2. A cyber security professional with almost 6
years of experience
Demonstrated areas of work: Application &
Network Pentesting, Bash Scripting and Red
Teaming
Part-time bug bounty hunter and blogger
https://medium.com/@minaliarora
Loves to read about psychology
Follow me on Twitter: @AroraMinali
3. Android Overview
Android Architecture
Android Security Model
Android App Testing
OWASP Top 10
Security tips for Developers
6. Android’s security model rests on two Linux mechanisms:
◦ UID separation
◦ Sandboxing
At install time Android assigns each application its own Linux
UID and GID (the user name u0_a123, for example, is UID 10123);
the kernel then enforces that identity at run time through its
normal process and file permission checks.
Thus, an application runs in its own sandbox: its private data
directory under /data/data/<package> is owned by its UID, and
another app can neither read that data nor interfere with its
processes unless the developer opens a door (an exported
component, world-readable file modes, or a shared UID declared
with sharedUserId).
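The UID separation described above is something a tester verifies from a root shell rather than takes on trust. The following script is an added example, not part of the original slides: it parses the kind of output seen from `adb shell ps -A` and `adb shell ls -l` inside an app's private data directory, translates Android user names such as u0_a123 into the numeric UID the kernel enforces, reports packages that share a UID, and flags files whose mode lets other UIDs read or write them (the usual symptom of MODE_WORLD_READABLE or a chmod 666 left in by the developer). The sample `ps` and `ls` output and the package names are constructed for the example.

```python
"""Check Android's per-app sandbox from a rooted device's ps/ls output.

Added example for the UID-separation slide; not the original page's code.
The SAMPLE_PS / SAMPLE_LS strings are constructed to look like toybox
`ps -A` and `ls -l` output and contain fictitious package names.
"""
import re

# u<userId>_a<appIndex>  ->  userId*100000 + (10000 + appIndex)
UID_RE = re.compile(r"^u(?P<user>\d+)_a(?P<app>\d+)$")

SAMPLE_PS = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   43192   6976 0                   0 S init
system         555     1 2148656 182052 0                   0 S system_server
u0_a123       1777   555 1456844 120000 0                   0 S com.example.bank
u0_a124       1801   555 1390120  98000 0                   0 S com.example.other
u0_a123       1850   555 1300000  90000 0                   0 S com.example.bankplugin
"""

# Constructed `ls -lR`-style listing of /data/data/com.example.bank
SAMPLE_LS = """\
total 24
drwxrwx--x 2 u0_a123 u0_a123 4096 2019-08-01 10:00 cache
drwxrwx--x 2 u0_a123 u0_a123 4096 2019-08-01 10:00 shared_prefs
-rw------- 1 u0_a123 u0_a123  512 2019-08-01 10:00 shared_prefs/session.xml
-rw-rw-rw- 1 u0_a123 u0_a123  512 2019-08-01 10:00 shared_prefs/legacy_prefs.xml
-rw-r--r-- 1 u0_a123 u0_a123 2048 2019-08-01 10:00 databases/app.db
"""


def app_uid(user_name):
    """Numeric UID for an app user name (u0_a123 -> 10123); None for
    root/system/shell and for u0_iNNN isolated-process users."""
    m = UID_RE.match(user_name)
    if not m:
        return None
    return int(m.group("user")) * 100000 + 10000 + int(m.group("app"))


def parse_ps(ps_output):
    """Map process NAME -> USER column from `ps -A` output (header skipped)."""
    procs = {}
    for line in ps_output.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 9:
            procs[fields[-1]] = fields[0]
    return procs


def shared_uids(procs):
    """App users under which more than one package runs: these packages
    share one sandbox (android:sharedUserId), so a bug in one exposes the
    other's private data."""
    by_user = {}
    for name, user in procs.items():
        if app_uid(user) is not None:
            by_user.setdefault(user, []).append(name)
    return {u: sorted(n) for u, n in by_user.items() if len(n) > 1}


def world_accessible(ls_output):
    """(path, mode, problem) for regular files any other UID can read or
    write; execute-only directory bits (drwxrwx--x) are normal and ignored."""
    findings = []
    for line in ls_output.strip().splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[0].startswith("-"):
            continue  # 'total' line, directories, symlinks
        mode, path = fields[0], fields[7]
        other_r, other_w = mode[7], mode[8]
        problems = []
        if other_r == "r":
            problems.append("world-readable")
        if other_w == "w":
            problems.append("world-writable")
        if problems:
            findings.append((path, mode, ", ".join(problems)))
    return findings


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for name, user in procs.items():
        print(f"{name:28} {user:10} uid={app_uid(user)}")
    print("shared UIDs:", shared_uids(procs))
    for path, mode, problem in world_accessible(SAMPLE_LS):
        print(f"{mode} {path}: {problem}")
```

On a real device the same functions take the captured output of `adb shell su -c 'ps -A'` and `adb shell su -c 'ls -lR /data/data/<package>'`; any hit from `world_accessible` is an insecure-storage finding, and a package listed by `shared_uids` should be tested together with the apps it shares its UID with.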
10. Root your device (if you use an emulator, make sure it
is already rooted)
Allow unknown sources (Settings -> Security) so sideloaded
APKs can be installed
Install the application
Connect the device/emulator to an intercepting proxy
(e.g. Burp): point the device’s Wi-Fi proxy at the Burp
listener and install Burp’s CA certificate on the device,
otherwise HTTPS traffic cannot be read
12. The methodology for testing an Android application can be
broadly divided into two categories:
Static Testing
Dynamic Testing
Static testing means reversing the APK and reading what it
contains (manifest, decompiled code, bundled resources and
secrets) without running it; dynamic testing means running
the app and observing its behaviour: the network traffic
through the proxy, the data it writes to local storage, and
how its exported components react when called from outside
15. Android SDK: a software development kit containing
API libraries and developer tools to build, test and
debug Android apps
In our context the important ones are adb, aapt
(inspect an APK’s manifest and resources) and the emulator
16. Android Debug Bridge (adb): command line tool to
communicate with an emulator instance or a connected
physical/virtual device
Useful commands:
adb devices (list attached devices and emulators)
adb connect <host>:<port> (attach to a device over TCP/IP)
adb shell (open a shell on the device; su gives root on a
rooted device)
adb install <apk> (install an APK)
adb push <local> <remote> / adb pull <remote> <local> (copy
files to and from the device, e.g. pull an installed APK
from the path printed by adb shell pm path <package>)
17. apktool: decodes and reverse engineers an Android
application: it disassembles classes.dex to smali and
decodes AndroidManifest.xml and the resources into
readable form (and can rebuild a modified APK with
apktool b)
Command: apktool d <apk file>
18. dex2jar: converts the dex file to a jar of ordinary
Java class files; a decompiler such as JD-GUI then turns
that jar into reconstructed source that can be read
Command: d2j-dex2jar <apk file>
21. Drozer: one of the most widely used tools for Android security
testing. A security testing framework (an agent app on the device
plus a console on the host), great for determining an app’s attack
surface (exported activities, services, broadcast receivers and
content providers) and interacting with it.
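The attack surface drozer reports comes from the app's manifest, which apktool has already decoded to plain XML. The script below is an added example, not part of the original slides and not drozer's or apktool's own code: it applies Android's export rules to a decoded AndroidManifest.xml (an explicit android:exported wins; otherwise a component with an intent-filter is exported, and a content provider without the attribute is exported only when targetSdkVersion is below 17) and lists every exported component with the permission that protects it, plus the application-level flags a tester checks first (debuggable, allowBackup, cleartext traffic). The sample manifest, package and component names are constructed for the example.

```python
"""List an app's attack surface from an apktool-decoded AndroidManifest.xml.

Added example; not code from the original slides, apktool or drozer.
SAMPLE_MANIFEST is a constructed manifest with fictitious components.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="bank"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="false"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
        android:authorities="com.example.bank.provider"
        android:exported="true"
        android:readPermission="com.example.bank.READ"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component, target_sdk):
    """Android's default export rules (pre-Android 12 semantics)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    if component.find("intent-filter") is not None:
        return True  # implicit export for components with a filter
    if component.tag == "provider":
        # providers defaulted to exported before targetSdkVersion 17
        return target_sdk is not None and target_sdk < 17
    return False


def attack_surface(manifest_xml):
    """Return package flags and [(kind, name, [permissions])] for every
    exported component; an empty permission list means anyone can call it."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = None
    if uses_sdk is not None and attr(uses_sdk, "targetSdkVersion"):
        target_sdk = int(attr(uses_sdk, "targetSdkVersion"))
    app = root.find("application")
    cleartext = attr(app, "usesCleartextTraffic")
    result = {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "debuggable": attr(app, "debuggable") == "true",
        "allowBackup": attr(app, "allowBackup") != "false",  # default true
        # cleartext is allowed by default below targetSdk 28; unknown
        # targetSdk is treated as the permissive case
        "cleartext_traffic": cleartext == "true"
        or (cleartext is None and (target_sdk is None or target_sdk < 28)),
        "exported": [],
    }
    for comp in app:
        if comp.tag in COMPONENTS and is_exported(comp, target_sdk):
            perms = [p for p in (attr(comp, "permission"),
                                 attr(comp, "readPermission"),
                                 attr(comp, "writePermission")) if p]
            result["exported"].append((comp.tag, attr(comp, "name"), perms))
    return result


if __name__ == "__main__":
    # Usage: python attack_surface.py <apktool-output>/AndroidManifest.xml
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    report = attack_surface(xml_text)
    print(f"Package: {report['package']}  debuggable={report['debuggable']}"
          f"  allowBackup={report['allowBackup']}"
          f"  cleartext={report['cleartext_traffic']}")
    for kind, name, perms in report["exported"]:
        guard = ", ".join(perms) if perms else "NO PERMISSION"
        print(f"  exported {kind:8} {name:20} [{guard}]")
```

Run it against the AndroidManifest.xml that `apktool d` produces; every component printed with NO PERMISSION is a target for the dynamic phase (start it with `am start`, send it a broadcast, or query the provider from drozer or a second test app), and a debuggable or backup-enabled release build is a finding on its own.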
23. Most common vulnerabilities found during Android
application testing:
OTP bypass (one-time password checks enforced only on the client,
or codes that are reusable/brute-forceable)
Authentication bypass
IDOR (insecure direct object references in the backend API)
Information leakage (secrets in the APK, logs, or local storage)
Privilege escalation (e.g. through exported components)
26. Store data safely (keep sensitive data in the app’s private
internal storage, never on external/shared storage)
Enforce secure communication (HTTPS only; a network security
config can forbid cleartext traffic outright)
Use WebView objects carefully (enable JavaScript and
addJavascriptInterface only when required, and load only trusted
content)
Request only the permissions the application really needs
Update the security provider (ProviderInstaller) to protect
against exploits in the platform’s SSL/TLS stack
Store only non-sensitive data in cache files
Use shared preferences in private mode (MODE_PRIVATE)
https://developer.android.com/topic/security/best-practices