Learning Pentesting for Android Devices


Learning Pentesting for Android Devices
eBook: $17.99
Formats: PDF, PacktLib, ePub and Mobi formats
$15.29
save 15%!
Print + free eBook + free PacktLib access to the book: $47.98    Print cover: $29.99
$29.99
save 37%!
Free Shipping!
UK, US, Europe and selected countries in Asia.
Also available on:
Overview
Table of Contents
Author
Reviews
Support
Sample Chapters
  • Explore the security vulnerabilities in Android applications and exploit them
  • Venture into the world of Android forensics and get control of devices using exploits
  • Hands-on approach covers security vulnerabilities in Android using methods such as Traffic Analysis, SQLite vulnerabilities, and Content Providers Leakage

 

Book Details

Language : English
Paperback : 154 pages [ 235mm x 191mm ]
Release Date : March 2014
ISBN : 1783288981
ISBN 13 : 9781783288984
Author(s) : Aditya Gupta
Topics and Technologies : All Books, Mobile Application Development, Web Development, Open Source


Table of Contents

Preface
Chapter 1: Getting Started with Android Security
Chapter 2: Preparing the Battlefield
Chapter 3: Reversing and Auditing Android Apps
Chapter 4: Traffic Analysis for Android Devices
Chapter 5: Android Forensics
Chapter 6: Playing with SQLite
Chapter 7: Lesser-known Android Attacks
Chapter 8: ARM Exploitation
Chapter 9: Writing the Pentest Report
Index
  • Chapter 2: Preparing the Battlefield
    • Setting up the development environment
      • Creating an Android virtual device
    • Useful utilities for Android Pentest
      • Android Debug Bridge
      • Burp Suite
      • APKTool
    • Summary
  • Chapter 3: Reversing and Auditing Android Apps
    • Android application teardown
    • Reversing an Android application
    • Using Apktool to reverse an Android application
    • Auditing Android applications
    • Content provider leakage
    • Insecure file storage
      • Path traversal vulnerability or local file inclusion
      • Client-side injection attacks
    • OWASP top 10 vulnerabilities for mobiles
    • Summary
  • Chapter 4: Traffic Analysis for Android Devices
    • Android traffic interception
    • Ways to analyze Android traffic
      • Passive analysis
      • Active analysis
    • HTTPS Proxy interception
      • Other ways to intercept SSL traffic
    • Extracting sensitive files with packet capture
    • Summary
  • Chapter 5: Android Forensics
    • Types of forensics
    • Filesystems
      • Android filesystem partitions
    • Using dd to extract data
      • Using a custom recovery image
    • Using Andriller to extract an application's data
    • Using AFLogical to extract contacts, calls, and text messages
    • Dumping application databases manually
    • Logging the logcat
    • Using backup to extract an application's data
    • Summary
  • Chapter 7: Lesser-known Android Attacks
    • Android WebView vulnerability
      • Using WebView in the application
      • Identifying the vulnerability
    • Infecting legitimate APKs
    • Vulnerabilities in ad libraries
    • Cross-Application Scripting in Android
    • Summary
  • Chapter 8: ARM Exploitation
    • Introduction to ARM architecture
      • Execution modes
    • Setting up the environment
    • Simple stack-based buffer overflow
    • Return-oriented programming
    • Android root exploits
    • Summary
  • Chapter 9: Writing the Pentest Report
    • Basics of a penetration testing report
    • Writing the pentest report
      • Executive summary
      • Vulnerabilities
      • Scope of the work
      • Tools used
      • Testing methodologies followed
      • Recommendations
      • Conclusion
      • Appendix
    • Summary

Aditya Gupta

Aditya Gupta is the founder and trainer of Attify, a mobile security firm, and leading mobile security expert and evangelist. Apart from being the lead developer and co-creator of Android framework for exploitation, he has done a lot of in-depth research on the security of mobile devices, including Android, iOS, and Blackberry, as well as BYOD Enterprise Security.

He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe, Skype, and many more.

In his previous work at Rediff.com, his main responsibilities were to look after web application security and lead security automation. He also developed several internal security tools for the organization to handle the security issues.

In his work with XYSEC, he was committed to perform VAPT and mobile security analysis. He has also worked with various organizations and private clients in India, as well as providing them with training and services on mobile security and exploitation, Exploit Development, and advanced web application hacking.

He is also a member of Null—an open security community in India, and an active member and contributor to the regular meetups and Humla sessions at the Bangalore and Mumbai Chapter.

He also gives talks and trainings at various security conferences from time to time, such as BlackHat, Syscan, Toorcon, PhDays, OWASP AppSec, ClubHack, Nullcon, and ISACA.

Right now he provides application auditing services and training. He can be contacted at adi@attify.com or @adi1391 on Twitter.

Code Downloads

Download the code and support files for this book.


Submit Errata

Please let us know if you have found any errors not listed on this list by completing our errata submission form. Our editors will check them and add them to this list. Thank you.


Errata

- 2 submitted: last submission 06 Jun 2014

In the Foreword, the last para:

On a personal note, my favorite chapters were the ones that discuss Android forensics, which are described as follows:

•  Chapter 5, Android Forensics, as it goes deeper into the Android filesystem and the reader learns how to extract data from the filesystem

•  Lesser-known Android attack vectors from Chapter 7, Lesser-known Android Attacks, as the chapter discusses infection vectors, and in particular the WebView component

•  Chapter 8, ARM Exploitationthat focuses on ARM-based exploitation for the Android platform

 

should be as follows:

On a personal note, my favorite chapters were the ones that discussed Android forensics, that is, Chapter 5, Android Forensics, as it goes deeper into the Android filesystem and the reader learns how to extract data from the filesystem; lesser-known Android attack vectors from Chapter 7, Lesser-known Android Attacks, as the chapter discusses infection vectors and in particular the web view component, and Chapter 8, Android Exploitation that focuses on ARM-based exploitation for the Android platform.

 

Page: 42

Type: Technical

Instead of:

To build a modified application from smali, we will use the b (build) flag in Apktool.
apktool d [decompiled folder name] [target-app-name].apk

 

It should be:

To build a modified application from smali, we will use the b (build) flag in Apktool.
apktool b [decompiled folder name] [target-app-name].apk

 

 

Sample chapters

You can view our sample chapters and prefaces of this title on PacktLib or download sample chapters in PDF format.

Frequently bought together

Learning Pentesting for Android Devices +    Mastering Object-oriented Python =
50% Off
the second eBook
Price for both: £20.45

Buy both these recommended eBooks together and get 50% off the cheapest eBook.

What you will learn from this book

  • Understand the basics of Android Security Architecture and Permission Model Bypassing
  • Use and explore Android Debug Bridge (ADB)
  • Study the internals of an Android application from a security viewpoint
  • Learn to reverse an Android application
  • Perform the Traffic Analysis on Android devices
  • Dive into the concepts of Android forensics and data acquisition
  • Acquire the knowledge of Application Level vulnerabilities and exploitation such as Webkit-Based Exploitation, Root Exploits, and Use After free vulnerabilities
  • Write a penetration testing report for an Android application auditing project

In Detail

Android is the most popular mobile smartphone operating system at present, with over a million applications. Every day hundreds of applications are published to the PlayStore, which users from all over the world download and use. Often, these applications have serious security weaknesses in them, which could lead an attacker to exploit the application and get access to sensitive information. This is where penetration testing comes into play to check for various vulnerabilities.

Learning Pentesting for Android is a practical and hands-on guide to take you from the very basic level of Android Security gradually to pentesting and auditing Android. It is a step-by-step guide, covering a variety of techniques and methodologies that you can learn and use in order to perform real life penetration testing on Android devices and applications.

The book starts with the basics of Android Security and the permission model, which we will bypass using a custom application, written by us. Thereafter we will move to the internals of Android applications from a security point of view, and will reverse and audit them to find the security weaknesses using manual analysis as well as using automated tools.

We will then move to a dynamic analysis of Android applications, where we will learn how to capture and analyze network traffic on Android devices and extract sensitive information and files from a packet capture from an Android device. We will then learn some different ways of doing Android forensics and use tools such as Lime and Volatility. After that, we will look into SQLite databases, and learn to find and exploit the injection vulnerabilities. Also, we will look into webkit-based vulnerabilities; root exploits, and how to exploit devices to get full access along with a reverse connect shell. Finally, we will learn how to write a penetration testing report for an Android application auditing project.

Approach

This is an easy-to-follow guide, full of hands-on and real-world examples of applications. Each of the vulnerabilities discussed in the book is accompanied with the practical approach to the vulnerability, and the underlying security issue.

Who this book is for

This book is intended for all those who are looking to get started in Android security or Android application penetration testing. You don’t need to be an Android developer to learn from this book, but it is highly recommended that developers have some experience in order to learn how to create secure applications for Android.

Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software