
Identify the most common areas where mobile app data resides, including private application folder, Android SD card, system log files, RAM, key chain, source code, and web cache.
Understand the four-layer Android architecture built on a modified Linux kernel, with hardware drivers, the hardware abstraction layer, surface manager, browser rendering engine, and Dalvik/ART runtimes.
Explore how each Android app runs in its own Dalvik VM, enabling isolation. Understand how the sandbox controls data access with fine-grained permissions in the Android manifest and content providers.
Explore the five Android app components—activities, intents, services, content providers, and broadcast receivers—and how each drives visible screens, background tasks, data sharing, and operating system events.
Set up an android testing lab by installing VirtualBox, deploying Santoku Linux, and creating a Genymotion Android emulator with a dedicated virtual machine for testing android applications.
Connect the emulator and Santoku on bridged network, obtain their IPs, and use adb to explore devices, run shell commands and logcat, and access data and sdcard for forensics.
Intercept and analyze mobile app network traffic using a proxy tool, configure the device to forward traffic to the proxy IP, and install the proxy certificate to capture requests.
Learn to reverse an Android application to inspect its source and find hard-coded secrets and security vulnerabilities by converting Dalvik executables to Java code and viewing source with JD-GUI.
Install the DIVA insecure and vulnerable android app on a connected emulator using ADB. Then explore common security issues arising from insecure coding practices.
Demonstrate an insecure logging issue by showing credit card numbers appear in application logs; highlight the need to set proper logging levels before go live to protect sensitive data.
Explore how insecure data storage exposes user credentials by saving usernames and passwords in plain text on Android devices, and learn why encryption is essential.
Explore how apps store sensitive data in an unencrypted database, exposing credentials such as username and password, and reveal the database insecure storage vulnerability.
Shows how apps store credentials in temporary files on Android, exposing username and password, and demonstrates accessing the file via adb, warning developers to avoid insecure storage.
Identify hard coding issues by demonstrating how sensitive data like keys and access tokens stored in source code can let attackers gain access with a secret vendor key.
Explore how input validation issues enable SQL injection in an Android app, exposing all user data due to unfiltered search input and true-condition exploits.
Explore input validation issues and WebView vulnerabilities in Android apps. Learn how embedded web content can read local files and expose sensitive data.
Demonstrate how a script source code disclosure vulnerability lets attackers read source files and expose sensitive data. Explore how this flaw reveals database connection details and other internal information.
This course includes all necessary information to start your carrier in Cyber Security field. This course aims to teach you how to perform full penetration testing on Android Mobile applications.
Course at a glance:
- Start from Android architectures basics.
- Covers Mobile applications reverse engineering.
- Practice on real world mobile applications.
- Build your own home lab on mobile application security.
- Provides you the skills necessary to perform Penetration tests of mobile applications.
Syllabus:
Introduction To Mobile Apps.
Mobile Application Security.
Mobile Application Penetration Testing.
The most common areas where we find mobile application data resides.
The Architecture of Android.
The App Sandbox and the Permission Model.
AndroidManifest.xml File.
Android Compilation Process.
Android Startup Process.
Android Application Components.
Setup a testing environment.
Android Debug Bridge (adb).
Digging deeper into Android (ADB tool).
intercept and analyze the network traffic.
Reversing an Android application.
OWASP top 10 vulnerabilities for mobiles.
Install DIVA (Damn insecure and vulnerable App).
Insecure Logging Issue.
Insecure Data Storage.
Database Insecure Storage.
Insecure Data Storage Inside Temporary Files.
Hardcoding Issues.
Input Validation Issues - SQL Injection.
Input Validation Issues - Exploiting Webview Vulnerability.
With this course you'll get 24/7 support, so if you have any questions you can post them in the Q&A section and we'll respond to you within 10 hours.
NOTE: This course is created for educational purposes only.