Back to timeline

Xtreame Android Exploitation Lab Training

Nullcon 2016


Xtreame Android Exploitation Lab


Xtreame Android Exploitation Lab is a 2 days fast paced hands-on session. The class is revamped to provide students with hands-on exposure which they can start applying immediately after the session.
This training will teach you:

  1. How to decompile an android application and understand obfuscated code
  2. Intercept traffic from android application even with protections like HTTPS certificate validation and SSL Pinning
  3. How to defeat root detection
  4. Perform manual and automated static analysis
  5. Perform automated analysis using tools like drozer and Mobile Security Framework and more
  6. Perform application hooking and dynamic instrumentation using Xposed Framework including writing own custom xposed module.
  7. Analyze HTML5 Applications
  8. Fuzzing Android for memory corruption vulnerabilities
  9. Perform Remote Code Executions
  10. Write your own tools / scripts to automate analysis

And much more. The entire lab is designed in a scenario based situation where we will perform the same attacks that an attacker can do to gain access. Multiple applications have been developed to mimic real life vulnerabilities and multiple real world applications will be analyzed and exploited.

Each attendee will be provided with complete testing environment preconfigured for application assessment. The environment will consist of Android Tamer distribution customized for NullCon Training and customized Android Emulator images pre-configured with security tools. Attendees will learn and understand how to make best use of Android Tamer for android application penetration testing, directly from its creator.

All attendees will also be provided access to a continuous learning portal which will allow them to continue learning newer security developments even after finishing the training session. The portal also provides options to collaborate amongst the present and current students and also to interact with the trainer.

At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them in a real world application.

Course Outline Day wise

Day 1

Day 2

What to bring?


Basic familiarity of Linux usage
Python scripting knowledge is a plus, but not essential

Who Should Attend?

Security Professionals
Web Application Pentesters
Application Developers
People interested to start doing Android security

What to expect?

Intense, fast paced learning using a combination of scenarios, case studies, hacker tools
Reversing and auditing of Android applications
Finding vulnerabilities and exploiting them
Hands-on with different Android components from security perspective
A custom CTF to end the two days of training

What not to expect?

To be an Android Hacking Expert/Ninja in a matter of 2 days. Even though this training would take you to a considerably high level in Android Security/Exploitation, and impart you with all the necessary skills needed, you need to work on your own and use the skills learnt in the training class to continue your Android Security explorations.

About the Trainer

Anant Shrivastava (@anantshri)

Anant Shrivastava is an information security professional with 7+ yrs of corporate experience with expertise in Mobile, application and Linux Security. He has trained ~300 delegates at various conferences (BlackHat USA โ€“ 15, BlackHat Europe โ€“ 15, RuxCon 2015, c0c0n 2015, Nullcon โ€“ 2015, g0s โ€“ 2013, c0c0n โ€“ 2013, NullCon โ€“ 2012). He holds various industry recognized certifications such as SANS GWAPT (GIAC Certified Web Application Testing and RHCE (RedHat certified Engineer). He is co-author for OWASP Testing guide version-4. He is credited with multiple responsible public disclosures (refer He also maintains an Android Security distribution called Android Tamer ( and also runs a responsible disclosure program for open source software under the name CodeVigilant ( He can be contact at

Anto Joseph (@antojosep007)

Anto Joseph is a Security Engineer for Citrix with 4 + years of expertise in Mobile , Systems and Web . He is a strong supporter of Free & Open Information Security Education. His area of interest includes Web,Mobile and Systems. He is currently researching on Android and IOT Security .He has talked and conducted Trainings in various security conferences like c0c0n 2015 , XorConf 2015 , GroundZero 2015 etc and has good expertise in Practical Security. His code / works could be seen @ .