Xtreame Android Exploitation Lab
Objective
Xtreame Android Exploitation Lab is a 2-day, fast-paced, hands-on session. The class has been revamped to give students hands-on exposure that they can start applying immediately after the session.
This training will teach you:
- How to decompile an Android application and understand obfuscated code
- How to intercept traffic from an Android application even with protections like HTTPS certificate validation and SSL pinning
- How to defeat root detection
- Perform manual and automated static analysis
- Perform automated analysis using tools such as drozer, Mobile Security Framework and more
- Perform application hooking and dynamic instrumentation using the Xposed Framework, including writing your own custom Xposed module
- Analyze HTML5 Applications
- Fuzzing Android for memory corruption vulnerabilities
- Perform Remote Code Executions
- Write your own tools / scripts to automate analysis
And much more. The entire lab is scenario-based: we will perform the same attacks that an attacker could use to gain access. Multiple applications have been developed to mimic real-life vulnerabilities, and multiple real-world applications will be analyzed and exploited.
Each attendee will be provided with a complete testing environment preconfigured for application assessment. The environment will consist of the Android Tamer distribution customized for NullCon Training and customized Android emulator images preconfigured with security tools. Attendees will learn and understand how to make the best use of Android Tamer for Android application penetration testing, directly from its creator.
All attendees will also be provided access to a continuous learning portal which will allow them to continue learning newer security developments even after finishing the training session. The portal also provides options to collaborate amongst the present and current students and also to interact with the trainer.
At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them in a real-world application.
Day-wise Course Outline
Day 1
- Understanding Android application code
- How to decompile an Android application
- How to handle obfuscated code
- How Dalvik Works
- Traffic interception of android applications
- How to handle SSL protections (cert validation, SSL Pinning)
- How to intercept non HTTP Traffic
- Defeating Root detection.
- HTML5 Application analysis
- Static analysis of application
Day 2
- Manual and Automated dynamic analysis
- Application hooking and dynamic instrumentation with writing your own module
- Fuzzing Android (core and applications)
- CTF challenge to be solved based on what was learned during class (attendees are expected to write code or use proper tools)
What to bring?
- Windows 7/8, Ubuntu 12.x+ (64-bit operating system), Mac OS X (Mavericks or later)
- Operating system with Intel/AMD hardware virtualization enabled
- Administrative access on your laptop with external USB allowed
- At least 20+ GB free hard disk space
- At least 4 GB RAM (the more the better)
- Genymotion installed (Downloadable from http://genymotion.com)
- VirtualBox Installed (Downloadable from http://www.virtualbox.org)
Prerequisites
- Basic familiarity with Linux usage
- Python scripting knowledge is a plus, but not essential
Who Should Attend?
- Security Professionals
- Web Application Pentesters
- Application Developers
- People interested in getting started with Android security
What to expect?
- Intense, fast-paced learning using a combination of scenarios, case studies and hacker tools
- Reversing and auditing of Android applications
- Finding vulnerabilities and exploiting them
- Hands-on work with different Android components from a security perspective
- A custom CTF to end the two days of training
What not to expect?
To become an Android Hacking Expert/Ninja in a matter of 2 days. Even though this training will take you to a considerably high level in Android Security/Exploitation and give you all the necessary skills, you need to work on your own and use the skills learnt in the training class to continue your Android security explorations.
About the Trainer
Anant Shrivastava (@anantshri)
Anant Shrivastava is an information security professional with 7+ years of corporate experience and expertise in Mobile, Application and Linux Security. He has trained ~300 delegates at various conferences (BlackHat USA – 15, BlackHat Europe – 15, RuxCon 2015, c0c0n 2015, Nullcon – 2015, g0s – 2013, c0c0n – 2013, NullCon – 2012). He holds various industry-recognized certifications such as SANS GWAPT (GIAC Certified Web Application Testing) and RHCE (RedHat Certified Engineer). He is a co-author of the OWASP Testing Guide version 4. He is credited with multiple responsible public disclosures (see www.osvdb.org/creditees/10234-anant-shrivastava). He also maintains an Android security distribution called Android Tamer (www.tamerplatform.com) and runs a responsible disclosure program for open source software under the name CodeVigilant (www.codevigilant.com). He can be contacted at anant@anantshri.info
Anto Joseph (@antojosep007)
Anto Joseph is a Security Engineer at Citrix with 4+ years of expertise in Mobile, Systems and Web. He is a strong supporter of Free & Open Information Security Education. His areas of interest include Web, Mobile and Systems. He is currently researching Android and IoT security. He has spoken and conducted trainings at various security conferences such as c0c0n 2015, XorConf 2015, GroundZero 2015, etc., and has good expertise in practical security. His code and work can be seen at https://github.com/antojoseph.