Overview
Dive into the world of Android app security with this 48-minute conference talk from DerbyCon 2018, presented by Joff Thyer and Derek Banks. Explore the fundamentals of Android app penetration testing, covering essential topics such as Android OS architecture, potential risks, and must-have tools for testing. Learn how to configure emulators, utilize ADB effectively, and analyze package files and manifests. Gain insights into app analysis guidelines, methodology overviews, and various testing techniques including static analysis, app reconnaissance, and identifying insecure communications and data storage. Discover how to detect extraneous functionality and understand the process of embedding malware in APKs. This comprehensive talk equips security professionals with the knowledge to assess and improve Android app security.
Syllabus
Intro
About Derek
Why Android?
Android OS Split
What are the risks?
Must Have tools
Nice to Have tools
Configure your emulator
ADB is your friend
Find your package file!
What about the MANIFEST?
More about Drozer
App Analysis Guidelines
What should be tested?
Methodology Overview
Static Analysis & App Recon
MobSF Dashboard
Insecure Communication
Insecure Data Storage
Extraneous Functionality
Embed Malware APK
Embedding Malware APK
Locate APP Entry Point
Re-assemble and sign
Way too many steps...