As of September 2017, the Google Play store holds 3.3 million applications. In May 2017 Google announced that there are over 2 billion monthly active Android devices. These devices are a gateway to our entire lives: our contacts, communications, entertainment and finances. Every application installed on a mobile device is placed into an ecosystem where all of this information is stored and constantly exchanged and accessed by the user and by other parties. And just like every other piece of software written by humans, Android applications contain vulnerabilities. These vulnerabilities can be exploited by attackers, placing both users and publishers of applications at risk.
What we will do: The workshop will be a combination of lectures, demos and hands-on exercises, during which you will be given access to virtualized Android devices with pre-installed applications designed to showcase specific vulnerabilities.
- We will conduct assessments on the applications, on the devices and on network traffic to discover the vulnerabilities present in the apps
- We will assess the threats posed by the vulnerabilities
- Since no security assessment is complete without a Proof-of-Concept attack, we will exploit every vulnerability that we find during our assessments
We will use the following techniques to conduct our assessments:
- Disassembling applications into human-readable Dalvik bytecode (smali)
- Decompiling Android APK files into Java-like source code
- Reverse engineering application logic, then modifying and recompiling Android applications
- Modifying Android application logic at run time
- Analyzing, intercepting and modifying Android application network traffic
After completing the workshop you will have a basic understanding of how to conduct an Android application assessment. The outcome will be a healthy paranoia, which will make you think twice before installing any application from the Play Store in the future. At the very least, you will become conscious of permissions requested by Android applications and how dangerous they may be.
This will be a technical, hands-on tutorial, which means that participants are required to bring their own laptop. Previous programming and command line experience may make your overall experience smoother, but all concepts, techniques and tools will be explained from A to Z. In conclusion, all you really need is a laptop and motivation!