Tutorial 2: Android Security

by Vivek Balachandran
Associate Professor
Singapore Institute of Technology
&
Deputy CEO
Verbosecurity Pte Ltd Singapore
https://www.vivekb.info/
Date: 16 December 2024; Time: 9:30 AM; Venue: LNMIIT, LH-16, RIEP building


This hands-on workshop focuses on static and dynamic analysis techniques for assessing Android app security. Participants will learn how to use tools such as Androwarn, Drozer, Frida, and BurpSuite to analyze apps, bypass security mechanisms, and intercept network traffic. By the end, attendees will be able to identify vulnerabilities in Android apps and understand techniques for securing them. Having worked hands-on with tools for both static and dynamic analysis, participants will be able to assess app security, identify vulnerabilities, bypass SSL pinning, and manipulate app behavior through Frida, gaining practical skills for Android security testing.

Prerequisites

Laptop with at least 8GB RAM, VMware Workstation Pro/Player (for running the virtual machine), BurpSuite Community Edition, Genymotion, basic familiarity with command-line tools and Python.
– Download this VM: https://drive.google.com/file/d/1nNJnX32c8x-XGLMjvgxeBuE2J15N_1bz/view?usp=sharing
– Install Genymotion: https://www.genymotion.com/product-desktop/

Outline

Module 1: Introduction to Android Security (30 mins)
– Overview of Android architecture
– Security model of Android OS
– Common vulnerabilities in Android apps
– Outcome: Understanding the basic architecture and security challenges in Android applications.

Module 2: Static Analysis with Androwarn (1 hour)
– Overview of static analysis and Androwarn
– Analyzing APKs with Androwarn
– Interpreting Androwarn reports to identify permissions, activities, and potential vulnerabilities
– Hands-on: Analyze a sample APK and generate a report with Androwarn
– Hands-on: Identify permissions and investigate potential security risks
– Outcome: Ability to perform static analysis on an APK using Androwarn and understand its report.

Module 3: Dynamic Analysis Setup with Drozer (1.5 hours)
– Introduction to Drozer and its functionalities
– Setting up Drozer on Linux and connecting to an Android emulator
– Using Drozer to enumerate app components (activities, services, broadcast receivers)
– Command examples for analyzing app attack surfaces and sending intents
– Hands-on: Install Drozer and analyze the FourGoats app to discover its attack surface
– Hands-on: Investigate vulnerable components and experiment with sending intents
– Outcome: Ability to use Drozer to conduct dynamic analysis, explore app components, and find exposed interfaces.

Module 4: Intercepting Traffic with BurpSuite (1 hour)
– Setting up BurpSuite for Android traffic interception
– Configuring the Android emulator to route traffic through BurpSuite
– Configuring proxy settings on an emulator or physical device
– Intercepting HTTP/S traffic from the app
– Hands-on: Configure BurpSuite on the workstation and set up the Android emulator to forward traffic
– Hands-on: Capture and inspect traffic generated by a vulnerable app
– Outcome: Ability to configure BurpSuite as a proxy and capture HTTP/S traffic from an Android app.

Module 5: SSL Pinning Bypass with Frida (1 hour)
– Overview of SSL pinning and its role in secure network communication
– Introduction to Frida for dynamic instrumentation
– Using Frida scripts to bypass SSL pinning in Android apps
– Hands-on: Load an APK that implements SSL pinning
– Hands-on: Run a Frida script to bypass SSL pinning and intercept HTTPS traffic in BurpSuite
– Outcome: Understanding of SSL pinning and ability to bypass it using Frida for deeper traffic analysis.

Module 6: Dynamic Instrumentation with Frida (1.5 hours)
– Setting up Frida for dynamic analysis on an Android device
– Injecting JavaScript code to hook functions and alter app behavior
– Examples of function hooking (e.g., bypassing app security checks, altering function return values)
– Hands-on: Use Frida to hook a method in a sample app and modify its behavior
– Hands-on: Explore how to dynamically alter the app logic by injecting code
– Outcome: Ability to use Frida to hook into app functions and manipulate them for security testing.

Module 7: APK Decompilation and Source Code Analysis (45 mins)
– Introduction to dex2jar and JD-GUI for APK decompilation
– Analyzing decompiled code to identify sensitive information and logic
– Hands-on: Decompile a sample APK and locate critical functions in the source code
– Hands-on: Identify hard-coded secrets or vulnerable code paths
– Outcome: Ability to decompile an APK and analyze the Java source code for security weaknesses.

Module 8: Wrap-Up and Q&A (15-30 mins)
– Review of key takeaways and best practices
– Resources for further learning and practice
– Open Q&A session for participants to ask questions
– Outcome: Reinforced understanding of Android security principles and tools.