MA
Uploaded byMinali Arora
438 views

Getting started with Android pentesting

Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She is also a part-time bug bounty hunter and blogger. The document discusses Android security architecture, testing methodologies, common vulnerabilities, and security tips for developers. It covers topics such as Android security model, application components, static and dynamic testing tools, and the OWASP top 10.

Technology
Related topics:
Cyber-Security
MINALI ARORA
 A cyber security professional with almost 6 years of experience  Demostrated areas of work- Application & Network Pentesting, Bash Scripting and Red Teaming  Part time bug bounty hunter and blogger https://medium.com/@minaliarora  Follow me on twitter: @AroraMinali
 Android Overview  Android Architecture  Android Security Model  Android App Testing  OWASP Top 10  Security tips for Developers
 Android’s Security Model consists of two parts: ◦ UID Separation ◦ Sandboxing Linux Kernel offers unique UID and GID for each application at run time. Thus, an application runs in its own sandbox environment and does not affect any other apps running.
AndroidManifest.XML Classes.dex Resources.arsc Assets Folder Lib Folder META-INF Folder Res Folder Other Files
 Root your device (If you choose an emulator, then make sure that it is already rooted)  Allow unknown sources (Settings->Security)  Install the application  Connect the device/emulator to a proxy setup (for e.g. Burp)
Methodology of testing an Android application can be broadly divided into two categories:  Static Testing  Dynamic Testing While static testing includes reversing an android application and reading the code, Dynamic testing includes analyzing the network traffic
 Android SDK: A software development kit containing API libraries and developer tools to build, test and debug Android apps In our context , more important ones are adb, apktool, and the emulator
 Android Debug Bridge: Command line tool to communicate with emulator instance or connected physical/virtual device  Useful Commands:  adb devices  adb connect  adb shell  adb install  adb push/pull
 apktool: is used to decode and reverse engineer android application Command: apktool d <apk file>
 dex2jar –converts dex file to jar containing reconstructed source code which can be viewed in jdgui
 AndroidManifest.xml- This file contains all application components and application permissions
 Drozer  Burp Suite  Droidbox  MobSF  Inspeckage
 Drozer: One of the most chosen tools for Android security testing. A security testing framework, great to determine app attack surface and interact with it.
Most common vulnerabilities found during Android application testing:  OTP bypass  Authentication bypass  IDOR  Information Leakage  Privilege Escalation
 Store data safely  Enforce secure communication  Use web view objects carefully  Provide the right permissions to application  Update security provider to protect against exploits  Share only sensitive data to cache files  Use shared preferences in private mode https://developer.android.com/topic/security/best- practices
Getting started with Android pentesting

More Related Content

PDF
Android pentesting
byMykhailo Antonishyn
 
PPTX
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
PDF
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
byapidays
 
PDF
Android application penetration testing
byRoshan Kumar Gami
 
PPTX
Pentesting Android Apps
byAbdelhamid Limami
 
PPTX
Android pentesting
byMykhailo Antonishyn
 
PDF
Android application security testing
byMykhailo Antonishyn
 
PPTX
Mobile Application Security Testing (Static Code Analysis) of Android App
byAbhilash Venkata
 
Android pentesting
byMykhailo Antonishyn
 
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
byapidays
 
Android application penetration testing
byRoshan Kumar Gami
 
Pentesting Android Apps
byAbdelhamid Limami
 
Android pentesting
byMykhailo Antonishyn
 
Android application security testing
byMykhailo Antonishyn
 
Mobile Application Security Testing (Static Code Analysis) of Android App
byAbhilash Venkata
 

What's hot

PDF
Android Security & Penetration Testing
bySubho Halder
 
PPTX
Android security
byMobile Rtpl
 
PDF
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
PPTX
Android Penetration Testing - Day 1
byMohammed Adam
 
PPTX
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 
PPTX
Android security
byMidhun P Gopi
 
PDF
Introduction to MITRE ATT&CK
byArpan Raval
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
PDF
Final Project Report-SIEM
byRangan Yoga
 
PDF
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
PPTX
Bug Bounty 101
byShahee Mirza
 
PPTX
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
byRomansh Yadav
 
PPTX
Security testing fundamentals
byCygnet Infotech
 
ODP
OWASP Secure Coding
bybilcorry
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
OSINT- Leveraging data into intelligence
byDeep Shankar Yadav
 
PDF
Mobile Application Penetration Testing
byBGA Cyber Security
 
PPT
Pentesting Using Burp Suite
byjasonhaddix
 
PDF
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
Android Security & Penetration Testing
bySubho Halder
 
Android security
byMobile Rtpl
 
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
Android Penetration Testing - Day 1
byMohammed Adam
 
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 
Android security
byMidhun P Gopi
 
Introduction to MITRE ATT&CK
byArpan Raval
 
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
Final Project Report-SIEM
byRangan Yoga
 
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
Bug Bounty 101
byShahee Mirza
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
byRomansh Yadav
 
Security testing fundamentals
byCygnet Infotech
 
OWASP Secure Coding
bybilcorry
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
OSINT- Leveraging data into intelligence
byDeep Shankar Yadav
 
Mobile Application Penetration Testing
byBGA Cyber Security
 
Pentesting Using Burp Suite
byjasonhaddix
 
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 

Similar to Getting started with Android pentesting

PPTX
Getting started with android
byVandana Verma
 
PDF
The art of android hacking by Abhinav Mishra (0ctac0der)
byOWASP Delhi
 
PDF
The art of android hacking
byAbhinav Mishra
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
PPTX
Rapid Android Application Security Testing
byNutan Kumar Panda
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
PPTX
Android village @nullcon 2012
byhakersinfo
 
PPTX
Mobile application security
byShubhneet Goel
 
PPTX
Mobile Application Security
byIshan Girdhar
 
PDF
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
byArea41
 
PPTX
[Wroclaw #1] Android Security Workshop
byOWASP
 
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
PPTX
Untitled 1
bySergey Kochergan
 
PDF
Introduction to Android Development and Security
byKelwin Yang
 
PPTX
Security testing of mobile applications
byGTestClub
 
PDF
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 
PDF
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
PDF
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 
PDF
Reading Group Presentation: Why Eve and Mallory Love Android
byMichael Rushanan
 
Getting started with android
byVandana Verma
 
The art of android hacking by Abhinav Mishra (0ctac0der)
byOWASP Delhi
 
The art of android hacking
byAbhinav Mishra
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
Rapid Android Application Security Testing
byNutan Kumar Panda
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
Android village @nullcon 2012
byhakersinfo
 
Mobile application security
byShubhneet Goel
 
Mobile Application Security
byIshan Girdhar
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
byArea41
 
[Wroclaw #1] Android Security Workshop
byOWASP
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
Untitled 1
bySergey Kochergan
 
Introduction to Android Development and Security
byKelwin Yang
 
Security testing of mobile applications
byGTestClub
 
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 
Reading Group Presentation: Why Eve and Mallory Love Android
byMichael Rushanan
 

Recently uploaded

PDF
Session 2 - Specialized AI Associate Series: Orchestrator Deep-Dive and UiPa...
byDianaGray10
 
PDF
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
PDF
Web Mapping 101: Creating Dynamic Web Maps with Geospatial Data
bySafe Software
 
PDF
From Infrastructure to Insight: Technical Pathways to Value in Europe’s Compu...
byMindtrek
 
PDF
CIDT: Blockchain, DeFi & Product Engineering - MVPs in 4 Weeks with a Senior-...
byTetianaBuchynska1
 
PPTX
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
PDF
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
PDF
A business case for open source: From lock-in to value.pdf
byMindtrek
 
PPTX
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
PDF
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
PPTX
Building Europe with Open LLMs - Manu Setälä.pptx
byMindtrek
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
How computers tell who they are using TPM2.pdf
byMindtrek
 
PDF
TrustArc Webinar - The Future of Third-Party Privacy Risk: Trends, Tactics & ...
byTrustArc
 
PDF
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
PPTX
sap 2016-09-14_PP_MRPType_VB_Blogged.pptx
byAmira Jemi
 
PDF
Dream Companion Reviews, Pricing, & Alternatives
byDream Companion
 
PDF
A Guide to Microsoft Azure's Scalable and Secure Cloud Solutions
byTeleglobal International
 
PPTX
Behind the Scenes at Netflix: Distributed Systems & NoSQL Architecture.
byayesha butalia
 
PPTX
SIH Presentation praniawar2o25 cse.pptx
bysamikshamatkar91
 
Session 2 - Specialized AI Associate Series: Orchestrator Deep-Dive and UiPa...
byDianaGray10
 
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
Web Mapping 101: Creating Dynamic Web Maps with Geospatial Data
bySafe Software
 
From Infrastructure to Insight: Technical Pathways to Value in Europe’s Compu...
byMindtrek
 
CIDT: Blockchain, DeFi & Product Engineering - MVPs in 4 Weeks with a Senior-...
byTetianaBuchynska1
 
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
A business case for open source: From lock-in to value.pdf
byMindtrek
 
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
Building Europe with Open LLMs - Manu Setälä.pptx
byMindtrek
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
How computers tell who they are using TPM2.pdf
byMindtrek
 
TrustArc Webinar - The Future of Third-Party Privacy Risk: Trends, Tactics & ...
byTrustArc
 
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
sap 2016-09-14_PP_MRPType_VB_Blogged.pptx
byAmira Jemi
 
Dream Companion Reviews, Pricing, & Alternatives
byDream Companion
 
A Guide to Microsoft Azure's Scalable and Secure Cloud Solutions
byTeleglobal International
 
Behind the Scenes at Netflix: Distributed Systems & NoSQL Architecture.
byayesha butalia
 
SIH Presentation praniawar2o25 cse.pptx
bysamikshamatkar91
 

Getting started with Android pentesting

  • 1.
  • 2.
     A cybersecurity professional with almost 6 years of experience  Demostrated areas of work- Application & Network Pentesting, Bash Scripting and Red Teaming  Part time bug bounty hunter and blogger https://medium.com/@minaliarora  Follow me on twitter: @AroraMinali
  • 3.
     Android Overview Android Architecture  Android Security Model  Android App Testing  OWASP Top 10  Security tips for Developers
  • 6.
     Android’s SecurityModel consists of two parts: ◦ UID Separation ◦ Sandboxing Linux Kernel offers unique UID and GID for each application at run time. Thus, an application runs in its own sandbox environment and does not affect any other apps running.
  • 8.
  • 10.
     Root yourdevice (If you choose an emulator, then make sure that it is already rooted)  Allow unknown sources (Settings->Security)  Install the application  Connect the device/emulator to a proxy setup (for e.g. Burp)
  • 12.
    Methodology of testingan Android application can be broadly divided into two categories:  Static Testing  Dynamic Testing While static testing includes reversing an android application and reading the code, Dynamic testing includes analyzing the network traffic
  • 15.
     Android SDK:A software development kit containing API libraries and developer tools to build, test and debug Android apps In our context , more important ones are adb, apktool, and the emulator
  • 16.
     Android DebugBridge: Command line tool to communicate with emulator instance or connected physical/virtual device  Useful Commands:  adb devices  adb connect  adb shell  adb install  adb push/pull
  • 17.
     apktool: isused to decode and reverse engineer android application Command: apktool d <apk file>
  • 18.
     dex2jar –convertsdex file to jar containing reconstructed source code which can be viewed in jdgui
  • 19.
     AndroidManifest.xml- Thisfile contains all application components and application permissions
  • 20.
     Drozer  BurpSuite  Droidbox  MobSF  Inspeckage
  • 21.
     Drozer: Oneof the most chosen tools for Android security testing. A security testing framework, great to determine app attack surface and interact with it.
  • 23.
    Most common vulnerabilitiesfound during Android application testing:  OTP bypass  Authentication bypass  IDOR  Information Leakage  Privilege Escalation
  • 26.
     Store datasafely  Enforce secure communication  Use web view objects carefully  Provide the right permissions to application  Update security provider to protect against exploits  Share only sensitive data to cache files  Use shared preferences in private mode https://developer.android.com/topic/security/best- practices