Uploaded byVodqaBLR
276 views

Android security testing

This document summarizes information from a presentation on pen testing Android apps. It discusses the Android application development cycle, the OWASP Mobile Top 10 security risks, additional focus areas beyond the top 10 like secure data storage and preventing reverse engineering. It also outlines some Android Pie security enhancements like the hardware security module and defaulting to HTTPS. The presentation concludes by thanking the audience.

Embed presentation

Download to read offline
Pen Test Android Apps VodQA Bangalore 2018 Srinivasan Sekar srinivasantarget sekars@thoughtworks.com
Expectations?
Android Application Dev Cycle .dex zipped into .apk file Java Source Code Java Compiler Java Byte Code Dex Compiler Dalvik Byte Code Dalvik Executable
OWASP Mobile Top 10
OWASP Mobile Top 10 Improper platform usage: • Misuse of a mobile operating system feature • lack of platform security controls/permission models Insecure data storage: • 25 percent of mobile apps have at least one high risk security or privacy flaw • Vulnerabilities leak personal information that can be used for illicit purposes. Insecure authentication: • Category includes session management issues, privacy issues related to authentication • User identification tokens are compromised. Reverse engineering: • Analyze an app’s source code, libraries, algorithms, and more • With deeper knowledge of an app’s functionality and how it works, an attacker can more easily identify flaws they can exploit
Beyond Top 10 Focus on Data: • Implement secure data storage • Certificate and Public key pinning Thwart reverse engineering: • Shrink your code and resources (https://developer.android.com/studio/build/shrink-code) Security as part of quality Embrace least privilege: • Access control mechanism to allow apps access device resources Monitor external libraries and standards implementation:
Reverse Engineering Arsenals
Android Pie Security Enhancements ❏ Hardware security module ❏ BioMetric APIs ❏ Compiler level mitigations ❏ HTTPS by default ❏ App permissions
THANK YOU Srinivasan Sekar srinivasantarget sekars@thoughtworks.com

More Related Content

PDF
Mobile arsenal
byAckcent
 
PDF
Reducing Risk of Credential Compromise at Netflix
bySBWebinars
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
PDF
Domain Driven Security at Internetdagarna-2014
byDan BerghJohnsson
 
PDF
Testing Web Application Security
byTed Husted
 
PPTX
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
byAnant Shrivastava
 
PDF
Introduction to Security Testing
byvodQA
 
PPS
Security testing
byTabăra de Testare
 
Mobile arsenal
byAckcent
 
Reducing Risk of Credential Compromise at Netflix
bySBWebinars
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
Domain Driven Security at Internetdagarna-2014
byDan BerghJohnsson
 
Testing Web Application Security
byTed Husted
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
byAnant Shrivastava
 
Introduction to Security Testing
byvodQA
 
Security testing
byTabăra de Testare
 

What's hot

PPTX
Mobile application security
byShubhneet Goel
 
PDF
Security testing presentation
byConfiz
 
PPTX
How to produce more secure web apps
byDamilola Longe, CISSP, CCSP, MSc
 
PPTX
iOS Security: The Never-Ending Story of Malicious Profiles
byYair Amit
 
PPTX
Security Testing
byQualitest
 
PDF
Security testing in mobile applications
byJose Manuel Ortega Candel
 
PDF
Attacking android insecurity
byGodfrey Nolan
 
PPTX
Web Application Security 101
byJannis Kirschner
 
PPTX
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
byAjin Abraham
 
PPT
Get Ready for Web Application Security Testing
byAlan Kan
 
PPTX
Security testing fundamentals
byCygnet Infotech
 
PDF
Abhilash Owk - Resume
byabhilashowk
 
PPT
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
PPTX
Security Testing Training With Examples
byAlwin Thayyil
 
PPT
Step by step guide for web application security testing
byAvyaan, Web Security Company in India
 
PPTX
Webinar mobile apps sec
byIndra Zulkarnain
 
PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
PDF
Decompiling Android Workshop
byGodfrey Nolan
 
PDF
You installed what Thierry Sans
byOWASP-Qatar Chapter
 
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
byAll Things Open
 
Mobile application security
byShubhneet Goel
 
Security testing presentation
byConfiz
 
How to produce more secure web apps
byDamilola Longe, CISSP, CCSP, MSc
 
iOS Security: The Never-Ending Story of Malicious Profiles
byYair Amit
 
Security Testing
byQualitest
 
Security testing in mobile applications
byJose Manuel Ortega Candel
 
Attacking android insecurity
byGodfrey Nolan
 
Web Application Security 101
byJannis Kirschner
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
byAjin Abraham
 
Get Ready for Web Application Security Testing
byAlan Kan
 
Security testing fundamentals
byCygnet Infotech
 
Abhilash Owk - Resume
byabhilashowk
 
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
Security Testing Training With Examples
byAlwin Thayyil
 
Step by step guide for web application security testing
byAvyaan, Web Security Company in India
 
Webinar mobile apps sec
byIndra Zulkarnain
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
Decompiling Android Workshop
byGodfrey Nolan
 
You installed what Thierry Sans
byOWASP-Qatar Chapter
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
byAll Things Open
 

Similar to Android security testing

PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
PPTX
Android pen test basics
byOWASPKerala
 
PPTX
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
byRomansh Yadav
 
PDF
Getting started with Android pentesting
byMinali Arora
 
PDF
Owasp masvs spain 17
byLuis A. Solís
 
PPTX
Getting started with android
byVandana Verma
 
PDF
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
PDF
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 
PPTX
Android pentesting
byMykhailo Antonishyn
 
PPTX
Secure Android Apps- nVisium Security
byJack Mannino
 
PDF
Attacking and Defending Mobile Applications
byJerod Brennen
 
PPTX
Security testing of mobile applications
byGTestClub
 
PPTX
[Wroclaw #1] Android Security Workshop
byOWASP
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
PDF
Getting started with hacking android & i os apps tools, techniques and re...
byn|u - The Open Security Community
 
PDF
Android Application Security from consumer and developer perspectives
byAyoma Wijethunga
 
PDF
DEF CON 27 - workshop - POLOTO - hacking the android apk
byFelipe Prado
 
PPTX
Untitled 1
bySergey Kochergan
 
PPTX
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
bySina Manavi
 
PDF
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
Android pen test basics
byOWASPKerala
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
byRomansh Yadav
 
Getting started with Android pentesting
byMinali Arora
 
Owasp masvs spain 17
byLuis A. Solís
 
Getting started with android
byVandana Verma
 
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 
Android pentesting
byMykhailo Antonishyn
 
Secure Android Apps- nVisium Security
byJack Mannino
 
Attacking and Defending Mobile Applications
byJerod Brennen
 
Security testing of mobile applications
byGTestClub
 
[Wroclaw #1] Android Security Workshop
byOWASP
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
Getting started with hacking android & i os apps tools, techniques and re...
byn|u - The Open Security Community
 
Android Application Security from consumer and developer perspectives
byAyoma Wijethunga
 
DEF CON 27 - workshop - POLOTO - hacking the android apk
byFelipe Prado
 
Untitled 1
bySergey Kochergan
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
bySina Manavi
 
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 

More from VodqaBLR

PPTX
Consumer-Driven Contract Testing PACT
byVodqaBLR
 
PPTX
Taiko presentation
byVodqaBLR
 
PPT
Chatbot Testing
byVodqaBLR
 
PPTX
Key Note VodQA(Bangalore) 2018
byVodqaBLR
 
PDF
Advance appium workshop.pptx
byVodqaBLR
 
PDF
Blockchain workshop
byVodqaBLR
 
PPTX
Testing natural language processing
byVodqaBLR
 
PPTX
Drive chrome(headless) with puppeteer
byVodqaBLR
 
PPTX
Improve your Chaos IQ
byVodqaBLR
 
PPTX
WebDriver Lamda - Next Gen Scalable Test
byVodqaBLR
 
PPTX
Testing Tools with AI
byVodqaBLR
 
PPTX
Dynamic Security Analysis & Static Security Analysis for Android Apps.
byVodqaBLR
 
PDF
Visual testing for Mobile Native Applications
byVodqaBLR
 
PPTX
Parallel Sim Test using XCUI
byVodqaBLR
 
PPTX
Performance Testing using Taurus
byVodqaBLR
 
PPTX
Writing Maintainable Tests
byVodqaBLR
 
PPTX
Continuous security testing - sharing responsibility
byVodqaBLR
 
PPTX
ABCing docker with environments - workshop
byVodqaBLR
 
PDF
Automate Web or Mobile Analytics using TrakMatic
byVodqaBLR
 
PPTX
Quality Assurance in Healthcare
byVodqaBLR
 
Consumer-Driven Contract Testing PACT
byVodqaBLR
 
Taiko presentation
byVodqaBLR
 
Chatbot Testing
byVodqaBLR
 
Key Note VodQA(Bangalore) 2018
byVodqaBLR
 
Advance appium workshop.pptx
byVodqaBLR
 
Blockchain workshop
byVodqaBLR
 
Testing natural language processing
byVodqaBLR
 
Drive chrome(headless) with puppeteer
byVodqaBLR
 
Improve your Chaos IQ
byVodqaBLR
 
WebDriver Lamda - Next Gen Scalable Test
byVodqaBLR
 
Testing Tools with AI
byVodqaBLR
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
byVodqaBLR
 
Visual testing for Mobile Native Applications
byVodqaBLR
 
Parallel Sim Test using XCUI
byVodqaBLR
 
Performance Testing using Taurus
byVodqaBLR
 
Writing Maintainable Tests
byVodqaBLR
 
Continuous security testing - sharing responsibility
byVodqaBLR
 
ABCing docker with environments - workshop
byVodqaBLR
 
Automate Web or Mobile Analytics using TrakMatic
byVodqaBLR
 
Quality Assurance in Healthcare
byVodqaBLR
 

Recently uploaded

PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PPTX
Introduction to n8n infrstructure and ho to install it
byMassimiliano Iommi
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
PPTX
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PPTX
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
Ultimate Guide to CMMS An In-Depth Analysis - Zapium
byhello208828
 
PDF
Research-Driven Development: Navigating the Generative Era in Software
byCadabra Studio
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Project Tracking in Software Project Management
bySahanaBarveen1
 
PDF
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
PDF
Odoo ERP Implementation Setup: Step-by-Step Process
byShiv Technolabs Pvt. Ltd.
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PPTX
Salesforce Spring '26 Release presentation - Melbourne Salesforce User Group
byAnne N
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
Introduction to n8n infrstructure and ho to install it
byMassimiliano Iommi
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Ultimate Guide to CMMS An In-Depth Analysis - Zapium
byhello208828
 
Research-Driven Development: Navigating the Generative Era in Software
byCadabra Studio
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Project Tracking in Software Project Management
bySahanaBarveen1
 
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
Odoo ERP Implementation Setup: Step-by-Step Process
byShiv Technolabs Pvt. Ltd.
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Salesforce Spring '26 Release presentation - Melbourne Salesforce User Group
byAnne N
 

Android security testing

  • 1.
    Pen Test AndroidApps VodQA Bangalore 2018 Srinivasan Sekar srinivasantarget sekars@thoughtworks.com
  • 2.
  • 3.
    Android Application DevCycle .dex zipped into .apk file Java Source Code Java Compiler Java Byte Code Dex Compiler Dalvik Byte Code Dalvik Executable
  • 4.
  • 5.
    OWASP Mobile Top10 Improper platform usage: • Misuse of a mobile operating system feature • lack of platform security controls/permission models Insecure data storage: • 25 percent of mobile apps have at least one high risk security or privacy flaw • Vulnerabilities leak personal information that can be used for illicit purposes. Insecure authentication: • Category includes session management issues, privacy issues related to authentication • User identification tokens are compromised. Reverse engineering: • Analyze an app’s source code, libraries, algorithms, and more • With deeper knowledge of an app’s functionality and how it works, an attacker can more easily identify flaws they can exploit
  • 6.
    Beyond Top 10 Focuson Data: • Implement secure data storage • Certificate and Public key pinning Thwart reverse engineering: • Shrink your code and resources (https://developer.android.com/studio/build/shrink-code) Security as part of quality Embrace least privilege: • Access control mechanism to allow apps access device resources Monitor external libraries and standards implementation:
  • 7.
  • 8.
    Android Pie SecurityEnhancements ❏ Hardware security module ❏ BioMetric APIs ❏ Compiler level mitigations ❏ HTTPS by default ❏ App permissions
  • 9.