Android Hacking Workshop
Speaker
Sunita Sharma
Deputy Manager
@Titan Company Limited
Sunita Sharma is a distinguished Mobile Application Security Penetration Tester specializing in web applications and APIs. Her dedication to advancing mobile application security and bug bounty programs has made her a driving force in the cybersecurity community. As a core team member of the Seasides Conference and a volunteer at c0c0n23 Conference, Sunita is highly respected for her expertise. She is also a sought-after speaker at NULL/OWASP and THM meetups and serves as the chapter lead for the NULL Bangalore meetup, where she shares her extensive knowledge and insights.
Workshop Overview
Welcome to the Android Hacking Workshop at BSides! This hands-on session is designed for security enthusiasts, penetration testers, and developers who want to dive deep into the world of Android security. Over the course of the workshop, participants will learn about various vulnerabilities in Android applications, exploit techniques, and best practices for securing Android apps.
Agenda
Introduction to Android Security
- Overview of the Android operating system architecture.
- Understanding Android app components: Activities, Services, Broadcast Receivers, and Content Providers.
- Introduction to Android security features and model.
Setting Up the Environment
- Tools and software required for Android hacking.
- Setting up Android Studio and the Android emulator.
- Introduction to popular Android hacking tools: APKTool, JADX, Burp Suite, Frida, and MobSF.
Reverse Engineering Android Applications
- Extracting APK files from devices and emulators.
- Decompiling APK files using JADX and APKTool.
- Analyzing decompiled code to find vulnerabilities.
Static Analysis
- Understanding AndroidManifest.xml and its significance.
- Identifying insecure permissions and components.
- Analyzing code for hardcoded secrets, insecure configurations, and potential vulnerabilities.
Dynamic Analysis
- Setting up Burp Suite for Android app traffic interception.
- Using Frida for dynamic instrumentation.
- Hooking methods and manipulating app behavior at runtime.
Exploiting Common Vulnerabilities
- Exploiting insecure data storage (e.g., SharedPreferences, SQLite databases).
- Bypassing root detection mechanisms.
- Exploiting insecure communication (e.g., HTTP vs. HTTPS, certificate pinning bypass).
- Exploiting WebView vulnerabilities.
Advanced Exploitation Techniques
- Analyzing and exploiting native code vulnerabilities.
- Using custom scripts with Frida for advanced exploitation.
Secure Coding Practices
- Best practices for securing Android applications.
- Secure data storage techniques.
- Implementing secure communication protocols.
- Protecting against common vulnerabilities like SQL injection, XSS, and CSRF in Android apps.
Capture the Flag (CTF) Challenge
- Applying the skills learned during the workshop in a hands-on CTF challenge.
- Participants will work in teams to identify and exploit vulnerabilities in a provided Android application
Requirements
- Basic understanding of programming (preferably Java or Kotlin ).
- Familiarity with mobile application development concepts.
- Laptop with 100gb hard disk, virtualbox 7+..
- Bring your own laptop with the following installed:
- Android Studio
- Burp Suite
- Frida
- JADX
- APKTool
- MobSF
Takeaways
By the end of this workshop, participants will have a solid understanding of Android security, be able to identify and exploit common vulnerabilities, and implement best practices to secure Android applications. Participants will also gain hands-on experience through practical exercises and a CTF challenge, enhancing their skills and knowledge in Android hacking.