KEMBAR78
The art of android hacking | PDF
Abhinav Mishra, profile picture
Uploaded byAbhinav Mishra
1,209 views

The art of android hacking

This document discusses Android application security and provides an overview of assessing Android applications for vulnerabilities. It covers Android architecture, application structure, tools for analysis including emulators and Drozer, and demonstrates reversing an APK file. The document also lists examples of vulnerabilities the presenter has found in Android apps with associated bounty amounts, and how to detect each one. It proposes using a virtual machine called Droider for Android application assessments.

Downloaded 41 times
The Art Of Android Hacking by, Abhinav Mishra (0ctac0der)
Who is this weird tall guy?? Abhinav Mishra | @0ctac0der Senior Security Consultant @ TOTHENEW Digital Top 5 Mobile Security Researcher | Synack Red Team (@SynackRedTeam) Web and Mobile Application Security Researcher Bug Bounty Hunter, Speaker, Trainer, Traveler, Movie buff Have you seen “Mr. Robot” ? Any comments? Link
What is he talking about?? ● Android application security ○ Android architecture ○ Application structure ○ Cool tools and distributions ○ Emulators, Devices, Attacks, Vulnerabilities ….. ● What (& How) to look for in an android application ● Some interesting findings ● (Random talks) ● Cool demonstrations ● Next steps to learn android appsec
Que le jeu commence….. Quick Questions ● What all you know about android… ● Application structure ● Vulnerability ? Okay, my turn now ● What you want to know/learn? ● What you want me to demo? ● Any tool you love? We can talk….
Quick Android Walkthrough ● Linux Kernel ● Privilege separation Model (UID & GID) ● Android Permission model (android manifest) ● APK components: ○ AndroidManifest.xml ○ Classes.dex ○ META-INF ○ Resources.arsc ○ Assets ○ Res ○ Lib
Reversing a cute APK Things I am going to do in next 10-15 minutes: ● Choose any apk ● Decompile with apktool | $apktool d package_name.apk ● Read and understand the AndroidManifest.xml ● Showing components in the code: ○ Activities, Broadcast receivers, Content providers …. ● Extract the apk with any extractor ● Change the classes.dex to jar | $dex2jar classes.dex ● Show multiple java classes ● Possible issues to be discovered ● SMALI files and converting to JAR
Tools & Demos ● Emulators??? ○ Genymotion ○ Android Studio | AVD ● ADB (Android Debug Bridge) ○ $adb install ○ $ adb pull / push ● AppUse Virtual Machine ● Android Monitor / Logcat ● Application Local files
Drozer Basics ● Drozer client and server ● Setting up the console ● Basic commands: ○ $ run app.packer.list ○ $run app.package.info ○ $run app.package.attacksurface ○ $ run app.activity.start
15 min checks 1. Debuggable | Backup : True ??? 2. AndroidManifest: Permissions 3. Hardcoded stuff 4. SSL Pinning ?? 5. Drozer: attack surface | exported components 6. Local storage encryption 7. Sdcard storage | public folder usage 8. TLS protection check
Because Money matters Vulnerability 1 Date: Mar-2014 Issue: Debuggable = True Bounty: $500 How to check: APK AndroidManifest.xml “debuggable=true”
Because Money matters Vulnerability 2 Date: May-2015 Issue: App fragment injection Bounty: $250 How to check: Anyone?
Because Money matters Vulnerability 3 Date: May-2015 Issue: Hardcoded Account Credentials Bounty: $200 How to check: Anyone?
Because Money matters Vulnerability 4 Date: June-2015 Issue: Exported component malicious usage Bounty: $1000 How to check: Anyone?
Because Money matters Vulnerability 5 Date: Oct-2015 Issue: Parameter manipulation Bounty: $1000 How to check: Let me explain this one to you.
My virtual machine (Droider) Prerequisites ● 16 GB RAM ● Intel COREi7 processor ● 500 GB free hard disk space ● Minimum internet speed required 50 MBPS ● Google Nexus 7 device, rooted
What Next …. ● Learn more ● Read online ● Use tools: Drozer, QARK etc. ● Start practising

More Related Content

PPTX
Peerlyst Delhi NCR Chapter Meet
byAbhinav Mishra
 
PDF
Android Hacking
byantitree
 
PDF
Learning by hacking - android application hacking tutorial
byLandice Fu
 
PDF
Hacking your Android (slides)
byJustin Hoang
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
PPTX
[Wroclaw #1] Android Security Workshop
byOWASP
 
PDF
Hacking android apps by srini0x00
bysrini0x00
 
PDF
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 
Peerlyst Delhi NCR Chapter Meet
byAbhinav Mishra
 
Android Hacking
byantitree
 
Learning by hacking - android application hacking tutorial
byLandice Fu
 
Hacking your Android (slides)
byJustin Hoang
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
[Wroclaw #1] Android Security Workshop
byOWASP
 
Hacking android apps by srini0x00
bysrini0x00
 
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 

What's hot

PDF
My Null Android Penetration Session
byAvinash Sinha
 
PPTX
Pentesting Android Applications
byCláudio André
 
PPTX
[Wroclaw #2] iOS Security - 101
byOWASP
 
PDF
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
byAnant Shrivastava
 
PDF
Mobile Application Pentest [Fast-Track]
byPrathan Phongthiproek
 
PDF
Android Security & Penetration Testing
bySubho Halder
 
PDF
Owasp advanced mobile-application-code-review-techniques-v0.2
bydrewz lin
 
PDF
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
PDF
Stealing sensitive data from android phones the hacker way
byn|u - The Open Security Community
 
PPTX
Webinar On Ethical Hacking & Cybersecurity - Day2
byMohammed Adam
 
PDF
Security Best Practices for Mobile Development
bySalesforce Developers
 
PPTX
Ransomware - what is it, how to protect against it
byZoltan Balazs
 
PDF
Android Tamer (Anant Shrivastava)
byClubHack
 
PDF
Android Security Development
byhackstuff
 
PDF
Security Issues in Android Custom ROM
byAnant Shrivastava
 
PDF
Android App Hacking - Erez Metula, AppSec
byDroidConTLV
 
PPTX
Hacking with Remote Admin Tools (RAT)
byZoltan Balazs
 
PDF
BYOM Build Your Own Methodology (in Mobile Forensics)
byReality Net System Solutions
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
PDF
Android Security - Common Security Pitfalls in Android Applications
byBlrDroid
 
My Null Android Penetration Session
byAvinash Sinha
 
Pentesting Android Applications
byCláudio André
 
[Wroclaw #2] iOS Security - 101
byOWASP
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
byAnant Shrivastava
 
Mobile Application Pentest [Fast-Track]
byPrathan Phongthiproek
 
Android Security & Penetration Testing
bySubho Halder
 
Owasp advanced mobile-application-code-review-techniques-v0.2
bydrewz lin
 
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
Stealing sensitive data from android phones the hacker way
byn|u - The Open Security Community
 
Webinar On Ethical Hacking & Cybersecurity - Day2
byMohammed Adam
 
Security Best Practices for Mobile Development
bySalesforce Developers
 
Ransomware - what is it, how to protect against it
byZoltan Balazs
 
Android Tamer (Anant Shrivastava)
byClubHack
 
Android Security Development
byhackstuff
 
Security Issues in Android Custom ROM
byAnant Shrivastava
 
Android App Hacking - Erez Metula, AppSec
byDroidConTLV
 
Hacking with Remote Admin Tools (RAT)
byZoltan Balazs
 
BYOM Build Your Own Methodology (in Mobile Forensics)
byReality Net System Solutions
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
Android Security - Common Security Pitfalls in Android Applications
byBlrDroid
 

Viewers also liked

PPT
Mobile phone Data Hacking
byMd Abu Syeem Dipu
 
PDF
Mobile Hacking
byNovizul Evendi
 
PDF
Android Security Basics
byAbhinav Mishra
 
PDF
Growth Hacking For Mobile - Hack 2 Validate & Hack 2 Grow
byandreehuk
 
PDF
Hacking Android OS
byJimmy Software
 
PPTX
Hacking Mobile Apps
bySophos Benelux
 
PPTX
Android Hacking + Pentesting
bySina Manavi
 
PDF
How not to make a hacker friendly application
byAbhinav Mishra
 
PDF
Discovering Google Secrets
bySteve Yuen
 
PPTX
password cracking and Key logger
byPatel Mit
 
PPTX
Password Cracking
bySina Manavi
 
PPTX
Password Attack
bySina Manavi
 
PDF
Grow Hack Athens Pt.1: Growth Hacking For Web Apps
byGrowthRocks
 
PPT
TYPES OF HACKING
bySHERALI445
 
PPTX
Hacking ppt
bygiridhar_sadasivuni
 
PPTX
Hacking & its types
bySai Sakoji
 
Mobile phone Data Hacking
byMd Abu Syeem Dipu
 
Mobile Hacking
byNovizul Evendi
 
Android Security Basics
byAbhinav Mishra
 
Growth Hacking For Mobile - Hack 2 Validate & Hack 2 Grow
byandreehuk
 
Hacking Android OS
byJimmy Software
 
Hacking Mobile Apps
bySophos Benelux
 
Android Hacking + Pentesting
bySina Manavi
 
How not to make a hacker friendly application
byAbhinav Mishra
 
Discovering Google Secrets
bySteve Yuen
 
password cracking and Key logger
byPatel Mit
 
Password Cracking
bySina Manavi
 
Password Attack
bySina Manavi
 
Grow Hack Athens Pt.1: Growth Hacking For Web Apps
byGrowthRocks
 
TYPES OF HACKING
bySHERALI445
 
Hacking ppt
bygiridhar_sadasivuni
 
Hacking & its types
bySai Sakoji
 

Similar to The art of android hacking

PDF
Getting started with Android pentesting
byMinali Arora
 
PPTX
Getting started with android
byVandana Verma
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
PDF
CNIT 128 6. Analyzing Android Applications (Part 1)
bySam Bowne
 
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
PPTX
Advanced Malware Analysis Training Session 8 - Introduction to Android
bysecurityxploded
 
PPTX
Rapid Android Application Security Testing
byNutan Kumar Panda
 
PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
bynullowaspmumbai
 
PPTX
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
byRomansh Yadav
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
PDF
Hacking your Droid (Aditya Gupta)
byClubHack
 
PDF
Reading Group Presentation: Why Eve and Mallory Love Android
byMichael Rushanan
 
PDF
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
byArea41
 
PPTX
Android village @nullcon 2012
byhakersinfo
 
PPTX
How to Test Security and Vulnerability of Your Android and iOS Apps
byBitbar
 
PDF
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
byStephan Chenette
 
PDF
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
PDF
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 
PPTX
Untitled 1
bySergey Kochergan
 
PPTX
Android Security
byArqum Ahmad
 
Getting started with Android pentesting
byMinali Arora
 
Getting started with android
byVandana Verma
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
CNIT 128 6. Analyzing Android Applications (Part 1)
bySam Bowne
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
bysecurityxploded
 
Rapid Android Application Security Testing
byNutan Kumar Panda
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
bynullowaspmumbai
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
byRomansh Yadav
 
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
Hacking your Droid (Aditya Gupta)
byClubHack
 
Reading Group Presentation: Why Eve and Mallory Love Android
byMichael Rushanan
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
byArea41
 
Android village @nullcon 2012
byhakersinfo
 
How to Test Security and Vulnerability of Your Android and iOS Apps
byBitbar
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
byStephan Chenette
 
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 
Untitled 1
bySergey Kochergan
 
Android Security
byArqum Ahmad
 

Recently uploaded

PPTX
GAS chromatography ppt (Presentation) by Jatin Chauhan
byjatinchauhan1618
 
PPTX
Welcome to our Open Evening 2025 Ballinrobe CS
byjacollins1515
 
PPTX
ILA 2025 Prague CLS Presentation of Leadership journal
byjohanalvehus
 
PPTX
Nerve lecture 2:strength-duration curve and an introduction to action potential
bydina merzeban
 
PPTX
🧪“Blood Chemistry Tests in Pharmacy Practice: Clinical Laboratory Guide for P...
byBanny S.V
 
PPTX
Capitol Webinar October 2025 Dr. Jha.pptx
byCapitolTechU
 
PDF
Nernst Distribution Law and factors affecting distribution constant
byMithil Fal Desai
 
PDF
Admin Slides for Oct'25 semester (Progression)
byGreat Files
 
PDF
1.1 Historical background & development of Profession of Pharmacy.pdf
byMr. SAKHARE R. S.
 
DOCX
PRESS STATEMENT - Response to Minority_ Press Ready.docx
bynservice241
 
PPTX
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
PPTX
PECTORAL REGION.pptx Human anatomy,Bmls,
byKISMAT ALI
 
PPTX
psychoanalytic Theory.pptx, MSc. Nursing
byKomalJaiswal46
 
PDF
Admin Slides for Oct'25 semester - PB1_MC5.pdf
byGreat Files
 
PDF
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
PPTX
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
PPTX
Single entry System Vs Double entry System.pptx
bylavanyafranklin0804
 
PPTX
DBP - BITA Introduction Slides Oct 202526
byGreat Files
 
PDF
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
PPTX
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 
GAS chromatography ppt (Presentation) by Jatin Chauhan
byjatinchauhan1618
 
Welcome to our Open Evening 2025 Ballinrobe CS
byjacollins1515
 
ILA 2025 Prague CLS Presentation of Leadership journal
byjohanalvehus
 
Nerve lecture 2:strength-duration curve and an introduction to action potential
bydina merzeban
 
🧪“Blood Chemistry Tests in Pharmacy Practice: Clinical Laboratory Guide for P...
byBanny S.V
 
Capitol Webinar October 2025 Dr. Jha.pptx
byCapitolTechU
 
Nernst Distribution Law and factors affecting distribution constant
byMithil Fal Desai
 
Admin Slides for Oct'25 semester (Progression)
byGreat Files
 
1.1 Historical background & development of Profession of Pharmacy.pdf
byMr. SAKHARE R. S.
 
PRESS STATEMENT - Response to Minority_ Press Ready.docx
bynservice241
 
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
PECTORAL REGION.pptx Human anatomy,Bmls,
byKISMAT ALI
 
psychoanalytic Theory.pptx, MSc. Nursing
byKomalJaiswal46
 
Admin Slides for Oct'25 semester - PB1_MC5.pdf
byGreat Files
 
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
Single entry System Vs Double entry System.pptx
bylavanyafranklin0804
 
DBP - BITA Introduction Slides Oct 202526
byGreat Files
 
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 

The art of android hacking

  • 1.
    The Art Of AndroidHacking by, Abhinav Mishra (0ctac0der)
  • 2.
    Who is thisweird tall guy?? Abhinav Mishra | @0ctac0der Senior Security Consultant @ TOTHENEW Digital Top 5 Mobile Security Researcher | Synack Red Team (@SynackRedTeam) Web and Mobile Application Security Researcher Bug Bounty Hunter, Speaker, Trainer, Traveler, Movie buff Have you seen “Mr. Robot” ? Any comments? Link
  • 3.
    What is hetalking about?? ● Android application security ○ Android architecture ○ Application structure ○ Cool tools and distributions ○ Emulators, Devices, Attacks, Vulnerabilities ….. ● What (& How) to look for in an android application ● Some interesting findings ● (Random talks) ● Cool demonstrations ● Next steps to learn android appsec
  • 4.
    Que le jeucommence….. Quick Questions ● What all you know about android… ● Application structure ● Vulnerability ? Okay, my turn now ● What you want to know/learn? ● What you want me to demo? ● Any tool you love? We can talk….
  • 5.
    Quick Android Walkthrough ●Linux Kernel ● Privilege separation Model (UID & GID) ● Android Permission model (android manifest) ● APK components: ○ AndroidManifest.xml ○ Classes.dex ○ META-INF ○ Resources.arsc ○ Assets ○ Res ○ Lib
  • 6.
    Reversing a cuteAPK Things I am going to do in next 10-15 minutes: ● Choose any apk ● Decompile with apktool | $apktool d package_name.apk ● Read and understand the AndroidManifest.xml ● Showing components in the code: ○ Activities, Broadcast receivers, Content providers …. ● Extract the apk with any extractor ● Change the classes.dex to jar | $dex2jar classes.dex ● Show multiple java classes ● Possible issues to be discovered ● SMALI files and converting to JAR
  • 7.
    Tools & Demos ●Emulators??? ○ Genymotion ○ Android Studio | AVD ● ADB (Android Debug Bridge) ○ $adb install ○ $ adb pull / push ● AppUse Virtual Machine ● Android Monitor / Logcat ● Application Local files
  • 8.
    Drozer Basics ● Drozerclient and server ● Setting up the console ● Basic commands: ○ $ run app.packer.list ○ $run app.package.info ○ $run app.package.attacksurface ○ $ run app.activity.start
  • 9.
    15 min checks 1.Debuggable | Backup : True ??? 2. AndroidManifest: Permissions 3. Hardcoded stuff 4. SSL Pinning ?? 5. Drozer: attack surface | exported components 6. Local storage encryption 7. Sdcard storage | public folder usage 8. TLS protection check
  • 10.
    Because Money matters Vulnerability1 Date: Mar-2014 Issue: Debuggable = True Bounty: $500 How to check: APK AndroidManifest.xml “debuggable=true”
  • 11.
    Because Money matters Vulnerability2 Date: May-2015 Issue: App fragment injection Bounty: $250 How to check: Anyone?
  • 12.
    Because Money matters Vulnerability3 Date: May-2015 Issue: Hardcoded Account Credentials Bounty: $200 How to check: Anyone?
  • 13.
    Because Money matters Vulnerability4 Date: June-2015 Issue: Exported component malicious usage Bounty: $1000 How to check: Anyone?
  • 14.
    Because Money matters Vulnerability5 Date: Oct-2015 Issue: Parameter manipulation Bounty: $1000 How to check: Let me explain this one to you.
  • 15.
    My virtual machine(Droider) Prerequisites ● 16 GB RAM ● Intel COREi7 processor ● 500 GB free hard disk space ● Minimum internet speed required 50 MBPS ● Google Nexus 7 device, rooted
  • 16.
    What Next …. ●Learn more ● Read online ● Use tools: Drozer, QARK etc. ● Start practising