
Attack and Defend Android Applications

Blackhat USA 2022



NOTE: This course will be offered In-Person

This course takes a focused approach to Android application security. We start by identifying the various ways an Android application can be attacked, then cover the scenarios in which Android application pen testers typically struggle:

• How to intercept traffic (HTTP/HTTPS/WebSocket/non-HTTP)
• How to bypass root detection
• How to perform static and dynamic analysis of an application
• How to perform dynamic instrumentation (Frida / Xposed / Magisk)
• How to analyze HTML5 and non-Java/Kotlin applications

We cap the attack section with a CTF: students are given a previously unseen application containing several exploitable scenarios and compete to identify as many weaknesses as possible in the shortest time.

Then we shift gears and focus on defending applications. The major areas covered are:
• Application Threat Modeling
• Application Source code Review
• Identifying weaknesses
• Adding Security into CI / CD Pipeline for the application

This section has a capstone challenge built around an intentionally vulnerable application that is integrated into a CI/CD pipeline. Attendees add security tooling to the pipeline and fix the flaws it discovers.

The aim is not to take students from zero to hero, but to provide a methodical approach with which participants can perform any Android application assessment. Students receive access to a learning portal, a soft copy of the slides, detailed answer sheets and the virtual machine environments.

Course Outline

Android Basics

OS Architecture
Android permission model and recent changes in Android 10-12
Inter-process communication (Intents, Binder, deep linking)
Application Structure
JNI Bridging
Exercise: Set up a build environment and build a basic application with a registered deep link (base code provided)

Attacking Android Application

• Attacking Android applications
Attack surface mapping for the application
Introduction to common references: MITRE ATT&CK (Mobile) and OWASP MSTG
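The outline names attack surface mapping and deep linking but does not show what the mapping step produces. The following is an added example, not course material or tooling from the course authors: a small Python script that reads a decoded AndroidManifest.xml (as apktool emits it, or a source-tree manifest), applies the platform's export defaults to find every component another app can reach, records whether a permission guards it, and pulls out the ACTION_VIEW deep-link filters. The manifest embedded below is constructed for the example; the package com.example.bank and its component names are made up.

```python
"""Attack-surface mapping from a decoded AndroidManifest.xml.

Added example for this outline, not course material: list every component
another app can reach, whether a permission protects it, and the deep-link
(ACTION_VIEW) filters that expose it to browsers and other apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component, target_sdk):
    """Platform export rule for one component element.

    An explicit android:exported wins. Otherwise a component carrying an
    <intent-filter> is exported by default (the implicit export that API 31+
    refuses to install without an explicit value), and a provider defaults to
    exported only when the app targets API < 17.
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None


def deep_links(component):
    """Collect ACTION_VIEW filters. Android pools every <data> attribute of a
    filter, so a scheme-only <data> beside an https one widens what matches;
    the pooled sets are therefore reported per filter."""
    links = []
    for flt in component.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        if "android.intent.action.VIEW" not in actions:
            continue
        schemes, hosts, paths = set(), set(), set()
        for data in flt.findall("data"):
            for key, bucket in (("scheme", schemes), ("host", hosts)):
                if _attr(data, key):
                    bucket.add(_attr(data, key))
            for key in ("path", "pathPrefix", "pathPattern"):
                if _attr(data, key):
                    paths.add(_attr(data, key))
        links.append({"schemes": sorted(schemes), "hosts": sorted(hosts),
                      "paths": sorted(paths),
                      "autoVerify": _attr(flt, "autoVerify") == "true"})
    return links


def map_attack_surface(manifest_xml, target_sdk=None):
    """Return one record per reachable component. target_sdk overrides
    <uses-sdk>, which apktool moves out of the manifest into apktool.yml."""
    root = ET.fromstring(manifest_xml)
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        perms = [p for p in (_attr(comp, "permission"), _attr(comp, "readPermission"),
                             _attr(comp, "writePermission")) if p]
        findings.append({
            "type": comp.tag,
            "name": _attr(comp, "name"),
            "implicit": _attr(comp, "exported") is None,  # exported only via intent-filter
            "permissions": perms,
            "deep_links": deep_links(comp),
        })
    return findings


# Constructed manifest (hypothetical app) for the demonstration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:name=".App">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="bank.example" android:pathPrefix="/transfer"/>
        <data android:scheme="examplebank"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.bank.data"/>
  </application>
</manifest>"""


def report(findings):
    for f in findings:
        guard = ", ".join(f["permissions"]) or "NO permission"
        how = "implicit (intent-filter)" if f["implicit"] else "explicit"
        print(f'{f["type"]:<9} {f["name"]:<18} exported={how:<24} {guard}')
        for link in f["deep_links"]:
            print(f'          deep link: schemes={link["schemes"]} hosts={link["hosts"]} '
                  f'paths={link["paths"]} autoVerify={link["autoVerify"]}')


if __name__ == "__main__":
    report(map_attack_surface(SAMPLE_MANIFEST))
```

Run against the constructed manifest, the report flags TransferActivity and BootReceiver as reachable with no permission and exported only implicitly through their intent filters, shows that the pooled deep-link filter also accepts the custom examplebank scheme alongside https, and omits DataProvider because the app targets API 30; passing target_sdk=16 brings the provider into the list, which is the pre-API-17 default that still trips up legacy apps.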

• Answers to Tricky Questions

Intercepting traffic (HTTP/HTTPS/WebSocket/non-HTTP)
Bypassing root detection (simple to complex)
Deobfuscating application code, and where it might fail
Dynamic instrumentation via Frida / Xposed + Magisk
Static and dynamic analysis of applications (manual and automated approaches)
Testing non-Kotlin/Java applications (HTML5, Flutter, PWA, .NET and more)

Exercise: Each question is accompanied by at least one challenge; trickier scenarios such as interception and rooting have more.

• Attack CTF: Exploit a fresh application and identify its various flaws

Defending Android Application

• Android ecosystem threat modeling from a defense perspective (a slightly deeper version of attack surface mapping)
• Introduction to OWASP MASVS and its usage, along with additional observations
• Establish a defense methodology and strategy
• Identify issues in code via static code analysis (Semgrep and other tools)
• Introduction to CI/CD pipelines for Android applications
• Identifying the tools to be placed in the CI/CD pipeline (SAST / DAST / third-party library tracking)

Exercise: Each tool discussed has an exercise in which it is used to identify flaws in applications. The example applications are real-life cases of issues made public in the past two years.

• Defend CTF: An application CI/CD pipeline is provided; students add various tools and fix the issues they identify.

Key Takeaways

Who Should Take this Course

Audience Skill Level


Student Requirements

The course assumes basic familiarity with the command line and Linux. User-level familiarity with an Android phone is good to have.

What Students Should Bring

Laptop with:

Setup instructions will be sent as part of the pre-course communication. On-site help with VM setup can be provided, but this absolutely requires administrative access to the laptop OS as well as the BIOS.

What Students Will Be Provided With


Anant Shrivastava is the founder of Cyfinoid Research, which specializes in cyber security research. Previously he was a Technical Director at NotSoSecure Global Services, a boutique cyber security consultancy. He has been a trainer and speaker at various international conferences (Black Hat USA/Asia/EU, Nullcon, c0c0n and many more). Anant also leads the open source projects Tamer Platform and CodeVigilant, and maintains the archive portal Hacking Archives of India. In his free time he takes part in open communities dedicated to spreading information security knowledge, such as the null community, Garage4Hackers, hasgeek and OWASP.

Prashant Mahajan is a Director at Payatu Australia Pty Ltd. He has over a decade of experience with various aspects of Information Security including penetration testing, vulnerability analysis, digital forensics, and incident response. He is also a developer of open-source tools such as ADRecon and AzureADRecon, a founder member of Null - The Open Security Community and a frequent speaker at industry events and training.

Official Links:

August 6-7, 2022 and August 8-9, 2022