SlideShare uma empresa Scribd logo

Getting started with android

V
Vandana Verma

Android Security

Tecnologia
1 de 27
MINALI ARORA
 A cyber security professional with almost 6 years of experience  Demostrated areas of work- Application & Network Pentesting, Bash Scripting and Red Teaming  Part time bug bounty hunter and blogger https://medium.com/@minaliarora  Loves to read about psychology  Follow me on twitter: @AroraMinali
 Android Overview  Android Architecture  Android Security Model  Android App Testing  OWASP Top 10  Security tips for Developers
 Android’s Security Model consists of two parts: ◦ UID Separation ◦ Sandboxing Linux Kernel offers unique UID and GID for each application at run time. Thus, an application runs in its own sandbox environment and does not affect any other apps running.
AndroidManifest.XML Classes.dex Resources.arsc Assets Folder Lib Folder META-INF Folder Res Folder Other Files
 Root your device (If you choose an emulator, then make sure that it is already rooted)  Allow unknown sources (Settings->Security)  Install the application  Connect the device/emulator to a proxy setup (for e.g. Burp)
Methodology of testing an Android application can be broadly divided into two categories:  Static Testing  Dynamic Testing While static testing includes reversing an android application and reading the code, Dynamic testing includes analyzing the network traffic
 Android SDK: A software development kit containing API libraries and developer tools to build, test and debug Android apps In our context , more important ones are adb, aapt and the emulator
 Android Debug Bridge: Command line tool to communicate with emulator instance or connected physical/virtual device  Useful Commands:  adb devices  adb connect  adb shell  adb install  adb push/pull
 apktool: is used to decode and reverse engineer android application Command: apktool d <apk file>
 dex2jar –converts dex file to jar containing reconstructed source code which can be viewed in jdgui
 AndroidManifest.xml- This file contains all application components and application permissions
 Drozer  Burp Suite  Droidbox  MobSF  Inspeckage
 Drozer: One of the most chosen tools for Android security testing. A security testing framework, great to determine app attack surface and interact with it.
Most common vulnerabilities found during Android application testing:  OTP bypass  Authentication bypass  IDOR  Information Leakage  Privilege Escalation
 Store data safely  Enforce secure communication  Use web view objects carefully  Provide the right permissions to application  Update security provider to protect against exploits  Share only sensitive data to cache files  Use shared preferences in private mode https://developer.android.com/topic/security/best- practices
Getting started with android

Recomendados

Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 

Mais conteúdo relacionado

Mais procurados

Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development 2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development Cheng-Yi Yu
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testingMykhailo Antonishyn
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardeninganupriti
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Security threats in Android OS + App Permissions
Security threats in Android OS + App PermissionsSecurity threats in Android OS + App Permissions
Security threats in Android OS + App PermissionsHariharan Ganesan
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Android Camp 2011 @ Silicon India
Android Camp 2011 @ Silicon IndiaAndroid Camp 2011 @ Silicon India
Android Camp 2011 @ Silicon IndiaAvinash Birnale
 

Mais procurados (20)

Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development 2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Andriod Pentesting and Malware Analysis
Andriod Pentesting and Malware AnalysisAndriod Pentesting and Malware Analysis
Andriod Pentesting and Malware Analysis
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardening
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
Security threats in Android OS + App Permissions
Security threats in Android OS + App PermissionsSecurity threats in Android OS + App Permissions
Security threats in Android OS + App Permissions
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Android Camp 2011 @ Silicon India
Android Camp 2011 @ Silicon IndiaAndroid Camp 2011 @ Silicon India
Android Camp 2011 @ Silicon India
 

Semelhante a Getting started with android

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Android Overview
Android OverviewAndroid Overview
Android OverviewRaju Kadam
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Google android white paper
Google android white paperGoogle android white paper
Google android white paperSravan Reddy
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Satheesh Kumar V
 
Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01Santosh Sh
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devicesIOSR Journals
 
Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android SystemNizar Maan
 
COVERT app
COVERT appCOVERT app
COVERT appitba9
 
Android For Java Developers
Android For Java DevelopersAndroid For Java Developers
Android For Java DevelopersMike Wolfson
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Android security in depth - extended
Android security in depth - extendedAndroid security in depth - extended
Android security in depth - extendedSander Alberink
 

Semelhante a Getting started with android (20)

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Android Overview
Android OverviewAndroid Overview
Android Overview
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Cc4201519521
Cc4201519521Cc4201519521
Cc4201519521
 
Google android white paper
Google android white paperGoogle android white paper
Google android white paper
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017
 
Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
 
Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android System
 
COVERT app
COVERT appCOVERT app
COVERT app
 
Android security
Android securityAndroid security
Android security
 
Android security
Android securityAndroid security
Android security
 
Stealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker wayStealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker way
 
Android For Java Developers
Android For Java DevelopersAndroid For Java Developers
Android For Java Developers
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Android security in depth - extended
Android security in depth - extendedAndroid security in depth - extended
Android security in depth - extended
 

Mais de Vandana Verma

Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelinesVandana Verma
 
Applying OWASP web security testing guide (OWSTG)
Applying OWASP web security testing guide (OWSTG)Applying OWASP web security testing guide (OWSTG)
Applying OWASP web security testing guide (OWSTG)Vandana Verma
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageVandana Verma
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalVandana Verma
 
Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Vandana Verma
 
Addo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeAddo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeVandana Verma
 
App Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureApp Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureVandana Verma
 
Web sockets - Pentesting
Web sockets - Pentesting Web sockets - Pentesting
Web sockets - Pentesting Vandana Verma
 
Story of http headers
Story of http headersStory of http headers
Story of http headersVandana Verma
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template InjectionVandana Verma
 
SIEM Vendor Neutrality
SIEM Vendor NeutralitySIEM Vendor Neutrality
SIEM Vendor NeutralityVandana Verma
 
Importance of Penetration Testing
Importance of Penetration TestingImportance of Penetration Testing
Importance of Penetration TestingVandana Verma
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
Chariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsChariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsVandana Verma
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency CheckVandana Verma
 
Incident response in Cloud
Incident response in CloudIncident response in Cloud
Incident response in CloudVandana Verma
 

Mais de Vandana Verma (18)

Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelines
 
Applying OWASP web security testing guide (OWSTG)
Applying OWASP web security testing guide (OWSTG)Applying OWASP web security testing guide (OWSTG)
Applying OWASP web security testing guide (OWSTG)
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma Sehgal
 
Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0
 
Addo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeAddo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchange
 
App Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureApp Sec village DevSecOps as a culture
App Sec village DevSecOps as a culture
 
Oscp - Journey
Oscp - JourneyOscp - Journey
Oscp - Journey
 
Web sockets - Pentesting
Web sockets - Pentesting Web sockets - Pentesting
Web sockets - Pentesting
 
Story of http headers
Story of http headersStory of http headers
Story of http headers
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
 
SIEM Vendor Neutrality
SIEM Vendor NeutralitySIEM Vendor Neutrality
SIEM Vendor Neutrality
 
Importance of Penetration Testing
Importance of Penetration TestingImportance of Penetration Testing
Importance of Penetration Testing
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Chariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsChariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_Infosecgirls
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency Check
 
Incident response in Cloud
Incident response in CloudIncident response in Cloud
Incident response in Cloud
 

Último

Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 

Último (20)

Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 

Getting started with android

  • 2.  A cyber security professional with almost 6 years of experience  Demostrated areas of work- Application & Network Pentesting, Bash Scripting and Red Teaming  Part time bug bounty hunter and blogger https://medium.com/@minaliarora  Loves to read about psychology  Follow me on twitter: @AroraMinali
  • 3.  Android Overview  Android Architecture  Android Security Model  Android App Testing  OWASP Top 10  Security tips for Developers
  • 4.
  • 5.
  • 6.  Android’s Security Model consists of two parts: ◦ UID Separation ◦ Sandboxing Linux Kernel offers unique UID and GID for each application at run time. Thus, an application runs in its own sandbox environment and does not affect any other apps running.
  • 7.
  • 9.
  • 10.  Root your device (If you choose an emulator, then make sure that it is already rooted)  Allow unknown sources (Settings->Security)  Install the application  Connect the device/emulator to a proxy setup (for e.g. Burp)
  • 11.
  • 12. Methodology of testing an Android application can be broadly divided into two categories:  Static Testing  Dynamic Testing While static testing includes reversing an android application and reading the code, Dynamic testing includes analyzing the network traffic
  • 13.
  • 14.
  • 15.  Android SDK: A software development kit containing API libraries and developer tools to build, test and debug Android apps In our context , more important ones are adb, aapt and the emulator
  • 16.  Android Debug Bridge: Command line tool to communicate with emulator instance or connected physical/virtual device  Useful Commands:  adb devices  adb connect  adb shell  adb install  adb push/pull
  • 17.  apktool: is used to decode and reverse engineer android application Command: apktool d <apk file>
  • 18.  dex2jar –converts dex file to jar containing reconstructed source code which can be viewed in jdgui
  • 19.  AndroidManifest.xml- This file contains all application components and application permissions
  • 20.  Drozer  Burp Suite  Droidbox  MobSF  Inspeckage
  • 21.  Drozer: One of the most chosen tools for Android security testing. A security testing framework, great to determine app attack surface and interact with it.
  • 22.
  • 23. Most common vulnerabilities found during Android application testing:  OTP bypass  Authentication bypass  IDOR  Information Leakage  Privilege Escalation
  • 24.
  • 25.
  • 26.  Store data safely  Enforce secure communication  Use web view objects carefully  Provide the right permissions to application  Update security provider to protect against exploits  Share only sensitive data to cache files  Use shared preferences in private mode https://developer.android.com/topic/security/best- practices