{"id":2500,"date":"2024-10-27T11:07:29","date_gmt":"2024-10-27T05:37:29","guid":{"rendered":"https:\/\/iciss.isrdc.in\/?page_id=2500"},"modified":"2024-12-07T01:29:14","modified_gmt":"2024-12-06T19:59:14","slug":"tutorial-2-android-security","status":"publish","type":"page","link":"https:\/\/iciss.isrdc.in\/2024\/?page_id=2500","title":{"rendered":"Tutorial 2: Android Security"},"content":{"rendered":"\n

by Vivek Balachandran
Associate Professor
Singapore Institute of Technology
&
Deputy CEO
Verbosecurity Pte Ltd Singapore
https:\/\/www.vivekb.info\/<\/a>
Date: 16 December 2024; Time: 9:30 AM; Venue: LNMIIT, LH-16<\/a>, RIEP building<\/p>\n\n\n\n

\n\n\n\n

This hands-on workshop focuses on static and dynamic analysis techniques to assess Android app security. Participants will learn how to use tools like Androwarn, Drozer, Frida, and BurpSuite to analyze apps, bypass security mechanisms, and intercept network traffic. By the end, attendees will be able to identify vulnerabilities in Android apps and understand techniques for securing them. Participants will have hands-on experience with tools for both static and dynamic analysis of Android apps. They will be able to assess app security, identify vulnerabilities, bypass SSL pinning, and manipulate app behaviors through Frida, gaining practical skills for Android security testing.

Prerequisites
<\/strong>
Laptop with at least 8GB RAM, VMware Workstation Pro\/Player (for running the virtual machine), BurpSuite Community Edition, Genymotion, basic familiarity with command-line tools and Python.
– Download this VM: https:\/\/drive.google.com\/file\/d\/1nNJnX32c8x-XGLMjvgxeBuE2J15N_1bz\/view?usp=sharing<\/a>
– Install Genymotion: https:\/\/www.genymotion.com\/product-desktop\/<\/a>

Outline
<\/strong>
Module 1: Introduction to Android Security (30 mins)
<\/strong>\u2013 Overview of Android architecture
\u2013 Security model of Android OS
\u2013 Common vulnerabilities in Android apps
\u2013 Outcome: Understanding the basic architecture and security challenges in Android applications.<\/p>\n\n\n\n

Module 2: Static Analysis with Androwarn (1 hour)
<\/strong>\u2013 Overview of static analysis and Androwarn
\u2013 Analyzing APKs with Androwarn
\u2013 Interpreting Androwarn reports to identify permissions, activities, and potential vulnerabilities
\u2013 Hands-on: Analyze a sample APK and generate a report with Androwarn
\u2013 Hands-on: Identify permissions and investigate potential security risks
\u2013 Outcome: Ability to perform static analysis on an APK using Androwarn and understand its report.<\/p>\n\n\n\n

Module 3: Dynamic Analysis Setup with Drozer (1.5 hours)
<\/strong>\u2013 Introduction to Drozer and its functionalities
\u2013 Setting up Drozer on Linux and connecting to an Android emulator
\u2013 Using Drozer to enumerate app components (activities, services, broadcast receivers)
\u2013 Command examples for analyzing app attack surfaces and sending intents
\u2013 Hands-on: Install Drozer and analyze the FourGoats app to discover its attack surface
\u2013 Hands-on: Investigate vulnerable components and experiment with sending intents
\u2013 Outcome: Ability to use Drozer to conduct dynamic analysis, explore app components, and find exposed interfaces.

Module 4: Intercepting TraKic with BurpSuite (1 hour)
<\/strong>\u2013 Setting up BurpSuite for Android traBic interception
\u2013 Configuring the Android emulator to route traffic through BurpSuite
\u2013 Configuring proxy settings on an emulator or physical device
\u2013 Intercepting HTTP\/S traffic from the app
\u2013 Hands-on: Configure BurpSuite on the workstation and set up the Android emulator to forward traffic
\u2013 Hands-on: Capture and inspect traffic generated by a vulnerable app
\u2013 Outcome: Ability to configure BurpSuite as a proxy and capture HTTP\/S traffic from an Android app.

Module 5: SSL Pinning Bypass with Frida (1 hour)
<\/strong>\u2013 Overview of SSL pinning and its role in secure network communication
\u2013 Introduction to Frida for dynamic instrumentation
\u2013 Using Frida scripts to bypass SSL pinning in Android apps
\u2013 Hands-on: Load an APK that implements SSL pinning
\u2013 Hands-on: Run a Frida script to bypass SSL pinning and intercept HTTPS traffic in BurpSuite
\u2013 Outcome: Understanding of SSL pinning and ability to bypass it using Frida for deeper traffic analysis.

Module 6: Dynamic Instrumentation with Frida (1.5 hours)
<\/strong>\u2013 Setting up Frida for dynamic analysis on an Android device
\u2013 Injecting JavaScript code to hook functions and alter app behavior
\u2013 Examples of function hooking (e.g., bypassing app security checks, altering function return values)
\u2013 Hands-on: Use Frida to hook a method in a sample app and modify its behavior
\u2013 Hands-on: Explore how to dynamically alter the app logic by injecting code
\u2013 Outcome: Ability to use Frida to hook into app functions and manipulate them for security testing.

Module 7: APK Decompilation and Source Code Analysis (45 mins)
<\/strong>\u2013 Introduction to dex2jar and JD-GUI for APK de-compilation
\u2013 Analyzing de-compiled code to identify sensitive information and logic
\u2013 Hands-on: De-compile a sample APK and locate critical functions in the source code
\u2013 Hands-on: Identify hard-coded secrets or vulnerable code paths
\u2013 Outcome: Ability to de-compile an APK and analyze the Java source code for security weaknesses.

Module 8: Wrap-Up and Q&A (15-30 mins)
<\/strong>\u2013 Review of key takeaways and best practices
\u2013 Resources for further learning and practice
\u2013 Open Q&A session for participants to ask questions
\u2013 Outcome: Reinforced understanding of Android security principles and tools.<\/p>\n","protected":false},"excerpt":{"rendered":"

by Vivek BalachandranAssociate ProfessorSingapore Institute of Technology&Deputy CEOVerbosecurity Pte Ltd Singaporehttps:\/\/www.vivekb.info\/Date: 16 December 2024; Time: 9:30 AM; Venue: LNMIIT, LH-16, RIEP building This hands-on workshop focuses on static and dynamic analysis techniques to assess Android app security. Participants will learn how to use tools like Androwarn, Drozer, Frida, and BurpSuite to analyze apps, bypass security […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/pages\/2500"}],"collection":[{"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2500"}],"version-history":[{"count":7,"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/pages\/2500\/revisions"}],"predecessor-version":[{"id":2728,"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=\/wp\/v2\/pages\/2500\/revisions\/2728"}],"wp:attachment":[{"href":"https:\/\/iciss.isrdc.in\/2024\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2500"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}