered are
- Application Threat Modelling
- Identifying weaknesses
- Adding Security into CI / CD Pipeline for the application
- Analysis of the results (centralised dashboard and prioritizations)
The aim is not to create zero to hero, but to provide a methodical approach with which the participants could perform any android application assessment. We provide students with access to learning portal (cloud VM’s), a soft copy of slides, detailed answer sheets as well as AMI’s to continue learning after class.
Course Syllabus
Basics
- Understanding OS Architecture
- Android Permission model
- Inter process communication
- (Intents / Binders, Deep linking)
- Application Structure
Attack
- Attack surface mapping
- MITRE ATT&CK & OWASP MSTG
- Traffic Interception (http/https)
- root detection bypass
- Deobfuscating application code
- Dynamic instrumentation
- Static & dynamic analysis
- Hybrid app assessment (reactnative, flutter, .net)
Defend
- Threat Modeling
- OWASP MASVS
- Defense Strategies
- CI / CD Pipeline
- Static analysis SAST via semgrep
- Dynamic analysis DAST
- 3rd Party Library Tracking
- Supply Chain Security
Previous Run of this class
This class has ran successfully at BlackHat USA 2022
- https://www.blackhat.com/us-22/training/schedule/index.html#attack-and-defend-android-applications-25660
- https://www.blackhat.com/us-22/training/schedule/index.html#attack-and-defend-android-applications-256601645123759
Testimonials
I’m a beginner level but was easy for me to understand all the topics because it was very clear the examples for each topic. Thanks for the help.
Attendee @ BlackHat USA 22
Great delivery, very attentive, excellent knowledge base provided. The provision of material is a highlight.
Attendee @ BlackHat USA 22
The presenters conveyed a significant amount of knowledge and I’m walking away with good value for $. Excellent work and great training
Attendee @ BlackHat USA 22
How to attend
Cyfinoid offers its trainings via multiple international conference such as BlackHat USA and others.