Back to timeline

Xtreme Android Exploitation Lab

Nullcon 2015



The Android Exploitation Lab is a 2 day action-packed class of extreme Android Security and Exploitation. We will have a look at the internals of the Android platform, understand it’s weakness, analyze and reverse applications, find vulnerabilities and exploit them.

The class is developed in a hands-on and CTF approach, where each attendee gets to have their hands dirty with exploiting real world Android applications and binaries. The training will be done on an Android Tamer distribution prepared exclusively for the Nullcon training.

The two trainers have put a lot of research in order to come up with this training for the first time @ Nullcon 2015. Attendees will also get full access to the automated cloud based app security assessment framework AppWatch after the training.

Course Outline Day wise

Android Basics

Android Security Model

Intro to application development

Setting up the Pentesting Environment

App Kung-Fu

Exploiting Logic and Code flaws in applications

Arm Basics

Dex Labs

Automated Analysis & Exploitation

Leveraging Dynamic Instrumentation frameworks

Further Exploitation

Android Forensics & Malware Analysis

Being secure

What to bring?


Who Should Attend?

What to expect?

What not to expect?

To be an Android Hacking Expert/Ninja in a matter of 2 days. Even though this training would take you to a considerably high level in Android Security/Exploitation, and impart you with all the necessary skills needed, you need to work on your own and use the skills learnt in the training class to continue your Android Security explorations.

About the Trainers

Anant Shrivastava (@anantshri)

Anant Shrivastava is an experienced information security professional with 6 yrs of corporate experience with expertise in Mobile, Web application and Linux Security.

He has developed his expertise in mobile security over years and has successfully executed multiple mobile application security assessment projects. He has trained 100+ delegates on Android Security at various conferences (Nullcon - 2012, g0s - 2013, c0c0n - 2013). He has created Android Tamer a Linux environment specially designed for Android Testing. He has also delivered talks at various security conferences on Android Operating System and Web application technologies. He holds various industry recognized certifications such as SANS GWAPT (GIAC Certified Web Application Testing), CEH (Certified Ethical Hacker) and RHCE (RedHat certified Engineer).

He is one of the co-author for OWASP Testing Guide v4. His whitepaper on “Web Application Fingerprinting” is referred as authority reference in OWASP Testing Guide. He has written multiple tools for web application and android testing, which are listed in his Github profile . He has credited with multiple responsible public disclosures ( refer . His tool named SVN Extractor is warmly received by penetration testing community. He has built a security solutions repository for WordPressCMS which contains open source code snippets to provide protection against known attack patterns . He is also a lead for project named as Code Vigilant , which aims to identify security, issues in open source software’s and currently holds 150+ vulnerability disclosures.He can be contact at

Aditya Gupta (@adi1391)

Aditya Gupta is the founder and trainer of Attify, a mobile security firm, and leading mobile security expert and evangelist. Apart from being the lead developer and co-creator of Android framework for exploitation - a framework for exploitation of Android applications, he has done a lot of in-depth research on the security of mobile devices, including Android, iOS, and Blackberry, as well as BYOD Enterprise Security.

He is also the author of the popular Android security book “Learning Pentesting for Android” selling over 5000+ copies, since the time of launch in March 2014. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe, Skype, and many more.

In his previous work at, his main responsibilities were to look after web application security and lead security automation. He also developed several internal security tools for the organization to handle the security issues.

He has also previously spoken and trained at numerous international security conferences including BlackHat, Syscan, OWASP AppSec, Toorcon, Clubhack, Nullconetc, along with many other corporate trainings on Mobile Security. He has also recently launched a cloud based automated mobile application security scanning solution for enterprises, called “AppWatch”. He could be contacted at