Course Overview / Description:
The Android Application Security Training is a “2 Day Hands-On Training”. This training is intended for students interested in making a career in the information security domain, and specifically in the mobile security domain. It involves real-world scenarios that every security professional must be well versed in, including decompiling, real-time analysis and testing of mobile applications from a security standpoint. The training covers the internals of Android applications, real-time testing of Android applications, and a strategic approach to analysing applications for OWASP Top 10 vulnerabilities and mobile security issues such as injections, insecure APIs, insecure logging, insecure communication, insufficient cryptography, insecure authentication, poor code quality and many more. The training is made up of CTF-based modules in which attendees have to solve a different set of challenges to move on to the next set of modules, giving them real-time hands-on experience in pentesting mobile applications.
Core Idea: Get a complete understanding of Pentesting Mobile Applications and implementing Security into them.
Intent: To help enhance skills that are fast creating employment in the market.
Prerequisites / Eligibility: Passion to learn.
Detailed Course Content / Training Schedule / Curriculum:
ANDROID SECURITY MODULES
● Module 1
  ○ Introduction to Android Mobile OS
  ○ Android Security Architecture
  ○ Sandboxing Applications
  ○ Setting up the Android Emulator
  ○ Working with the Android Debug Bridge (ADB)
  ○ Setting up a Mobile Pentest Environment
● Module 2
  ○ Inspecting Application Certificates & Signatures
  ○ Signing/Resigning Android Applications
  ○ Application Signature Verification
  ○ Investigating the Android App Permissions through the Manifest File
  ○ Application Resources Extraction using ADB
● Module 3
  ○ Bypassing Android Permissions
  ○ Introduction to Drozer
  ○ Setting up and Running a Drozer Session
  ○ Enumerating Packages and their Activities
  ○ Enumerating Content Providers & Services
  ○ Enumerating Broadcast Receivers
  ○ Finding Vulnerabilities using Drozer
● Module 4
  ○ Reversing of Android Applications
  ○ Working with the Logcat
  ○ Disclosing Sensitive Information using Logcat
  ○ Network Traffic Inspection
  ○ Passive Intent Sniffing
  ○ Exploiting Services
  ○ Exploiting Broadcast Receivers
  ○ Exploiting Insecure Data Storage
  ○ Understanding the Top 10 Mobile Vulnerabilities
  ○ Exploiting Poor Cryptography Implementation
  ○ Exploiting Data Leakage Vulnerabilities
  ○ Exploiting the Debuggable Applications
  ○ Understanding the Concept of Certificate Pinning
  ○ Dynamically Analysing Android Applications
  ○ Understanding and Working with different Obfuscation Techniques
  ○ Static Analysis using MobSF
  ○ Getting into Bug Bounty Programs: BugCrowd, HackerOne
  ○ Learning from advanced exploitation methods via Responsible Disclosures
Why learn / Advantages:
This training is intended for students and professionals interested in making a career in the information security domain, and specifically in the mobile security domain, as it would help propel them into the mobile security industry.