c0c0n 2015

Talk

Abstract

OWASP Top 10 introduced A9: Usage of known vulnerable component. Although one of the important issue however still highly ignored. This talk will focus on various aspects of This issue and what could be done at various level’s of Information technology flow. We are not going to stress more on the impact rather the focus of this presentation would be on what can be done to reduce the effect. How a developer or a tester or a administrator find out about A9 issues and work towards mitigating it. This talk will not just look at various existing tools that can be use but also how to integrate them in environment as well as how to craft your component usage policy to counter the effect of A9 issues.

As part of the presentation we will also be sharing automation techniques and various technological solutions on how to counter A9 issues.

Slides

Training

Deep Dive Android 2015

OBJECTIVE

Android is the leading Operating system. It is used not just in Smartphones / Tablet but also is used as base for interactive Television, gaming console and lot more systems. The obvious resultant is that there is a large focus towards developing applications for this platform and to maintain its security. This workshop aims to equip information security professionals with knowledge about Android Operating system and how to ensure that the application are followin best security practices.

Students of this course will learn how to operate and make the best of the Android Tamer Virtual machine environment specifically designed for android penetration testing, from its creator. After taking this course you will be in a position to comfortably assess Android mobile application. You will be able to identify potential security issues as well as suggest possible remediations for issues such as Insecure Data Storage, Insufficient Transport Layer Protection, Unintended Data Leakage, Poor Authorization and Authentication, Broken Cryptography, Client Side Injection, Security Decisions Via Untrusted Inputs, Improper Session Handling, Lack of Binary Protections and more.

COURSE CONTENT

  1. Understand Android
    • Operating System Overview
    • File system Overview
    • Security Model
  2. Understand Android Application
    • Application Components
    • Application Structure
    • The SDK and Android Tools
    • Developing a basic application
  3. Penentration Testing Setup and methodology
    • Introduction to Android Tamer
    • Setting up the environment
    • Penetation testing approach
    • Reverse Engineering basics
    • Rooting basics
    • Manual Pentesting
    • Automated Pentesting via Drozer
    • Dynamic Instrumentation via Xposed Framework
  4. Being secure
    • Writing Secure Code
    • Writing Python Scripts for automating android pentests
    • Checklist for android applications

PRE-REQUISITE

Basic familiarity of Linux usage
Python scripting knowledge is a plus, but not extremely required

PARTICIPANTS REQUIREMENTS/WHAT TO BRING

Windows 7/8 , Ubuntu 12.x +, Macbook (2011 or above model)
Administrative access on your laptop with external USB allowed
Laptop Processor should support Virtualization
Atleast 20+ GB free hard disk space
4 GB or more RAM
Genymotion installed (Downloadable from http://goo.gl/uGvWFM)

DURATION

1 day

WHAT TO EXPECT

Getting started with Android Security
Reversing and Auditing of Android applications
Finding vulnerabilities and exploiting them
Hands-on with different Android components from security perspective

WHAT NOT TO EXPECT

To be an Android Hacking Expert/Ninja in a matter of 1 Day. Even though this training would take you to a considerably high level in Android Security/Exploitation, and impart you with all the necessary skills needed, you need to work on your own and use the skills learnt in the training class to continue your Android Security explorations.

WHO SHOULD ATTEND

Security Professionals
Web Application Pentesters
Application Developers
People interested to start into Android security

Ref: https://is-ra.org/c0c0n/2015/workshops#Anant_Shrivastava