Android security by ravi-rai
•Download as PPTX, PDF•
0 likes•610 views
This document summarizes various Android security topics such as Android architecture, application permissions, rooting, common commands, file system structure, auditing applications for content provider leakage, insecure file storage, path traversal vulnerabilities, and client-side injection vulnerabilities. It provides an overview of key Android security concepts and commands used to analyze apps for common issues like unauthorized access to private data or escalation of privileges.
Report
Share
Report
Share
Recommended
Attacking android insecurity
This presentation is aimed at Android app developers looking to deal with the insecurity that surrounds Android apps these days and how to create a secure app.
Decompiling Android Workshop
This document provides tips and techniques for analyzing Android applications (APKs), including decompiling APKs to view source code, investigating APK and SQLite databases, and securing sensitive data and authentication on mobile devices. It lists tools for extracting and decompiling APKs, and provides references and contact information.
Bulletproof
The document discusses various security issues related to mobile applications including weak server-side controls, insecure data storage, insufficient transport layer protection, unintended data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted input, improper session handling, and lack of binary protections. It provides examples of issues like hardcoded passwords, insecure data storage on devices, and cross-site scripting vulnerabilities. The document also outlines fixes like encryption, access control, SSL pinning, parameterized queries, and disabling JavaScript to address these issues.
My Null Android Penetration Session
I attended the Android Penetration testing session organized by Null Bangalore. It was an AWESOME session by Ashish and everyone enjoyed it. This is the first time the Humla session was organized at Flipkart and it was beautiful venue. As I was sure that I may forget it later, I documented the entire session so that it will help me to revise it later as well. I have tried to make it as comprehensive as possible which gives you precise step by step instructions. It also covers most of the errors and solutions
we all faced during the session. This will help all of us to revise whatever we were taught in the Humla Session. It covers everything except the challenges. I am sure once you go through this document it will help you and others as well who were not able to attend.
Cheers !!!
Bypass Security Checking with Frida
This document discusses using Frida, an open source dynamic instrumentation toolkit, to bypass security checks in applications. It describes how Frida works by injecting JavaScript instrumentation scripts to inspect and modify running processes. Examples are given of using Frida to bypass encryption, PIN checks, root checking, and SSL pinning by hooking functions to log plaintext, force checks to return true, or ignore certificate validation. Alternative dynamic binary instrumentation tools like PIN and DynamoRIO are also mentioned.
Abusing Glype Proxies - Attacks, Exploits and Defences
Proxies play a critical privacy role by allowing anonymous web surfing and identity cloaking. Glype is an open source PHP proxy that is commonly used and provides anonymity. However, Glype proxies also have weaknesses that can allow attackers to exploit them. Misconfigured Glype proxies can leak users' sensitive information through log files and cookies. Attackers can also use Glype proxies to distribute malware by modifying the proxy software and using plugins. Strong authentication, disabling logs, and removing vulnerabilities are recommended to prevent abuse of Glype proxies.
Android app security
This document summarizes common security issues in Android applications. It discusses how application components like activities, services, and broadcasts can be exploited if exposed via intents. It also covers how sensitive data stored in files, SQLite databases, log files, and network traffic can leak if not properly secured. The document provides recommendations to address these issues, such as encrypting sensitive data, validating intent parameters, and restricting component and permission access. Overall, it analyzes the main avenues of attack for Android apps and best practices for application hardening.
Study of Directory Traversal Attack and Tools Used for Attack
In a lot of cases, configuration files, leftover files, temporary files and many other of such types are left without any security due to many reasons like for fellow developer so that it can be easy access to him or you are still working on it or sometimes overwork so you don’t remember or in hurry act sometime irresponsible but this can help attacker a lot to get information which can further lead to huge attacks. An automated Dictionary Traversal tool can find those files easily and provide a great help to attacker. There are many tools of such kind like Dir Buster, Go Buster, DIRB etc. These tools are not only used for attack but also for pen testing. Pen tester could easily find these kinds of vulnerabilities with such tools and remove them to make the application secure. Sanchi Sood | Mrs. N. Priya "Study of Directory Traversal Attack & Tools Used for Attack" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37933.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/37933/study-of-directory-traversal-attack-and-tools-used-for-attack/sanchi-sood
Recommended
Attacking android insecurity
This presentation is aimed at Android app developers looking to deal with the insecurity that surrounds Android apps these days and how to create a secure app.
Decompiling Android Workshop
This document provides tips and techniques for analyzing Android applications (APKs), including decompiling APKs to view source code, investigating APK and SQLite databases, and securing sensitive data and authentication on mobile devices. It lists tools for extracting and decompiling APKs, and provides references and contact information.
Bulletproof
The document discusses various security issues related to mobile applications including weak server-side controls, insecure data storage, insufficient transport layer protection, unintended data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted input, improper session handling, and lack of binary protections. It provides examples of issues like hardcoded passwords, insecure data storage on devices, and cross-site scripting vulnerabilities. The document also outlines fixes like encryption, access control, SSL pinning, parameterized queries, and disabling JavaScript to address these issues.
My Null Android Penetration Session
I attended the Android Penetration testing session organized by Null Bangalore. It was an AWESOME session by Ashish and everyone enjoyed it. This is the first time the Humla session was organized at Flipkart and it was beautiful venue. As I was sure that I may forget it later, I documented the entire session so that it will help me to revise it later as well. I have tried to make it as comprehensive as possible which gives you precise step by step instructions. It also covers most of the errors and solutions
we all faced during the session. This will help all of us to revise whatever we were taught in the Humla Session. It covers everything except the challenges. I am sure once you go through this document it will help you and others as well who were not able to attend.
Cheers !!!
Bypass Security Checking with Frida
This document discusses using Frida, an open source dynamic instrumentation toolkit, to bypass security checks in applications. It describes how Frida works by injecting JavaScript instrumentation scripts to inspect and modify running processes. Examples are given of using Frida to bypass encryption, PIN checks, root checking, and SSL pinning by hooking functions to log plaintext, force checks to return true, or ignore certificate validation. Alternative dynamic binary instrumentation tools like PIN and DynamoRIO are also mentioned.
Abusing Glype Proxies - Attacks, Exploits and Defences
Proxies play a critical privacy role by allowing anonymous web surfing and identity cloaking. Glype is an open source PHP proxy that is commonly used and provides anonymity. However, Glype proxies also have weaknesses that can allow attackers to exploit them. Misconfigured Glype proxies can leak users' sensitive information through log files and cookies. Attackers can also use Glype proxies to distribute malware by modifying the proxy software and using plugins. Strong authentication, disabling logs, and removing vulnerabilities are recommended to prevent abuse of Glype proxies.
Android app security
This document summarizes common security issues in Android applications. It discusses how application components like activities, services, and broadcasts can be exploited if exposed via intents. It also covers how sensitive data stored in files, SQLite databases, log files, and network traffic can leak if not properly secured. The document provides recommendations to address these issues, such as encrypting sensitive data, validating intent parameters, and restricting component and permission access. Overall, it analyzes the main avenues of attack for Android apps and best practices for application hardening.
Study of Directory Traversal Attack and Tools Used for Attack
In a lot of cases, configuration files, leftover files, temporary files and many other of such types are left without any security due to many reasons like for fellow developer so that it can be easy access to him or you are still working on it or sometimes overwork so you don’t remember or in hurry act sometime irresponsible but this can help attacker a lot to get information which can further lead to huge attacks. An automated Dictionary Traversal tool can find those files easily and provide a great help to attacker. There are many tools of such kind like Dir Buster, Go Buster, DIRB etc. These tools are not only used for attack but also for pen testing. Pen tester could easily find these kinds of vulnerabilities with such tools and remove them to make the application secure. Sanchi Sood | Mrs. N. Priya "Study of Directory Traversal Attack & Tools Used for Attack" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37933.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/37933/study-of-directory-traversal-attack-and-tools-used-for-attack/sanchi-sood
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
The workshop will also provide a thorough guide on how the mobile applications can be attacked and provide an overview of how some of the most important security checks for the applications are applied and get an in-depth understanding of these security checks.
Course Content:
Android Introduction & Basics
Setting up the Pen testing environment
Reverse engineering & runtime manipulation
Application dynamic runtime analysis
Application Components and security issues
Data and Network interception – manipulation and analysis
Defensive Tools & Techniques for Android application
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Android Reverse Engineering by Samrat Das
Abstract
• Intro to Reverse Engineering
• Short walkthough with Windows RE
• Introduction to Mobile Security Assessments
• Dalvik Virtual Machine vs JVM
• APK Walkthrough
• Components of Android
• Steps of Reverse Engineering Android Applications
• Hands-on demos on manual reversing of android apps
• Introduction to APPuse VM for droid assessments
• Detecting developer backdoors
• Creating Infected Android Applications
• Anti-Reversing | Obfuscation
Android pen test basics
The document covers topics related to Android penetration testing including the Android security model, software stack, content providers, and secure coding practices. The Android security model uses app isolation and each app runs in its own Dalvik Virtual Machine. Content providers manage access to structured app data and enable inter-process communication. Reverse engineering the APK file by extracting and decompiling it is demonstrated as part of the app security testing process. Common insecure practices like hardcoding sensitive data and lack of encryption are also discussed.
Getting started with Android pentesting
Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She is also a part-time bug bounty hunter and blogger. The document discusses Android security architecture, testing methodologies, common vulnerabilities, and security tips for developers. It covers topics such as Android security model, application components, static and dynamic testing tools, and the OWASP top 10.
Getting started with android
Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She also works as a part-time bug bounty hunter and blogger. The document discusses Android security architecture, which uses UID separation and sandboxing to isolate apps from each other. It describes tools used for static and dynamic Android application testing such as apktool, dex2jar, and Drozer. Common vulnerabilities found include OTP bypass, authentication bypass, and privilege escalation. The document provides tips for developers to store data safely, enforce secure communication, and implement least privilege permissions.
Reverse engineering android apps
With growth in app market it is essential to guard our android apps against possible threats, in this presentation we will walk through various tools and techniques which some one can use to reverse engineer an android app, we will see how some one can get access to APP DB, CODE, API, PREFERENCES.
We will also see different tools and techniques to guard our app against possible threats from code obfuscation with tools like dexgaurd to newer methods like verification of api calls using google play services.
This session was taken in Barcamp 13 bangalore http://barcampbangalore.org/bcb/bcb13/reverse-engineering-an-android-app-securing-your-android-apps-against-attacks
and bangalore android user group meetup Jan meetup http://www.meetup.com/blrdroid/events/100360682/
Android security and penetration testing | DIVA | Yogesh Ojha
This document provides an overview of Android security and penetration testing. It discusses the Android runtime environment and application fundamentals. It then examines the contents of an Android APK file, including the AndroidManifest.xml and code files. The document outlines the Android sandbox security model and various tools for decompiling and analyzing APKs. It introduces the DIVA vulnerable Android app and demonstrates several common security issues like insecure data storage, input validation problems, and ways to capture network traffic.
Securing android applications
The document discusses securing Android applications. It covers the Android architecture, permissions model, data storage, content providers, networking, SQLite encryption, static analysis, and obfuscation. The key topics are the Dalvik VM, sandbox model, permissions, signing applications, minimizing permissions, HTTPS for networking, SQLite encryption, Lint for static analysis, and Proguard for obfuscation.
Dissecting Android APK
This document provides an overview of reversing Android applications. It discusses the Android security model including permissions and ARM TrustZone. It describes real world Android malware like ransomware and data stealing malware. The structure of an Android APK file is explained including the dex, resources, libraries and manifest. Tools for analyzing APKs are introduced, like APKTool for decompiling and Dex2Jar for extracting dex files. The document demonstrates decompiling an APK and analyzing the smali code. It provides a glossary of related terms and references for further reading.
Thick Application Penetration Testing: Crash Course
Scott Sutherland discusses penetration testing thick applications. He explains why these applications create unique risks compared to web applications due to users having full control over the application environment. This allows attacks on trusted components, exposure of data and admin functions, and privilege escalation. Sutherland outlines the goals and process for testing thick applications, including common architectures, accessing the application, and testing the application's GUI, files, registry, network traffic, memory, and configurations to identify vulnerabilities.
Understanding android security model
This is the presentation on Android Security Model made at Android Dev Camp, March 4-6, 2011 at PayPal Campus.
Null mumbai-Android-Insecure-Data-Storage-Exploitation
This document discusses insecure data storage in Android applications. It provides an overview of common ways Android apps store data, such as Shared Preferences, SQLite databases, and internal/external storage. It notes that malware or physical access could exploit unencrypted or insecurely stored data. The document demonstrates extracting Shared Preference XML files and SQLite databases from an emulator for a banking app as an example of insecure data storage. It recommends storing data on a network/server or encrypting locally stored data on the device to help secure apps.
Android For Java Developers
This document provides an overview of the Android framework and development tools for Java developers. It summarizes the key components of the Android framework including the Linux kernel, Dalvik VM, core libraries, and application framework. It also describes the basic structure of an Android app, common elements like activities, intents, and layouts. Finally, it recommends resources for learning more about Android development.
Manish Chasta - Securing Android Applications
Mansih Chasta is a principal consultant at Indusface with over 6 years of experience in information and application security. The document discusses an upcoming training on analyzing and reverse engineering Android applications. It will cover topics like the Android SDK, setting up a GoatDroid application, memory analysis, intercepting layer 7 traffic, reverse engineering Android apps, SQLite database analysis, and demonstrating exploits on an ExploitMe application. Statistics are provided on growth in mobile app downloads from 2010 to 2014.
Artem Сhaykin. Android Application Security.
The document discusses security considerations for Android applications. It covers several key areas: hardcoded credentials and test data that should be removed before release; permissions for reading application logs and files; securing SQLite databases and content providers; properly configuring application components like activities, services, and broadcasts in the manifest; validating intent data; and securing client-server communication. The presentation provides guidance on how to address vulnerabilities in each of these areas, such as not logging sensitive data, restricting file permissions, and validating external input.
Android_Malware_IOAsis_2014_Analysis.pdf
es un análisis detallado sobre el malware que afecta a los dispositivos Android, realizado en el año 2014. Este estudio proporciona una visión completa del panorama del malware en esa época, incluyendo los métodos de propagación, las técnicas de infección y el impacto en los usuarios y sus dispositivos.
Android application development fundamentals
Some concepts to understand the things that relate to basics of development on the Android Platform. The presentation explains the concept of formation of virtual machine for each android app. It also explains the main components like Activities, Services, Content Provider and Broadcast Receiver. The purpose of Intent is also explained. One can also find a brief on things that one can write in the Manifest file. The types of resources have also been explained. Finally one learns to know about the android metrics.
Mobile application security
This document provides an overview of mobile application security testing. It discusses the mobile security stack including the infrastructure, hardware, operating system and application layers. It then covers topics like mobile threat modeling, mobile application auditing techniques including dynamic and static analysis. The document also discusses the OWASP top 10 mobile risks and provides case studies and demonstrations on pentesting real mobile applications and reverse engineering Android malware.
Mobile Application Security
This document provides an overview of mobile application security testing. It discusses the mobile security stack including the infrastructure, hardware, operating system and application layers. It then covers topics like mobile threat modeling, mobile application auditing techniques including dynamic and static analysis. The document also discusses the OWASP top 10 mobile risks and provides case studies and demonstrations on pentesting real mobile applications and reverse engineering Android malware.
03 android application structure
The document discusses the structure and components of an Android application. It describes the AndroidManifest.xml file which contains configuration settings and metadata. It also describes resources like layouts, strings and images which are externalized. Alternative resources can be provided for different configurations like screen sizes or languages. The document outlines how to access resources in code and XML. It also discusses using assets to include external files like HTML pages and images that are not given a resource ID.
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
As digital technology becomes more deeply embedded in power systems, protecting the communication
networks of Smart Grids (SG) has emerged as a critical concern. Distributed Network Protocol 3 (DNP3)
represents a multi-tiered application layer protocol extensively utilized in Supervisory Control and Data
Acquisition (SCADA)-based smart grids to facilitate real-time data gathering and control functionalities.
Robust Intrusion Detection Systems (IDS) are necessary for early threat detection and mitigation because
of the interconnection of these networks, which makes them vulnerable to a variety of cyberattacks. To
solve this issue, this paper develops a hybrid Deep Learning (DL) model specifically designed for intrusion
detection in smart grids. The proposed approach is a combination of the Convolutional Neural Network
(CNN) and the Long-Short-Term Memory algorithms (LSTM). We employed a recent intrusion detection
dataset (DNP3), which focuses on unauthorized commands and Denial of Service (DoS) cyberattacks, to
train and test our model. The results of our experiments show that our CNN-LSTM method is much better
at finding smart grid intrusions than other deep learning algorithms used for classification. In addition,
our proposed approach improves accuracy, precision, recall, and F1 score, achieving a high detection
accuracy rate of 99.50%.
More Related Content
Similar to Android security by ravi-rai
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
The workshop will also provide a thorough guide on how the mobile applications can be attacked and provide an overview of how some of the most important security checks for the applications are applied and get an in-depth understanding of these security checks.
Course Content:
Android Introduction & Basics
Setting up the Pen testing environment
Reverse engineering & runtime manipulation
Application dynamic runtime analysis
Application Components and security issues
Data and Network interception – manipulation and analysis
Defensive Tools & Techniques for Android application
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Android Reverse Engineering by Samrat Das
Abstract
• Intro to Reverse Engineering
• Short walkthough with Windows RE
• Introduction to Mobile Security Assessments
• Dalvik Virtual Machine vs JVM
• APK Walkthrough
• Components of Android
• Steps of Reverse Engineering Android Applications
• Hands-on demos on manual reversing of android apps
• Introduction to APPuse VM for droid assessments
• Detecting developer backdoors
• Creating Infected Android Applications
• Anti-Reversing | Obfuscation
Android pen test basics
The document covers topics related to Android penetration testing including the Android security model, software stack, content providers, and secure coding practices. The Android security model uses app isolation and each app runs in its own Dalvik Virtual Machine. Content providers manage access to structured app data and enable inter-process communication. Reverse engineering the APK file by extracting and decompiling it is demonstrated as part of the app security testing process. Common insecure practices like hardcoding sensitive data and lack of encryption are also discussed.
Getting started with Android pentesting
Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She is also a part-time bug bounty hunter and blogger. The document discusses Android security architecture, testing methodologies, common vulnerabilities, and security tips for developers. It covers topics such as Android security model, application components, static and dynamic testing tools, and the OWASP top 10.
Getting started with android
Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She also works as a part-time bug bounty hunter and blogger. The document discusses Android security architecture, which uses UID separation and sandboxing to isolate apps from each other. It describes tools used for static and dynamic Android application testing such as apktool, dex2jar, and Drozer. Common vulnerabilities found include OTP bypass, authentication bypass, and privilege escalation. The document provides tips for developers to store data safely, enforce secure communication, and implement least privilege permissions.
Reverse engineering android apps
With growth in app market it is essential to guard our android apps against possible threats, in this presentation we will walk through various tools and techniques which some one can use to reverse engineer an android app, we will see how some one can get access to APP DB, CODE, API, PREFERENCES.
We will also see different tools and techniques to guard our app against possible threats from code obfuscation with tools like dexgaurd to newer methods like verification of api calls using google play services.
This session was taken in Barcamp 13 bangalore http://barcampbangalore.org/bcb/bcb13/reverse-engineering-an-android-app-securing-your-android-apps-against-attacks
and bangalore android user group meetup Jan meetup http://www.meetup.com/blrdroid/events/100360682/
Android security and penetration testing | DIVA | Yogesh Ojha
This document provides an overview of Android security and penetration testing. It discusses the Android runtime environment and application fundamentals. It then examines the contents of an Android APK file, including the AndroidManifest.xml and code files. The document outlines the Android sandbox security model and various tools for decompiling and analyzing APKs. It introduces the DIVA vulnerable Android app and demonstrates several common security issues like insecure data storage, input validation problems, and ways to capture network traffic.
Securing android applications
The document discusses securing Android applications. It covers the Android architecture, permissions model, data storage, content providers, networking, SQLite encryption, static analysis, and obfuscation. The key topics are the Dalvik VM, sandbox model, permissions, signing applications, minimizing permissions, HTTPS for networking, SQLite encryption, Lint for static analysis, and Proguard for obfuscation.
Dissecting Android APK
This document provides an overview of reversing Android applications. It discusses the Android security model including permissions and ARM TrustZone. It describes real world Android malware like ransomware and data stealing malware. The structure of an Android APK file is explained including the dex, resources, libraries and manifest. Tools for analyzing APKs are introduced, like APKTool for decompiling and Dex2Jar for extracting dex files. The document demonstrates decompiling an APK and analyzing the smali code. It provides a glossary of related terms and references for further reading.
Thick Application Penetration Testing: Crash Course
Scott Sutherland discusses penetration testing thick applications. He explains why these applications create unique risks compared to web applications due to users having full control over the application environment. This allows attacks on trusted components, exposure of data and admin functions, and privilege escalation. Sutherland outlines the goals and process for testing thick applications, including common architectures, accessing the application, and testing the application's GUI, files, registry, network traffic, memory, and configurations to identify vulnerabilities.
Understanding android security model
This is the presentation on Android Security Model made at Android Dev Camp, March 4-6, 2011 at PayPal Campus.
Null mumbai-Android-Insecure-Data-Storage-Exploitation
This document discusses insecure data storage in Android applications. It provides an overview of common ways Android apps store data, such as Shared Preferences, SQLite databases, and internal/external storage. It notes that malware or physical access could exploit unencrypted or insecurely stored data. The document demonstrates extracting Shared Preference XML files and SQLite databases from an emulator for a banking app as an example of insecure data storage. It recommends storing data on a network/server or encrypting locally stored data on the device to help secure apps.
Android For Java Developers
This document provides an overview of the Android framework and development tools for Java developers. It summarizes the key components of the Android framework including the Linux kernel, Dalvik VM, core libraries, and application framework. It also describes the basic structure of an Android app, common elements like activities, intents, and layouts. Finally, it recommends resources for learning more about Android development.
Manish Chasta - Securing Android Applications
Mansih Chasta is a principal consultant at Indusface with over 6 years of experience in information and application security. The document discusses an upcoming training on analyzing and reverse engineering Android applications. It will cover topics like the Android SDK, setting up a GoatDroid application, memory analysis, intercepting layer 7 traffic, reverse engineering Android apps, SQLite database analysis, and demonstrating exploits on an ExploitMe application. Statistics are provided on growth in mobile app downloads from 2010 to 2014.
Artem Сhaykin. Android Application Security.
The document discusses security considerations for Android applications. It covers several key areas: hardcoded credentials and test data that should be removed before release; permissions for reading application logs and files; securing SQLite databases and content providers; properly configuring application components like activities, services, and broadcasts in the manifest; validating intent data; and securing client-server communication. The presentation provides guidance on how to address vulnerabilities in each of these areas, such as not logging sensitive data, restricting file permissions, and validating external input.
Android_Malware_IOAsis_2014_Analysis.pdf
es un análisis detallado sobre el malware que afecta a los dispositivos Android, realizado en el año 2014. Este estudio proporciona una visión completa del panorama del malware en esa época, incluyendo los métodos de propagación, las técnicas de infección y el impacto en los usuarios y sus dispositivos.
Android application development fundamentals
Some concepts to understand the things that relate to basics of development on the Android Platform. The presentation explains the concept of formation of virtual machine for each android app. It also explains the main components like Activities, Services, Content Provider and Broadcast Receiver. The purpose of Intent is also explained. One can also find a brief on things that one can write in the Manifest file. The types of resources have also been explained. Finally one learns to know about the android metrics.
Mobile application security
This document provides an overview of mobile application security testing. It discusses the mobile security stack including the infrastructure, hardware, operating system and application layers. It then covers topics like mobile threat modeling, mobile application auditing techniques including dynamic and static analysis. The document also discusses the OWASP top 10 mobile risks and provides case studies and demonstrations on pentesting real mobile applications and reverse engineering Android malware.
Mobile Application Security
This document provides an overview of mobile application security testing. It discusses the mobile security stack including the infrastructure, hardware, operating system and application layers. It then covers topics like mobile threat modeling, mobile application auditing techniques including dynamic and static analysis. The document also discusses the OWASP top 10 mobile risks and provides case studies and demonstrations on pentesting real mobile applications and reverse engineering Android malware.
03 android application structure
The document discusses the structure and components of an Android application. It describes the AndroidManifest.xml file which contains configuration settings and metadata. It also describes resources like layouts, strings and images which are externalized. Alternative resources can be provided for different configurations like screen sizes or languages. The document outlines how to access resources in code and XML. It also discusses using assets to include external files like HTML pages and images that are not given a resource ID.
Similar to Android security by ravi-rai (20)
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Recently uploaded
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
As digital technology becomes more deeply embedded in power systems, protecting the communication
networks of Smart Grids (SG) has emerged as a critical concern. Distributed Network Protocol 3 (DNP3)
represents a multi-tiered application layer protocol extensively utilized in Supervisory Control and Data
Acquisition (SCADA)-based smart grids to facilitate real-time data gathering and control functionalities.
Robust Intrusion Detection Systems (IDS) are necessary for early threat detection and mitigation because
of the interconnection of these networks, which makes them vulnerable to a variety of cyberattacks. To
solve this issue, this paper develops a hybrid Deep Learning (DL) model specifically designed for intrusion
detection in smart grids. The proposed approach is a combination of the Convolutional Neural Network
(CNN) and the Long-Short-Term Memory algorithms (LSTM). We employed a recent intrusion detection
dataset (DNP3), which focuses on unauthorized commands and Denial of Service (DoS) cyberattacks, to
train and test our model. The results of our experiments show that our CNN-LSTM method is much better
at finding smart grid intrusions than other deep learning algorithms used for classification. In addition,
our proposed approach improves accuracy, precision, recall, and F1 score, achieving a high detection
accuracy rate of 99.50%.
Gas agency management system project report.pdf
The project entitled "Gas Agency" is done to make the manual process easier by making it a computerized system for billing and maintaining stock. The Gas Agencies get the order request through phone calls or by personal from their customers and deliver the gas cylinders to their address based on their demand and previous delivery date. This process is made computerized and the customer's name, address and stock details are stored in a database. Based on this the billing for a customer is made simple and easier, since a customer order for gas can be accepted only after completing a certain period from the previous delivery. This can be calculated and billed easily through this. There are two types of delivery like domestic purpose use delivery and commercial purpose use delivery. The bill rate and capacity differs for both. This can be easily maintained and charged accordingly.
Applications of artificial Intelligence in Mechanical Engineering.pdf
Historically, mechanical engineering has relied heavily on human expertise and empirical methods to solve complex problems. With the introduction of computer-aided design (CAD) and finite element analysis (FEA), the field took its first steps towards digitization. These tools allowed engineers to simulate and analyze mechanical systems with greater accuracy and efficiency. However, the sheer volume of data generated by modern engineering systems and the increasing complexity of these systems have necessitated more advanced analytical tools, paving the way for AI.
AI offers the capability to process vast amounts of data, identify patterns, and make predictions with a level of speed and accuracy unattainable by traditional methods. This has profound implications for mechanical engineering, enabling more efficient design processes, predictive maintenance strategies, and optimized manufacturing operations. AI-driven tools can learn from historical data, adapt to new information, and continuously improve their performance, making them invaluable in tackling the multifaceted challenges of modern mechanical engineering.
Design and optimization of ion propulsion drone
Electric propulsion technology is widely used in many kinds of vehicles in recent years, and aircrafts are no exception. Technically, UAVs are electrically propelled but tend to produce a significant amount of noise and vibrations. Ion propulsion technology for drones is a potential solution to this problem. Ion propulsion technology is proven to be feasible in the earth’s atmosphere. The study presented in this article shows the design of EHD thrusters and power supply for ion propulsion drones along with performance optimization of high-voltage power supply for endurance in earth’s atmosphere.
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
原版一模一样【微信:741003700 】【(uofo毕业证书)美国俄勒冈大学毕业证成绩单】【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
办理(uofo毕业证书)美国俄勒冈大学毕业证【微信:741003700 】外观非常简单,由纸质材料制成,上面印有校徽、校名、毕业生姓名、专业等信息。
办理(uofo毕业证书)美国俄勒冈大学毕业证【微信:741003700 】格式相对统一,各专业都有相应的模板。通常包括以下部分:
校徽:象征着学校的荣誉和传承。
校名:学校英文全称
授予学位:本部分将注明获得的具体学位名称。
毕业生姓名:这是最重要的信息之一,标志着该证书是由特定人员获得的。
颁发日期:这是毕业正式生效的时间,也代表着毕业生学业的结束。
其他信息:根据不同的专业和学位,可能会有一些特定的信息或章节。
办理(uofo毕业证书)美国俄勒冈大学毕业证【微信:741003700 】价值很高,需要妥善保管。一般来说,应放置在安全、干燥、防潮的地方,避免长时间暴露在阳光下。如需使用,最好使用复印件而不是原件,以免丢失。
综上所述,办理(uofo毕业证书)美国俄勒冈大学毕业证【微信:741003700 】是证明身份和学历的高价值文件。外观简单庄重,格式统一,包括重要的个人信息和发布日期。对持有人来说,妥善保管是非常重要的。
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Climate change's impact on the planet forced the United Nations and governments to promote green energies and electric transportation. The deployments of photovoltaic (PV) and electric vehicle (EV) systems gained stronger momentum due to their numerous advantages over fossil fuel types. The advantages go beyond sustainability to reach financial support and stability. The work in this paper introduces the hybrid system between PV and EV to support industrial and commercial plants. This paper covers the theoretical framework of the proposed hybrid system including the required equation to complete the cost analysis when PV and EV are present. In addition, the proposed design diagram which sets the priorities and requirements of the system is presented. The proposed approach allows setup to advance their power stability, especially during power outages. The presented information supports researchers and plant owners to complete the necessary analysis while promoting the deployment of clean energy. The result of a case study that represents a dairy milk farmer supports the theoretical works and highlights its advanced benefits to existing plants. The short return on investment of the proposed approach supports the paper's novelty approach for the sustainable electrical system. In addition, the proposed system allows for an isolated power setup without the need for a transmission line which enhances the safety of the electrical network
一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
原版一模一样【微信:741003700 】【(osu毕业证书)美国俄勒冈州立大学毕业证成绩单】【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
办理(osu毕业证书)美国俄勒冈州立大学毕业证【微信:741003700 】外观非常简单,由纸质材料制成,上面印有校徽、校名、毕业生姓名、专业等信息。
办理(osu毕业证书)美国俄勒冈州立大学毕业证【微信:741003700 】格式相对统一,各专业都有相应的模板。通常包括以下部分:
校徽:象征着学校的荣誉和传承。
校名:学校英文全称
授予学位:本部分将注明获得的具体学位名称。
毕业生姓名:这是最重要的信息之一,标志着该证书是由特定人员获得的。
颁发日期:这是毕业正式生效的时间,也代表着毕业生学业的结束。
其他信息:根据不同的专业和学位,可能会有一些特定的信息或章节。
办理(osu毕业证书)美国俄勒冈州立大学毕业证【微信:741003700 】价值很高,需要妥善保管。一般来说,应放置在安全、干燥、防潮的地方,避免长时间暴露在阳光下。如需使用,最好使用复印件而不是原件,以免丢失。
综上所述,办理(osu毕业证书)美国俄勒冈州立大学毕业证【微信:741003700 】是证明身份和学历的高价值文件。外观简单庄重,格式统一,包括重要的个人信息和发布日期。对持有人来说,妥善保管是非常重要的。
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
Energy efficiency has been important since the latter part of the last century. The main object of this survey is to determine the energy efficiency knowledge among consumers. Two separate districts in Bangladesh are selected to conduct the survey on households and showrooms about the energy and seller also. The survey uses the data to find some regression equations from which it is easy to predict energy efficiency knowledge. The data is analyzed and calculated based on five important criteria. The initial target was to find some factors that help predict a person's energy efficiency knowledge. From the survey, it is found that the energy efficiency awareness among the people of our country is very low. Relationships between household energy use behaviors are estimated using a unique dataset of about 40 households and 20 showrooms in Bangladesh's Chapainawabganj and Bagerhat districts. Knowledge of energy consumption and energy efficiency technology options is found to be associated with household use of energy conservation practices. Household characteristics also influence household energy use behavior. Younger household cohorts are more likely to adopt energy-efficient technologies and energy conservation practices and place primary importance on energy saving for environmental reasons. Education also influences attitudes toward energy conservation in Bangladesh. Low-education households indicate they primarily save electricity for the environment while high-education households indicate they are motivated by environmental concerns.
Digital Twins Computer Networking Paper Presentation.pptx
A Digital Twin in computer networking is a virtual representation of a physical network, used to simulate, analyze, and optimize network performance and reliability. It leverages real-time data to enhance network management, predict issues, and improve decision-making processes.
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原件一模一样【微信:bwp0011】《(Humboldt毕业证书)柏林大学毕业证学位证》【微信:bwp0011】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问微bwp0011
【主营项目】
一.毕业证【微bwp0011】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【微bwp0011】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...
Variable frequency drive .A Variable Frequency Drive (VFD) is an electronic device used to control the speed and torque of an electric motor by varying the frequency and voltage of its power supply. VFDs are widely used in industrial applications for motor control, providing significant energy savings and precise motor operation.
Embedded machine learning-based road conditions and driving behavior monitoring
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
原版一模一样【微信:741003700 】【(爱大毕业证书)爱荷华大学毕业证成绩单】【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
办理(爱大毕业证书)爱荷华大学毕业证【微信:741003700 】外观非常简单,由纸质材料制成,上面印有校徽、校名、毕业生姓名、专业等信息。
办理(爱大毕业证书)爱荷华大学毕业证【微信:741003700 】格式相对统一,各专业都有相应的模板。通常包括以下部分:
校徽:象征着学校的荣誉和传承。
校名:学校英文全称
授予学位:本部分将注明获得的具体学位名称。
毕业生姓名:这是最重要的信息之一,标志着该证书是由特定人员获得的。
颁发日期:这是毕业正式生效的时间,也代表着毕业生学业的结束。
其他信息:根据不同的专业和学位,可能会有一些特定的信息或章节。
办理(爱大毕业证书)爱荷华大学毕业证【微信:741003700 】价值很高,需要妥善保管。一般来说,应放置在安全、干燥、防潮的地方,避免长时间暴露在阳光下。如需使用,最好使用复印件而不是原件,以免丢失。
综上所述,办理(爱大毕业证书)爱荷华大学毕业证【微信:741003700 】是证明身份和学历的高价值文件。外观简单庄重,格式统一,包括重要的个人信息和发布日期。对持有人来说,妥善保管是非常重要的。
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
This document serves as a comprehensive step-by-step guide on how to effectively use PyCharm for remote debugging of the Windows Subsystem for Linux (WSL) on a local Windows machine. It meticulously outlines several critical steps in the process, starting with the crucial task of enabling permissions, followed by the installation and configuration of WSL.
The guide then proceeds to explain how to set up the SSH service within the WSL environment, an integral part of the process. Alongside this, it also provides detailed instructions on how to modify the inbound rules of the Windows firewall to facilitate the process, ensuring that there are no connectivity issues that could potentially hinder the debugging process.
The document further emphasizes on the importance of checking the connection between the Windows and WSL environments, providing instructions on how to ensure that the connection is optimal and ready for remote debugging.
It also offers an in-depth guide on how to configure the WSL interpreter and files within the PyCharm environment. This is essential for ensuring that the debugging process is set up correctly and that the program can be run effectively within the WSL terminal.
Additionally, the document provides guidance on how to set up breakpoints for debugging, a fundamental aspect of the debugging process which allows the developer to stop the execution of their code at certain points and inspect their program at those stages.
Finally, the document concludes by providing a link to a reference blog. This blog offers additional information and guidance on configuring the remote Python interpreter in PyCharm, providing the reader with a well-rounded understanding of the process.
Comparative analysis between traditional aquaponics and reconstructed aquapon...
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
Recently uploaded (20)
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
Applications of artificial Intelligence in Mechanical Engineering.pdf
Applications of artificial Intelligence in Mechanical Engineering.pdf
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
Digital Twins Computer Networking Paper Presentation.pptx
Digital Twins Computer Networking Paper Presentation.pptx
VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...
VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Android security by ravi-rai
- 1. Android Security By – Ravi Rai
- 2. Google Android Linux + Java + Google’s Magic = Android Open distribution model Android Market, Amazon Appstore, Verizon V Cast Application capabilities are granted by permission User settings to enable/disable installation from untrusted source Rooting
- 3. Key Terms DVM – All application run’s under a virtual environment is called davalik virtual environment DVM executes files in format is called .dex You Could use utility provided by SDK itself called adb
- 4. Basics Commands # adb devices ( List down all connected devices ) # adb shell ( shell interaction) # ps ( List out all process’s)
- 5. File System Binaries as Command /system/bin /system/xbin Application data /data/app App need to buy /data/app-private /
- 6. Android package (.apk) Default extension of android application . It is archived file contains all necessary files and folders Files and folders can be extracted using 7zip or winrar
- 7. Apk File structure APK Classes.dex Androidmanif est.xml Resources.ar sc Lib Res Assets Meta-inf
- 8. Screen Lock /Pattern Lock Cracking Location of pattern lock and screen lock (/data/system) # cd /data/system #ls Gesture. Key Password .Key #rm gesture.key (Note – phone should be rooted)
- 10. Content Provider leakage Content Provider – All application use content provider to store data within application . Unless restriction has been there any content provider can access with permission by using defined content provider All providers have unique resource identifier (URI) in order to identify query
- 11. Content Provider leakage (Cont.) All content provider tool need to be registered in andoidmanifest.xml Use apktool to decompile androidmanifest.xml file
- 12. Testing for content provider leakage Step 1 # apktool d appname.apk (It will list out all files of android application) Step 2 # grep –R ‘content://’ android manifest (Check into manifest file and use grep command to search for key words of content providers
- 13. Testing for content provider leakage (Cont) Step 3 #adb install vulnerable-app.apk adb shell content query -uri Install application in emulator in order to query and confirm vulnerability
- 14. Dozer for Automatic testing of content leakage # Dozer console connect Dz> run app.provided.finduri ( It will search for content provider in android manifest file)
- 15. Countermeasure Configuration of android manifest.xml is Android:exported =false
- 16. Insecure File storage No correct permissions leads to this issue Many application store very sensitive information in application file Generally game scores and credit points store in local memory Loosely configured permission can allow other application’s to read data
- 17. Steps #adb shells #cd /data/data #ls –l ( to see all file permissions) #Ls –l /data/data/com.ravi.example/file’s/useri nfo.xml #Grep ‘password ‘/data/data/com.ravi.example/file’s/useri nfo.xml
- 18. Countermeasure Provide proper permission and properly hash and salt values
- 19. Path Traversal Vulnerability A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
- 20. Tools Tool – Dozer dz> run app.provider.finduri Dz> run app.provider.read:content Check for android file system and possible search inside base system
- 21. 21 Client Side Injection • Apps using browser libraries • Pure web apps • Hybrid web/native apps • Some familiar faces • XSS and HTML Injection • SQL Injection • New and exciting twists • Abusing phone dialer + SMS • Abusing in-app payments Impact • Device compromise • Toll fraud • Privilege escalation
- 22. 22 M4- Client Side Injection Garden Variety XSS…. With access to:
- 23. Testing Injection Dz> run app.provider.query (URI) projection “* from sqlite_master where type = ‘table’ ; --
- 24. Thank you Question ?????????????