Attack and Defend Android Applications - Black Hat USA 2023
Overview
This course takes a focused approach to Android application security. We start by identifying the various ways in which an Android application can be attacked, and then cover the scenarios in which Android application pen testers typically struggle:
- How to intercept the traffic (http/https/WebSocket/non-http)
- How to bypass root detection
- How to perform static and dynamic analysis of the application
- Exploiting deep link flaws
- How to perform dynamic instrumentation (Frida / Xposed / Magisk)
- How to analyze HTML5 and non-Java/Kotlin applications
Throughout the day students will be exposed to multiple applications with deliberate weaknesses that they will exploit using the techniques covered in the class. We will also have additional applications that students can play with after the class.
Then we shift gears and focus on defending the applications; the major areas covered are:
- Application Threat Modeling
- Application Source code Review
- Identifying weaknesses
- Adding Security into CI / CD Pipeline for the application
- Result analysis and further actions
This section is covered in a hand-holding fashion, with the focus on ensuring everyone is able to set up a pipeline for a deliberately insecure application, discover its flaws and subsequently fix them.
We then cap the course off by covering secure coding strategies and defense-in-depth implementation logic:
- Anti-tampering
- Code obfuscation
- SSL Pinning / Root Detection strategies
The aim is not to take students from zero to hero, but to provide a methodical approach with which participants can perform any Android application assessment. Students are provided with access to a learning portal, a soft copy of the slides, detailed answer sheets and AMIs for the environment.
Course Outline
Android Basics
- OS Architecture
- Android permission model and recent advancements in Android 10-13
- Inter process communication (Intents / Binders, Deep linking)
- Application Structure
- Exercise: Setup build environment and build a basic application with a deep link registered (base code provided)
Attacking Android Application
- Attack surface mapping for the application
- Introduction to common references: MITRE ATT&CK and OWASP MSTG
- Overview of OWASP MSTG and different attacks
- Attacks on Data at rest
- Attacking the network traffic
- Authentication attacks
- Application logic attacks
- Exploiting Cryptographic flaws in applications
Answers to Tricky Questions
- Intercepting the traffic (http/https / WebSocket/ non-http)
- Bypassing root detection (simple to complex)
- Deobfuscating application code and where it might fail
- Dynamic instrumentation via Frida / Xposed + Magisk
- Static or dynamic analysis of applications (manual and automated approach)
- Testing non-Kotlin/Java applications (HTML5/Flutter/React Native/PWA/.NET)
Exercise: Each question is accompanied by at least one challenge. There are more where the scenarios are tricky, such as interception and rooting.
Defending Android Application
- Android ecosystem threat modeling from a defense perspective (a slightly deeper version of attack surface mapping, covering the NIST Mobile Threat Catalogue)
- Introduction to OWASP MASVS and its usage along with additional observations
- Establish defense methodology and strategy
- Enforcing basic security hygiene in applications
- Identify various issues in code via static code analysis (Semgrep and CodeQL)
- Introduction to CI / CD pipelines for Android applications (GitHub Actions)
- Identifying various tools to be placed in the CI / CD pipeline (SAST/ DAST/ Third party library tracking)
- Consolidate results from various tools at one place and identify action points
Exercise: Each tool discussed comes with an exercise to identify various flaws in applications.
Defense Strategies for app developers
- Defense in-depth strategies
- Ideal SSL pinning strategies
- Anti tampering methodologies
- Exploratory overview of App Sealing solutions
- Code obfuscation and protection
- API security techniques
Sample techniques and strategies on these topics will be shared for attendees to get a better understanding of development pitfalls.
Key Takeaways
- How to attack real-world Android applications.
- How to integrate security into CI / CD Pipeline for Android Applications
- How to establish defenses for Android applications.
Who Should Take this Course
- Resident Android security engineers
- Android DevOps engineers
- Mobile application developers
- Pentesters or anyone interested in Android security
Audience Skill Level
Beginner
Student Requirements
The course assumes basic familiarity with the command line and Linux. A user-level understanding of Android phones is good to have.
What Students Should Bring
Our labs are cloud-based, and a browser should be sufficient. However, we still suggest the following hardware specs:
- Laptop with a working browser and unrestricted internet access (at least ports 80 and 443; some WebSocket connections might also be required).
- We would still recommend bringing a laptop with full administrative access in case any troubleshooting is required.
If any HIDS or firewall is installed, please ensure that admin access is available to disable it in case it interferes with the lab setup.
What Students Will Be Provided With
- Lifetime access to course content via online portal.
- A very detailed step-by-step instruction manual for all challenges covered during the class.
- A slide deck containing the slides covered during the class.
- A knowledge vault compatible with Obsidian / Logseq for continuous learning and note-taking.
Trainers
Anant Shrivastava is the founder of Cyfinoid Research which specializes in cybersecurity research. Previously he was a Technical Director at NotSoSecure Global Services, a boutique cybersecurity consultancy firm. He has been a trainer & a speaker at various international conferences (BlackHat-USA/ASIA/EU, Nullcon, c0c0n & many more). Anant also leads Open-Source projects, Tamer Platform & CodeVigilant. He also maintains the archive portal named Hacking Archives of India. In his free time, he likes to take part in open communities targeted towards spreading information security knowledge such as the null community, Garage4Hackers, hasgeek & OWASP.
Ankur Bhargava leads the Product Security team at PhonePe. With many years of experience in this field, Mobile and REST API Security have become his forte. He is also well-versed in different flavors of security such as application, network, and API testing. He has spoken at many conferences in India, viz. Cocon, Ground Zero, and Nullcon, on topics like ‘PDF Exploitation’, ‘Mobile Automation Framework’, and ‘Android Security’. He also provided training on Android Security at Nullcon and c0c0n in 2012, 2013, 2020 and 2021. He presented an Android security automation tool called ‘Mafia’ at Black Hat EU 2017; the tool was also presented at Black Hat USA 2018.