SlideShare a Scribd company logo

Getting started with android

V
Vandana Verma

Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She also works as a part-time bug bounty hunter and blogger. The document discusses Android security architecture, which uses UID separation and sandboxing to isolate apps from each other. It describes tools used for static and dynamic Android application testing such as apktool, dex2jar, and Drozer. Common vulnerabilities found include OTP bypass, authentication bypass, and privilege escalation. The document provides tips for developers to store data safely, enforce secure communication, and implement least privilege permissions.

Technology
1 of 27
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
MINALI ARORA
 A cyber security professional with almost 6 years of experience  Demostrated areas of work- Application & Network Pentesting, Bash Scripting and Red Teaming  Part time bug bounty hunter and blogger https://medium.com/@minaliarora  Loves to read about psychology  Follow me on twitter: @AroraMinali
 Android Overview  Android Architecture  Android Security Model  Android App Testing  OWASP Top 10  Security tips for Developers
Getting started with android
Getting started with android
 Android’s Security Model consists of two parts: ◦ UID Separation ◦ Sandboxing Linux Kernel offers unique UID and GID for each application at run time. Thus, an application runs in its own sandbox environment and does not affect any other apps running.
Getting started with android
AndroidManifest.XML Classes.dex Resources.arsc Assets Folder Lib Folder META-INF Folder Res Folder Other Files
Getting started with android
 Root your device (If you choose an emulator, then make sure that it is already rooted)  Allow unknown sources (Settings->Security)  Install the application  Connect the device/emulator to a proxy setup (for e.g. Burp)
Getting started with android
Methodology of testing an Android application can be broadly divided into two categories:  Static Testing  Dynamic Testing While static testing includes reversing an android application and reading the code, Dynamic testing includes analyzing the network traffic
Getting started with android
Getting started with android
 Android SDK: A software development kit containing API libraries and developer tools to build, test and debug Android apps In our context , more important ones are adb, aapt and the emulator
 Android Debug Bridge: Command line tool to communicate with emulator instance or connected physical/virtual device  Useful Commands:  adb devices  adb connect  adb shell  adb install  adb push/pull
 apktool: is used to decode and reverse engineer android application Command: apktool d <apk file>
 dex2jar –converts dex file to jar containing reconstructed source code which can be viewed in jdgui
 AndroidManifest.xml- This file contains all application components and application permissions
 Drozer  Burp Suite  Droidbox  MobSF  Inspeckage
 Drozer: One of the most chosen tools for Android security testing. A security testing framework, great to determine app attack surface and interact with it.
Getting started with android
Most common vulnerabilities found during Android application testing:  OTP bypass  Authentication bypass  IDOR  Information Leakage  Privilege Escalation
Getting started with android
Getting started with android
 Store data safely  Enforce secure communication  Use web view objects carefully  Provide the right permissions to application  Update security provider to protect against exploits  Share only sensitive data to cache files  Use shared preferences in private mode https://developer.android.com/topic/security/best- practices
Getting started with android

More Related Content

PDF
Getting started with Android pentesting
Minali Arora
 
PDF
Introduction to Android Development and Security
Kelwin Yang
 
PPT
Understanding Android Security
Asanka Dilruk
 
PPTX
Android security
Mobile Rtpl
 
PPTX
Android security
Midhun P Gopi
 
ODP
Android security in depth
Sander Alberink
 
PPT
Android Security
Suminda Gunawardhana
 
PPTX
Understanding android security model
Pragati Rai
 
Getting started with Android pentesting
Minali Arora
 
Introduction to Android Development and Security
Kelwin Yang
 
Understanding Android Security
Asanka Dilruk
 
Android security
Mobile Rtpl
 
Android security
Midhun P Gopi
 
Android security in depth
Sander Alberink
 
Android Security
Suminda Gunawardhana
 
Understanding android security model
Pragati Rai
 

What's hot (20)

PDF
Sperasoft talks: Android Security Threats
Sperasoft
 
PPTX
Android sandbox
Anusha Chavan
 
PPT
Analysis and research of system security based on android
Ravishankar Kumar
 
PDF
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
PDF
Android Security & Penetration Testing
Subho Halder
 
PDF
Android Security - Common Security Pitfalls in Android Applications
BlrDroid
 
PDF
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
PDF
Deep Dive Into Android Security
Marakana Inc.
 
PDF
Android Security
Lars Jacobs
 
PPTX
Android Security
Arqum Ahmad
 
PDF
Android Security
Mehrnaz Amoon
 
PPT
Bypassing the Android Permission Model
Georgia Weidman
 
PDF
Android application security testing
Mykhailo Antonishyn
 
PPTX
Android Device Hardening
anupriti
 
PDF
Android Security Overview and Safe Practices for Web-Based Android Applications
h4oxer
 
PPTX
Security threats in Android OS + App Permissions
Hariharan Ganesan
 
PPTX
Android pen test basics
OWASPKerala
 
PPTX
Pentesting Android Apps
Abdelhamid Limami
 
PPTX
[Wroclaw #1] Android Security Workshop
OWASP
 
PDF
Android Camp 2011 @ Silicon India
Avinash Birnale
 
Sperasoft talks: Android Security Threats
Sperasoft
 
Android sandbox
Anusha Chavan
 
Analysis and research of system security based on android
Ravishankar Kumar
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
Android Security & Penetration Testing
Subho Halder
 
Android Security - Common Security Pitfalls in Android Applications
BlrDroid
 
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
Deep Dive Into Android Security
Marakana Inc.
 
Android Security
Lars Jacobs
 
Android Security
Arqum Ahmad
 
Android Security
Mehrnaz Amoon
 
Bypassing the Android Permission Model
Georgia Weidman
 
Android application security testing
Mykhailo Antonishyn
 
Android Device Hardening
anupriti
 
Android Security Overview and Safe Practices for Web-Based Android Applications
h4oxer
 
Security threats in Android OS + App Permissions
Hariharan Ganesan
 
Android pen test basics
OWASPKerala
 
Pentesting Android Apps
Abdelhamid Limami
 
[Wroclaw #1] Android Security Workshop
OWASP
 
Android Camp 2011 @ Silicon India
Avinash Birnale
 
Ad

Similar to Getting started with android (20)

PPTX
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
PDF
Android pentesting
Mykhailo Antonishyn
 
PPTX
Android village @nullcon 2012
hakersinfo
 
PPTX
Mobile application security
Shubhneet Goel
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
PDF
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
PDF
The art of android hacking by Abhinav Mishra (0ctac0der)
OWASP Delhi
 
PDF
The art of android hacking
Abhinav Mishra
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
PPTX
Rapid Android Application Security Testing
Nutan Kumar Panda
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Abhinav Mishra
 
PPTX
Android pentesting
Mykhailo Antonishyn
 
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Romansh Yadav
 
PPTX
Untitled 1
Sergey Kochergan
 
PDF
Reading Group Presentation: Why Eve and Mallory Love Android
Michael Rushanan
 
PDF
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
PDF
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
Codemotion
 
PDF
CNIT 128 6. Analyzing Android Applications (Part 1)
Sam Bowne
 
PPTX
Security testing of mobile applications
GTestClub
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
Android pentesting
Mykhailo Antonishyn
 
Android village @nullcon 2012
hakersinfo
 
Mobile application security
Shubhneet Goel
 
Mobile Application Security
Ishan Girdhar
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
The art of android hacking by Abhinav Mishra (0ctac0der)
OWASP Delhi
 
The art of android hacking
Abhinav Mishra
 
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Abhinav Mishra
 
Android pentesting
Mykhailo Antonishyn
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Romansh Yadav
 
Untitled 1
Sergey Kochergan
 
Reading Group Presentation: Why Eve and Mallory Love Android
Michael Rushanan
 
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
Codemotion
 
CNIT 128 6. Analyzing Android Applications (Part 1)
Sam Bowne
 
Security testing of mobile applications
GTestClub
 
Ad

More from Vandana Verma (18)

PDF
Building security into the pipelines
Vandana Verma
 
PPTX
Applying OWASP web security testing guide (OWSTG)
Vandana Verma
 
PDF
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
PDF
SARCON Talk - Vandana Verma Sehgal
Vandana Verma
 
PDF
Sacon 2020 living in the world of zero trust v1.0
Vandana Verma
 
PDF
Addo 2019 vandana_dev_secops_culturalchange
Vandana Verma
 
PDF
App Sec village DevSecOps as a culture
Vandana Verma
 
PPTX
Oscp - Journey
Vandana Verma
 
PPTX
Web sockets - Pentesting
Vandana Verma
 
PPTX
Story of http headers
Vandana Verma
 
PPTX
Security audits & compliance
Vandana Verma
 
PPTX
Basics of Server Side Template Injection
Vandana Verma
 
PPTX
SIEM Vendor Neutrality
Vandana Verma
 
PPTX
Importance of Penetration Testing
Vandana Verma
 
PPTX
Identity & access management
Vandana Verma
 
PPTX
Chariot generic presentation owaspwia_Infosecgirls
Vandana Verma
 
PDF
OWASP - Dependency Check
Vandana Verma
 
PDF
Incident response in Cloud
Vandana Verma
 
Building security into the pipelines
Vandana Verma
 
Applying OWASP web security testing guide (OWSTG)
Vandana Verma
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
SARCON Talk - Vandana Verma Sehgal
Vandana Verma
 
Sacon 2020 living in the world of zero trust v1.0
Vandana Verma
 
Addo 2019 vandana_dev_secops_culturalchange
Vandana Verma
 
App Sec village DevSecOps as a culture
Vandana Verma
 
Oscp - Journey
Vandana Verma
 
Web sockets - Pentesting
Vandana Verma
 
Story of http headers
Vandana Verma
 
Security audits & compliance
Vandana Verma
 
Basics of Server Side Template Injection
Vandana Verma
 
SIEM Vendor Neutrality
Vandana Verma
 
Importance of Penetration Testing
Vandana Verma
 
Identity & access management
Vandana Verma
 
Chariot generic presentation owaspwia_Infosecgirls
Vandana Verma
 
OWASP - Dependency Check
Vandana Verma
 
Incident response in Cloud
Vandana Verma
 

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Teaching material agriculture food technology
LiaRayya
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Cloud computing and distributed systems.
kkkkkhan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 

Getting started with android

  • 2.  A cyber security professional with almost 6 years of experience  Demostrated areas of work- Application & Network Pentesting, Bash Scripting and Red Teaming  Part time bug bounty hunter and blogger https://medium.com/@minaliarora  Loves to read about psychology  Follow me on twitter: @AroraMinali
  • 3.  Android Overview  Android Architecture  Android Security Model  Android App Testing  OWASP Top 10  Security tips for Developers
  • 6.  Android’s Security Model consists of two parts: ◦ UID Separation ◦ Sandboxing Linux Kernel offers unique UID and GID for each application at run time. Thus, an application runs in its own sandbox environment and does not affect any other apps running.
  • 10.  Root your device (If you choose an emulator, then make sure that it is already rooted)  Allow unknown sources (Settings->Security)  Install the application  Connect the device/emulator to a proxy setup (for e.g. Burp)
  • 12. Methodology of testing an Android application can be broadly divided into two categories:  Static Testing  Dynamic Testing While static testing includes reversing an android application and reading the code, Dynamic testing includes analyzing the network traffic
  • 15.  Android SDK: A software development kit containing API libraries and developer tools to build, test and debug Android apps In our context , more important ones are adb, aapt and the emulator
  • 16.  Android Debug Bridge: Command line tool to communicate with emulator instance or connected physical/virtual device  Useful Commands:  adb devices  adb connect  adb shell  adb install  adb push/pull
  • 17.  apktool: is used to decode and reverse engineer android application Command: apktool d <apk file>
  • 18.  dex2jar –converts dex file to jar containing reconstructed source code which can be viewed in jdgui
  • 19.  AndroidManifest.xml- This file contains all application components and application permissions
  • 20.  Drozer  Burp Suite  Droidbox  MobSF  Inspeckage
  • 21.  Drozer: One of the most chosen tools for Android security testing. A security testing framework, great to determine app attack surface and interact with it.
  • 23. Most common vulnerabilities found during Android application testing:  OTP bypass  Authentication bypass  IDOR  Information Leakage  Privilege Escalation
  • 26.  Store data safely  Enforce secure communication  Use web view objects carefully  Provide the right permissions to application  Update security provider to protect against exploits  Share only sensitive data to cache files  Use shared preferences in private mode https://developer.android.com/topic/security/best- practices