AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This is a comprehensive two-day training workshop titled “Xtreme Android Exploitation Lab” delivered by Anant Shrivastava and Anto Joseph at Nullcon 2017. The training takes a hands-on, scenario-based approach to Android security — covering the full spectrum from APK reverse engineering, traffic interception, SSL pinning bypass, and root detection evasion on Day 1, through dynamic analysis, instrumentation frameworks (Xposed and Frida), and Android fuzzing on Day 2. The lab uses Android Tamer as the base environment with Genymotion emulator, and maps exercises against the OWASP Mobile Top 10 risks.
Workshop Setup and Philosophy: The training uses VirtualBox with two VMs: Android Tamer (Nullcon Edition) and a Genymotion Android emulator. The philosophy prioritizes hands-on exercises over theory, using real-world attack scenarios that security professionals encounter. Credentials: username android, password tamer.
Day 1: Static Analysis and Traffic Interception
Understanding Android Application Code: APK files are modified Java code packages that can be decompiled to human-readable Java (easier to read but may lose accuracy) or Smali (bytecode representation that preserves accuracy). An APK is structurally similar to a ZIP/JAR file containing classes.dex, resources, and binary-encoded XML files.
Decompilation Techniques: Using dex2jar or enjarify to convert DEX to JAR files, apktool to decode binary XML to human-readable format, and Android Tamer’s custom apk2java script that automates the full pipeline — decrypting XML files and producing Java code from two different decompilers (jad and jadx) simultaneously. APKs can be retrieved from devices using adb shell pm list packages -f and adb pull.
Handling Obfuscated Code: Common obfuscation techniques include control flow manipulation, string encryption, class and method renaming, and Java reflection to hide method calls. De-obfuscation tools covered include Simplify (generic de-obfuscation) and JEB with custom modules. The training emphasizes that obfuscation defers analysis but should never replace secure coding practices.
Dalvik and ART VM Internals: The Android runtime uses register-based bytecode. DEX files are device-independent code while ODEX/OAT files are device-optimized. Dalvik uses dexopt for optimization and stores files in dalvik-cache, while ART eliminates JIT compilation. Oat2dex converter is used for decrypting Lollipop-era apps and JARs. System apps typically ship as ODEX/OAT files.
Traffic Interception: Configuring proxy tools (Burp Suite, Charles, OWASP ZAP) by setting up the proxy in Android Tamer, configuring proxy settings in the device’s WiFi settings, and verifying interception for HTTP traffic.
HTTPS Traffic Interception and PKI Weaknesses: The PKI system has inherent weaknesses — the system trusts all CAs in the trust store, any CA can issue certificates for any website (citing Diginotar, Trustwave, NIC incidents), and stolen certificates create “revocation hell.” Breaking HTTPS interception involves extracting the proxy’s root CA and importing it into the Android device via adb push or browser import.
Certificate Pinning and Bypass: Certificate pinning validates certificates against hardcoded pins rather than the OS trust store. Implementation approaches include default platform code, frameworks, or custom code. Bypass methods: decompile the APK and modify the pinning code, or use the Xposed framework with the JustTrustMe module (root device, install Xposed, install and enable JustTrustMe, reboot).
Root Detection and Bypass: Applications detect root to protect data integrity and prevent tampering. Detection techniques are mainly blacklist-based: checking for binary presence (/usr/bin/su), command availability (which), and superuser controller apps (superuser.apk). Bypass approaches: hide root binaries or overload system calls that check for them.
HTML5 Hybrid Application Analysis: Cross-platform apps built with HTML/CSS/JS (using frameworks like PhoneGap, Titanium). Common issues include source code disclosure in assets/www, DOM-based XSS, SSL misconfigurations, local storage data leakage, framework-specific vulnerabilities, and easy repackaging.
Static Analysis Tools: Using Android Tamer’s built-in tools including Mobilizer and droidscan.sh for identifying flaws without running the application.
Decompile-Modify-Recompile Workflow: Using apktool d to decompile, modifying Smali code, recompiling with apktool b, then signing with keytool (generate keystore) and jarsigner (sign the APK).
Day 2: Dynamic Analysis, Instrumentation, and Fuzzing
Manual Dynamic Analysis: Runtime analysis using adb, ddms/Android Monitor, and pidcat for log monitoring. Key locations to inspect: /data/data/<app>/, /sdcard/, and /sdcard1/ for data leakage.
Automated Analysis Frameworks: MobSF (by Ajin), Marvin, Cuckoo-Droid, drozer, and Qark — tools for automated static and dynamic analysis of Android applications.
Xposed Framework — Hooking and Dynamic Instrumentation: Runtime behavior modification without recompilation. The training includes writing custom Xposed modules to hook into application methods at runtime.
Frida — Dynamic Code Instrumentation: A cross-platform instrumentation toolkit that injects JavaScript snippets into native apps on Windows, Mac, Linux, iOS, and Android, with Python and Node.js API bindings. Hands-on exercises using frida-android-hooks (by Anto Joseph) covering: root detection bypass, debugger check bypass, WebView logging, device ID spoofing, certificate pinning bypass, and login screen brute-force.
Fuzzing Android: Introduction to fuzzing concepts and their application to Android security — including intent fuzzing, C binary fuzzing, and finding vulnerabilities in Android’s core (referencing how to find the “next Stagefright”). The lab covers setting up a fuzzing environment, generating datasets, running datasets against targets, writing glue scripts, and writing log collection scripts using DroidFuzzer.
OWASP Mobile Top 10 Coverage: The training maps its exercises against the OWASP Mobile Top 10 (2014 edition), covering M2 (Insecure Data Storage), M3 (Insufficient Transport Layer Protection), M4 (Unintended Data Leakage), M5 (Poor Authorization and Authentication), M6 (Broken Cryptography), M7 (Client Side Injection), M8 (Security Decisions Via Untrusted Inputs), M9 (Improper Session Handling), and M10 (Lack of Binary Protections). M1 (Weak Server Side Controls) is noted as covered in a separate Xtreme Web Hacking course.
apk2java for rapid decompilation and always cross-reference output from multiple decompilers (jad and jadx) for accuracy./data/data/<app>/, /sdcard/, and /sdcard1/ during dynamic analysis for insecure data storage — many applications leak sensitive data to these locations.apktool d → edit Smali → apktool b → keytool → jarsigner) as it is essential for bypassing client-side controls and modifying application behavior during assessments.