Android Penetration Testing 101
- Description
- Curriculum
- FAQ
- Reviews
Android Penetration Testing 101 course is designed mainly for beginners who want to start their journey in android security but have no idea how to create and where to start.
This course gives you complete knowledge beginning from the android architecture to the analysis of the android application with all the attack vectors you learned.
In this course, we have demonstrated static analysis of android applications concerning all the frameworks( Reactnative, Java, flutter, Cordova) with the help of unique tools such as Jadx, Jeb decompiler, and GDA decompiler. Along with that, we have demonstrated automated scanners like MOBSF from installation to the dynamic analysis of the app. Also, we have discussed the common vulnerabilities that can be identified during the static analysis and the endpoints that we can look for.
The most exciting part of any Penetration testing is Dynamic analysis; In this course, we discussed why mobile applications need dynamic analysis and its role in hunting vulnerabilities. We have demonstrated setting up the lab for dynamic analysis( we preferred a burp suite with genymotion).
The primary concept in the dynamic analysis is SSL-PINNING; we have discussed all the ideas regarding SSL-pinning and demonstrated bypassing methods of SSL in android.
We have discussed excellent dynamic illustration tools like Frida and objection and demonstrated the setup.
In the end, we have performed live dynamic analysis on the android application and discussed common vulnerabilities that, can be identified during the dynamic analysis, the endpoints that we can look for, and how to find sensitive information in the app’s database.
To make your pentesting smoother, we provided an Android pentesting checklist, which might come in handy during your Real-time analysis.
-
4
Android and its architectureThis Lecture gives the basic knowledge of android and its architecture.
-
5
What are APK and its structure?
This Lecture gives a basic understanding of the android apk and its structure.
-
6
Android Components and LifeCycle
This Lecture gives basic information on Android components and Lifecycle methods.
-
7
what are decompilation and decompilers?
In this lecture, we can understand what is decompiling process and what are decompilers.
-
8
what is Static Analysis? why is it important?
Here we have discussed Static analysis and its Importance in Penetration Testing.
-
9
Introduction to Static Analysis tools and their installations.
we discuss the various static analysis tools and their installation procedure.
Jax: https://github.com/skylot/jadx/releases
JEB: https://www.pnfsoftware.com/jeb/community-edition
GDA: https://github.com/charles2gan/GDA-android-reversing-Tool/releases
-
10
MOBSF: Installation and Introduction to MOBSF.
In this lecture, we have discussed how to install MOBSF and how to use MOBSF, features of MOBSF, and also how to perform Dynamic analysis on android apk in MOBSF.
MOBSF: https://mobsf.github.io/docs/#/
-
11
Common Vulnerabilities that can be found using static analysis
Here, we have discussed how to analyze the apk, we have shown static analysis of 3 different frameworks( Java, react, Cordova) and also discussed how to find weak codes and vulnerabilities.
-
12
Static analysis with APK Leaks
Github : https://github.com/dwisiswant0/apkleaks
-
13
Bonus: Automate the analysis of android components
Lets us automate the use of drozer to find vulnerabilities in android components.
Tool link: https://github.com/themalwarenews/drozscan
-
14
what is the dynamic analysis and why is it important.
In this video, we gonna discuss what is dynamic analysis and its importance.
-
15
Dynamic Analysis Lab Setup
we will set up a dynamic analysis lab using burp suite and genymotion.
Burpsuite: https://portswigger.net/burp/releases/professional-community-2021-12-1?requestededition=community
Genymotion: https://www.genymotion.com/download/
Yaazhini:https://www.vegabird.com/yaazhini/
-
16
what is SSL-PINNING, why is it important to integrate with the application?
Let us understand what is SSL-PINNING, why developers implement it in the applications.
-
17
Installation and Introduction to Frida and Frida-tools
let us understand some dynamic illustration tools.
Frida: https://frida.re/docs/android/
Objection: https://github.com/sensepost/objection/wiki
Frida Universal SSL Bypass script : https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
Frida-server: https://github.com/frida/frida/releases
-
18
Bypassing SSL-PINNING in 3 different ways.
Here is the bonus video on other ways to bypass SSL-PINNING.
Apk-mitm: https://github.com/shroudedcode/apk-mitm
-
19
Demonstration of Dynamic Analysis
In this video, let us discuss attack vectors in dynamic analysis and the endpoints we can look into during dynamic analysis.
mlogcat: https://mlogcat.tistory.com/
-
20
Bonus: Setting up Xposed framework
Configuring Xposed framework
Xposed Installer apk : https://forum.xda-developers.com/attachments/xposedinstaller_3-1-5-apk.4393082/
Xposed archive flash file : https://dl-xda.xposed.info/framework/sdk25/x86/xposed-v89-sdk25-x86.zip
Inspeckage : https://github.com/ac-pm/Inspeckage/releases
Xposed modules repo : https://repo.xposed.info/module
