Attack & Defend Android Applications

Introduction

Android has become a critical part of our daily lives, powering devices like phones, TVs, and even IoT systems. With this growing ecosystem comes increased concern over security and privacy. This has led to a greater need for security assessments and the secure operation of the Android application ecosystem.

This course is designed to equip application security engineers, developers, and penetration testers with the knowledge and hands-on experience to assess and defend Android applications. The course offers a balanced focus on both attacking and defending Android apps, with practical exercises and challenges at each stage.

Key topics include::

• Traffic interception (HTTP/HTTPS/WebSockets)
• Root detection bypass techniques
• Static and dynamic analysis
• Dynamic instrumentation (Frida/Magisk/Objection)
• Analyzing non-Java/Kotlin frameworks (React Native, Flutter, Xamarin)
• Building a full CI pipeline with security integration for Android apps

The course provides vulnerable applications for hands-on practice during attack sections, and requires setting up a CI/CD pipeline for real-world defense exercises. Participants will leave with practical skills and access to cloud-based labs, resources, and AMIs for continued learning.

Table of Contents

1. Android Security Fundamentals

   Objective: Establish a foundational understanding of Android OS architecture and application structure, ensuring all participants are on the same page.

   • Overview of Android OS Architecture
   • Android Permissions and Security Models
   • Inter-process Communication (Intents, Binders, Deep Linking)
   • Application Structure and Components (Manifest, Activities, Services)

2. Mapping the Android Attack Surface

   Objective: Understand the attack surface of Android applications and practice mapping out potential vulnerabilities using industry standards.

   • Attack Surface Mapping for Android Apps
   • Introduction to MITRE ATT&CK & OWASP MSTG
   • Traffic Interception (HTTP/HTTPS/WebSockets)
   • Bypassing Root Detection
   • Code Deobfuscation Techniques
   • Dynamic Instrumentation with Frida/Objection

3. Advanced Application Assessment

   Objective: Dive deep into static and dynamic analysis techniques, focusing on both native and hybrid applications.

   • Static Analysis (Source Code Review, Decompiled Binary Analysis)
   • Dynamic Analysis with Tools (MobSF, Pithas)
   • Hybrid App Assessment (React Native, Flutter, Xamarin)
   • Real-world Android App Vulnerabilities: Case Studies

4. Building the Full CI/CD Pipeline

   Objective: Guide participants through building a complete CI/CD pipeline for Android apps, integrating multiple layers of security testing and analysis.

   • Setting Up the CI Pipeline (GitHub Actions or any preferred platform)
   • Implementing SAST with Semgrep for Static Analysis
   • Dynamic Application Security Testing (DAST) Setup
   • Integrating 3rd-Party Library Tracking
   • Implementing Supply Chain Security in the Pipeline
   • Monitoring and Handling False Positives in Security Tools

Each section contains multiple hands-on challenges that will ensure the learnings are imbued in the minds of the attendees. Challenges range from compiling an application, to decompiling and security assessment of application to securely building the application.

Pre-Requisites :

This course assumes participants have basic familiarity with the command-line and Linux. No prior deep knowledge of Android is required, as all necessary concepts will be taught during the course.

Our labs are cloud-based, and a browser should be sufficient. However, we will still suggest the following hardware specs:

• Laptop with administrative access
• Stable internet connection for cloud-based labs
• Browser with access to port 80 and 443 (some web-socket connections might be required)

Hardware / Software / Internet Requirements

• Our labs are cloud based which means a strong Internet connection is a requirement for all students.

Duration

2 days, hands-on learning with a focus on practical application.

Target Audience

• Android security engineers
• Mobile app developers
• Pentesters with a focus on mobile security
• DevOps engineers working with Android CI/CD pipelines
• Anyone interested in securing Android applications

Learning Outcomes

Participants will:

• Perform thorough security assessments on Android applications
• Build and integrate a complete CI pipeline with security tools
• Gain hands-on experience with traffic interception, root detection bypass, dynamic instrumentation, and static analysis
• Understand the unique security challenges posed by hybrid applications

What to expect?

Participants will engage in 50% hands-on practice through cloud-based labs and challenges, with access to vulnerable applications for attack exercises and the task of building a full CI pipeline for defense exercises.

Who should attend?

• Resident Android security engineers,

• Android DevOps engineer,

• Mobile application developers,

• Pentesters or

• Anyone interested in Android security

• How to attack real-world Android applications

• How to integrate security into CI / CD Pipeline for Android Applications

What not to expect?

This is not a course designed to turn participants into instant expert hackers, but rather to provide methodical and practical approaches to Android security assessments.

Ref https://india.c0c0n.org/2024/attack-and-defend-android-applications