Thank you for sending your enquiry! One of our team members will contact you shortly.
Thank you for sending your booking! One of our team members will contact you shortly.
Course Outline
Day 1: Introduction to System Security Android
- introduction to the system Android
- security model Androida: application isolation, permission system
- Android from a programmer's point of view: Java, Kotlin, manifest, resources, IPC components, web API
- apps from the inside: dex and apk file formats
- Android a Linux: from a developer's point of view and from a security researcher's point of view
- securityAndroidand from the inside: DAC, SELinux, partition mounting, dm-verity
- rooting
- basic tools: Android Studio, ADB, logcat
- security of Android applications in theory: CVSS, MASVS, MSTG
Day 2: Reverse engineering Android applications, static analysis and IPC security
- what is reverse engineering (reversion)
- reverse engineering using apktool: resource decoding, code disassembly
- Dalvik virtual machine, dex bytecode and Smali language
- code decompilation to language Java: Bytecode Viewer
- working with decompiled code in Android Studio
- Manifest analysis for IPC
- automatic static analysis using MobSF
- dynamic analysis of the IPC attack surface using Drozer
- vulnerabilities in IPC
- preparing proof of concept: am, Drozer, Java/Kotlin
Day 3: Dynamic analysis, repacking and instrumentation
- application log analysis
- file system content analysis
- debuggable and backupable applications
- working with the debugger
- network traffic analysis: tcpdump, Burp Proxy
- trusted certificates and certificate pinning
- repacking: modifying application code or manifest, ziapligner, jarsigner
- instrumentation: Frida and Objection
Day 4: WebView, cross-platform applications, native libraries
- WebView: HTML and JavaScript in Android applications
- interactions between WebView and Java: access to the filesystem and JavascriptInterface
- WebView vulnerabilities: gaining access via escape, XSS, or debuggable WebView
- WebView vulnerabilities: escalation via JavascriptInterface
- cross-platform applications: theory
- reverse engineering applications C# (Xamarin) using dotPeek and ILSpy
- reverse engineer JavaScript (React Native) applications with react-native-decompiler
- other cross-platform frameworks: Flutter (Dart), Ionic/Angular (JavaScript) and others
- native libraries: C, C++ and machine code in Android applications
- JNI: System.loadLibrary() and methods with the native keyword
- reverse engineering native libraries using Ghidra
Day 5: Web API security
- Web API in Android applications
- protocols for web API: SOAP, REST, JSON-RPC, GraphQL and others
- OWASP API Top 10
- capturing API communication using Burp Proxy
- Burp Repeater: API query modification
- authentication vulnerabilities: credential stuffing, login SQL injection, JWT vulnerabilities
- vulnerabilities related to access control: IDOR, mass assignment, access to administrative and debug functions
- other vulnerabilities: SSRF, injection, redundant data in error messages, server vulnerabilities
- discovering additional API functions in definition files: WSDL, Swagger/OpenAPI, GraphQL SDL, etc.
- automatic generation of API queries: SoapUI, Postman
Requirements
Basic security knowledge.
System knowledge Android.
35 Hours
Testimonials (4)
That there was a lot of exercises.
Katarzyna Straszewska - Swiss AviationSoftware Ltd.
Course - Build Native iOS and Android Apps with Flutter
More on the lab.
Sarbin - Cagayan Electric Power And Light Co., Inc.
Course - Flutter Development Bootcamp with Dart
On time, training resources is readily available
MIKHAIL JOSUE MONTECILLO - PAg-IBIG Fund
Course - Xamarin for Cross-Platform Development
The knowledge of the trainer. He was able to answer all of my questions, even questions about our platform. He also continued to help until we all understood the material.
