The art of android hacking by Abhinav Mishra (0ctac0der)

OWASP Delhi
Security Researcher at Adobe, Chapter Leader at OWASP & null
Mar. 21, 2016
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
The art of android hacking by Abhinav Mishra (0ctac0der)
1 of 16

The art of android hacking by Abhinav Mishra (0ctac0der)

Mar. 21, 2016
Download to read offline
Technology

Android application security ○ Android architecture ○ Application structure ○ Cool tools and distributions ○ Emulators, Devices, Attacks, Vulnerabilities ….. ● What (& How) to look for in an android application ● Some interesting findings ● (Random talks) ● Cool demonstrations ● Next steps to learn android appsec

OWASP Delhi
Security Researcher at Adobe, Chapter Leader at OWASP & null

Recommended

Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi4.2K views54 slides
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAndroid "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra843 views19 slides
The art of android hackingThe art of android hacking
The art of android hackingAbhinav Mishra1.1K views16 slides
Peerlyst Delhi NCR Chapter MeetPeerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetAbhinav Mishra1.3K views16 slides
Web Security 101Web Security 101
Web Security 101Michael Peters4.5K views47 slides
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB9.3K views34 slides

More Related Content

Slideshows for you

Practical Cyber Attacking TutorialPractical Cyber Attacking Tutorial
Practical Cyber Attacking TutorialYam Peleg1.9K views49 slides
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP377 views30 slides
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing218 views49 slides
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton865 views69 slides
Owasp for dummies handoutsOwasp for dummies handouts
Owasp for dummies handoutsBCC12.8K views45 slides
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin3.1K views62 slides

Slideshows for you(20)

Practical Cyber Attacking TutorialPractical Cyber Attacking Tutorial
Practical Cyber Attacking Tutorial
Yam Peleg1.9K views
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
OWASP377 views
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing218 views
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton865 views
Owasp for dummies handoutsOwasp for dummies handouts
Owasp for dummies handouts
BCC12.8K views
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
drewz lin3.1K views
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application Security
OWASPKerala950 views
Brute Force AttackBrute Force Attack
Brute Force Attack
Ahmad karawash2.8K views
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opd
Pawel Rzepa416 views
Security In .Net FrameworkSecurity In .Net Framework
Security In .Net Framework
Ramakanta Behera526 views
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava2.6K views
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Abraham Aranguren16.1K views
Android Application Security from consumer and developer perspectivesAndroid Application Security from consumer and developer perspectives
Android Application Security from consumer and developer perspectives
Ayoma Wijethunga567 views
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
Anant Shrivastava2.3K views
.NET Security Topics.NET Security Topics
.NET Security Topics
Shawn Gorrell882 views
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey8.2K views
Recent Trends in Cyber SecurityRecent Trends in Cyber Security
Recent Trends in Cyber Security
Ayoma Wijethunga538 views
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson30.8K views
Empire Work shopEmpire Work shop
Empire Work shop
Haydn Johnson1K views
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
CiNPA Security SIG70 views

Viewers also liked

The Time Machine 2 Quiz (13/09/2014)The Time Machine 2 Quiz (13/09/2014)
The Time Machine 2 Quiz (13/09/2014)Nihal Nayak912 views24 slides
Change Management 13 things to considerChange Management 13 things to consider
Change Management 13 things to considerpck100354 views7 slides
More about healthMore about health
More about healthJack740201 views4 slides
νεο λυκειονεο λυκειο
νεο λυκειοelpitheo184 views7 slides
Curiculum vitae aciqCuriculum vitae aciq
Curiculum vitae aciqlaw siewpeng243 views5 slides
(2014 관측회) 점상촬영법(2014 관측회) 점상촬영법
(2014 관측회) 점상촬영법soar7sci1.4K views17 slides

Viewers also liked(15)

The Time Machine 2 Quiz (13/09/2014)The Time Machine 2 Quiz (13/09/2014)
The Time Machine 2 Quiz (13/09/2014)
Nihal Nayak912 views
Change Management 13 things to considerChange Management 13 things to consider
Change Management 13 things to consider
pck100354 views
More about healthMore about health
More about health
Jack740201 views
νεο λυκειονεο λυκειο
νεο λυκειο
elpitheo184 views
Curiculum vitae aciqCuriculum vitae aciq
Curiculum vitae aciq
law siewpeng243 views
(2014 관측회) 점상촬영법(2014 관측회) 점상촬영법
(2014 관측회) 점상촬영법
soar7sci1.4K views
досвід людської особидосвід людської особи
досвід людської особи
biblioteka_c767 views
ORIMARY DATA AND SECANDARY DATAORIMARY DATA AND SECANDARY DATA
ORIMARY DATA AND SECANDARY DATA
AJEET KUMAR YADAV358 views
Contoh Kajian KesContoh Kajian Kes
Contoh Kajian Kes
DinGea464 views
νεο λυκειονεο λυκειο
νεο λυκειο
elpitheo172 views
Better footballBetter football
Better football
Jack740162 views
Brigade panoramaBrigade panorama
Brigade panorama
Ashish Kesarwani181 views
Public-Private Roundtables at the Fourth Clean Energy MinisterialPublic-Private Roundtables at the Fourth Clean Energy Ministerial
Public-Private Roundtables at the Fourth Clean Energy Ministerial
Valerie Riedel754 views
Ormiston educationOrmiston education
Ormiston education
Jack740162 views
Vado bathroom acessoriesVado bathroom acessories
Vado bathroom acessories
fountaindirect241 views

Similar to The art of android hacking by Abhinav Mishra (0ctac0der)

MobSecCon 2015 - Burning Marshmallows MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows Ron Munitz142 views23 slides
Android Tamer (Anant Shrivastava)Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)ClubHack7.5K views17 slides
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP2.2K views166 slides
Android AttacksAndroid Attacks
Android AttacksMichael Scovetta4K views45 slides
CodeMotion tel aviv 2015 - burning marshmallowsCodeMotion tel aviv 2015 - burning marshmallows
CodeMotion tel aviv 2015 - burning marshmallowsRon Munitz68 views28 slides
Android Programming made easyAndroid Programming made easy
Android Programming made easyLars Vogel4.9K views42 slides

Similar to The art of android hacking by Abhinav Mishra (0ctac0der)(20)

MobSecCon 2015 - Burning Marshmallows MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows
Ron Munitz142 views
Android Tamer (Anant Shrivastava)Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)
ClubHack7.5K views
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
OWASP2.2K views
Android AttacksAndroid Attacks
Android Attacks
Michael Scovetta4K views
CodeMotion tel aviv 2015 - burning marshmallowsCodeMotion tel aviv 2015 - burning marshmallows
CodeMotion tel aviv 2015 - burning marshmallows
Ron Munitz68 views
Android Programming made easyAndroid Programming made easy
Android Programming made easy
Lars Vogel4.9K views
Fight back android fragmentationFight back android fragmentation
Fight back android fragmentation
Bitbar1.2K views
Xamarin.android memory management gotchasXamarin.android memory management gotchas
Xamarin.android memory management gotchas
Alec Tucker2.9K views
Embedded Android Workshop at AnDevCon IVEmbedded Android Workshop at AnDevCon IV
Embedded Android Workshop at AnDevCon IV
Opersys inc.661 views
Android Made SimpleAndroid Made Simple
Android Made Simple
Gabriel Dogaru879 views
Begining Android DevelopmentBegining Android Development
Begining Android Development
Hayi Nukman1.5K views
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi649 views
Getting started with hacking android & i os apps tools, techniques and re...Getting started with hacking android & i os apps tools, techniques and re...
Getting started with hacking android & i os apps tools, techniques and re...
n|u - The Open Security Community86 views
AndroidAndroid
Android
Mithilesh Rajbhar521 views
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
saurabhharit438 views
Can I Play with Madness?!?Can I Play with Madness?!?
Can I Play with Madness?!?
ElevenPaths1.3K views
Voxxed Days Villnius 2015 - Burning MarshmallowsVoxxed Days Villnius 2015 - Burning Marshmallows
Voxxed Days Villnius 2015 - Burning Marshmallows
Ron Munitz139 views
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette3.3K views
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue1.3K views
Embedded Android Workshop with NougatEmbedded Android Workshop with Nougat
Embedded Android Workshop with Nougat
Opersys inc.2.2K views

More from OWASP Delhi

Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeoverOWASP Delhi277 views22 slides
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report WritingOWASP Delhi623 views20 slides
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air GapOWASP Delhi311 views29 slides
UDP HunterUDP Hunter
UDP HunterOWASP Delhi102 views14 slides
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container EscapesOWASP Delhi337 views12 slides
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using TerraformOWASP Delhi388 views14 slides

More from OWASP Delhi(20)

Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
OWASP Delhi277 views
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
OWASP Delhi623 views
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
OWASP Delhi311 views
UDP HunterUDP Hunter
UDP Hunter
OWASP Delhi102 views
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
OWASP Delhi337 views
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
OWASP Delhi388 views
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
OWASP Delhi260 views
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi1.2K views
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi4.4K views
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi1.7K views
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
OWASP Delhi211 views
DMARC OverviewDMARC Overview
DMARC Overview
OWASP Delhi1.3K views
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
OWASP Delhi305 views
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi5.9K views
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi148 views
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
OWASP Delhi516 views
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
OWASP Delhi507 views
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi1.5K views
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi429 views
Hostile Subdomain Takeover by Ankit PrateekHostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit Prateek
OWASP Delhi826 views

Recently uploaded

Testing and Developing GraphQL APIsTesting and Developing GraphQL APIs
Testing and Developing GraphQL APIsPostman21 views14 slides
#11 DataWeave Extension Library using Visual Studio Code#11 DataWeave Extension Library using Visual Studio Code
#11 DataWeave Extension Library using Visual Studio CodeAnoopRamachandran1379 views25 slides
CloudStack Object Storage Framework & DemoCloudStack Object Storage Framework & Demo
CloudStack Object Storage Framework & DemoShapeBlue109 views12 slides
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogoMonteiro78696022 views1 slide
What’s new in Kotlin 12-08-2023 Google IO Cairo 23What’s new in Kotlin 12-08-2023 Google IO Cairo 23
What’s new in Kotlin 12-08-2023 Google IO Cairo 23Ahmed Nabil66 views27 slides
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsNoSQL Database Migration Masterclass - Session 3: Migration Logistics
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsScyllaDB27 views32 slides

Recently uploaded(20)

Testing and Developing GraphQL APIsTesting and Developing GraphQL APIs
Testing and Developing GraphQL APIs
Postman21 views
#11 DataWeave Extension Library using Visual Studio Code#11 DataWeave Extension Library using Visual Studio Code
#11 DataWeave Extension Library using Visual Studio Code
AnoopRamachandran1379 views
CloudStack Object Storage Framework & DemoCloudStack Object Storage Framework & Demo
CloudStack Object Storage Framework & Demo
ShapeBlue109 views
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
DiogoMonteiro78696022 views
What’s new in Kotlin 12-08-2023 Google IO Cairo 23What’s new in Kotlin 12-08-2023 Google IO Cairo 23
What’s new in Kotlin 12-08-2023 Google IO Cairo 23
Ahmed Nabil66 views
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsNoSQL Database Migration Masterclass - Session 3: Migration Logistics
NoSQL Database Migration Masterclass - Session 3: Migration Logistics
ScyllaDB27 views
ECE ANURANAN 2023ECE ANURANAN 2023
ECE ANURANAN 2023
Bishal20Hazarika103448 views
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
DianaGray1048 views
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptx
SnehaAggarwal40119 views
An Introduction To Using ChatGPT For BusinessAn Introduction To Using ChatGPT For Business
An Introduction To Using ChatGPT For Business
Paul Nguyen56 views
FewShotExamples.pptxFewShotExamples.pptx
FewShotExamples.pptx
Alok Ranjan20 views
Common - Concerns Around OpenAI.pptxCommon - Concerns Around OpenAI.pptx
Common - Concerns Around OpenAI.pptx
Alok Ranjan51 views
NTGapps DTB Platform.pdfNTGapps DTB Platform.pdf
NTGapps DTB Platform.pdf
Mustafa Kuğu165 views
Info Session GDSC Mepco Sechenk Chapter.pptxInfo Session GDSC Mepco Sechenk Chapter.pptx
Info Session GDSC Mepco Sechenk Chapter.pptx
DURAIVIGNESHC15 views
Welcome and State of Apache CloudStack CommunityWelcome and State of Apache CloudStack Community
Welcome and State of Apache CloudStack Community
ShapeBlue149 views
GDSC_Info_Session_KITTiptur.pptxGDSC_Info_Session_KITTiptur.pptx
GDSC_Info_Session_KITTiptur.pptx
RadhikaNA38 views
AI and ML Series - Generative Extraction and Classification of Documents in S...AI and ML Series - Generative Extraction and Classification of Documents in S...
AI and ML Series - Generative Extraction and Classification of Documents in S...
DianaGray1067 views
Sell&Buy.pdfSell&Buy.pdf
Sell&Buy.pdf
Danielle9510955 views
Orbyfy Grid e-Services_vFx.pdfOrbyfy Grid e-Services_vFx.pdf
Orbyfy Grid e-Services_vFx.pdf
Orbyfy19 views
GDSC INFO.pptxGDSC INFO.pptx
GDSC INFO.pptx
AshishChanchal136 views

The art of android hacking by Abhinav Mishra (0ctac0der)

  1. The Art Of Android Hacking by, Abhinav Mishra (0ctac0der)

  2. Who is this weird tall guy?? Abhinav Mishra | @0ctac0der Senior Security Consultant @ TOTHENEW Digital Top 5 Mobile Security Researcher | Synack Red Team (@SynackRedTeam) Web and Mobile Application Security Researcher Bug Bounty Hunter, Speaker, Trainer, Traveler, Movie buff Have you seen “Mr. Robot” ? Any comments? Link

  3. What is he talking about?? ● Android application security ○ Android architecture ○ Application structure ○ Cool tools and distributions ○ Emulators, Devices, Attacks, Vulnerabilities ….. ● What (& How) to look for in an android application ● Some interesting findings ● (Random talks) ● Cool demonstrations ● Next steps to learn android appsec

  4. Que le jeu commence….. Quick Questions ● What all you know about android… ● Application structure ● Vulnerability ? Okay, my turn now ● What you want to know/learn? ● What you want me to demo? ● Any tool you love? We can talk….

  5. Quick Android Walkthrough ● Linux Kernel ● Privilege separation Model (UID & GID) ● Android Permission model (android manifest) ● APK components: ○ AndroidManifest.xml ○ Classes.dex ○ META-INF ○ Resources.arsc ○ Assets ○ Res ○ Lib

  6. Reversing a cute APK Things I am going to do in next 10-15 minutes: ● Choose any apk ● Decompile with apktool | $apktool d package_name.apk ● Read and understand the AndroidManifest.xml ● Showing components in the code: ○ Activities, Broadcast receivers, Content providers …. ● Extract the apk with any extractor ● Change the classes.dex to jar | $dex2jar classes.dex ● Show multiple java classes ● Possible issues to be discovered ● SMALI files and converting to JAR

  7. Tools & Demos ● Emulators??? ○ Genymotion ○ Android Studio | AVD ● ADB (Android Debug Bridge) ○ $adb install ○ $ adb pull / push ● AppUse Virtual Machine ● Android Monitor / Logcat ● Application Local files

  8. Drozer Basics ● Drozer client and server ● Setting up the console ● Basic commands: ○ $ run app.packer.list ○ $run app.package.info ○ $run app.package.attacksurface ○ $ run app.activity.start

  9. 15 min checks 1. Debuggable | Backup : True ??? 2. AndroidManifest: Permissions 3. Hardcoded stuff 4. SSL Pinning ?? 5. Drozer: attack surface | exported components 6. Local storage encryption 7. Sdcard storage | public folder usage 8. TLS protection check

  10. Because Money matters Vulnerability 1 Date: Mar-2014 Issue: Debuggable = True Bounty: $500 How to check: APK AndroidManifest.xml “debuggable=true”

  11. Because Money matters Vulnerability 2 Date: May-2015 Issue: App fragment injection Bounty: $250 How to check: Anyone?

  12. Because Money matters Vulnerability 3 Date: May-2015 Issue: Hardcoded Account Credentials Bounty: $200 How to check: Anyone?

  13. Because Money matters Vulnerability 4 Date: June-2015 Issue: Exported component malicious usage Bounty: $1000 How to check: Anyone?

  14. Because Money matters Vulnerability 5 Date: Oct-2015 Issue: Parameter manipulation Bounty: $1000 How to check: Let me explain this one to you.

  15. My virtual machine (Droider) Prerequisites ● 16 GB RAM ● Intel COREi7 processor ● 500 GB free hard disk space ● Minimum internet speed required 50 MBPS ● Google Nexus 7 device, rooted

  16. What Next …. ● Learn more ● Read online ● Use tools: Drozer, QARK etc. ● Start practising