Back to timeline

Attack and Defend Android Applications

Blackhat USA 2023


Attack and Defend Android Applications - Black Hat USA 2023


This course takes a focused approach on android application security. We start with identifying various ways by which an android application could be attacked and then cover various scenarios in which android application pen testers will struggle.

Throughout the day students will be exposed to multiple applications with deliberate weaknesses that they will exploit using the techniques covered in the class. We will also have additional applications that students can play with after the class.

Then, we shift gears and focus on defending the applications, and major areas covered are

This section will be covered in a hand-holding fashion with focus on ensuring everyone is able to set up a pipeline for a deliberately insecure application, discover and subsequently fix the flaws.

We then cap this course of by covering secure coding strategies and defense in-depth implementational logics:

The aim is not to create zero to hero but provide a methodical approach with which any android application assessment could be performed by the participants. Students are provided with access to a learning portal and a soft copy of slides, detailed answer sheets and AMI’s for the environment.

Course Outline

Android Basics

Attacking Android Application

Answers to Tricky Questions

Exercise: Each question is accompanied by at least one challenge. There are more if scenarios are tricky such as interception and rooting

Defending Android Application

Exercise : Each tool discussed will have an exercise in it to identify various flaws in applications.

Defense Strategies for app developers

Sample techniques and strategies on these topics will be shared for attendees to get a better understanding of development pitfalls.

Key Takeaways

Who Should Take this Course

Audience Skill Level


Student Requirements

Course assumes basic familiarity with command-line and Linux. A user level understanding of Android phones is good to have knowledge.

What Students Should Bring

Our labs are cloud-based, and a browser should be sufficient. However, we will still suggest following hardware specs:

Please ensure if any HIDS or Firewall is installed, we have admin access to disable in case it interferes with the lab setup.

What Students Will Be Provided With


Anant Shrivastava is the founder of Cyfinoid Research which specializes in cybersecurity research. Previously he was a Technical Director at NotSoSecure Global Services, a boutique cybersecurity consultancy firm. He has been a trainer & a speaker at various international conferences (BlackHat-USA/ASIA/EU, Nullcon, c0c0n & many more). Anant also leads Open-Source projects, Tamer Platform & CodeVigilant. He also maintains the archive portal named Hacking Archives of India. In his free time, he likes to take part in open communities targeted towards spreading information security knowledge such as the null community, Garage4Hackers, hasgeek & OWASP.

Ankur Bhargava is leading the Product Security team at PhonePe. With many years of experience in this field, Mobile and REST API Security have become his forte. He is also well-versed in different flavors of Security such as Application, Network, and API testing. He has been speaking at many conferences in India, viz Cocon, Ground Zero, and Nullcon on topics like ‘PDF Exploitation’, ‘Mobile Automation Framework’, and ‘Android Security. He also provided training at Nullcon, c0c0n in 2012, and 2013,2020,2021 on Android Security. He also presented an Android security automation tool called β€˜Mafia’ in Blackhat EU 2017. The tool was also presented in Blackhat USA 2018.

Official Link