Android Applications Reverse Engineering

This 2-day workshop provides the knowledge for conducting a security assessment of Android mobile apps leveraging a pure “black box” approach, thus simulating activities performed by real-world adversaries against such software components.

$1,399.00

Duration

2 days

Delivery Method

in-person

Level

beginner

Seats Available

20

Duration

2 days

Delivery Method

in-person

Level

beginner

ATTEND IN-PERSON: Onsite in Bangkok, Thailand

DATE: 27-28 August 2024

TIME: 09:00 to 17:00 ICT/GMT+7

Date Day Time Duration
27 Aug Tuesday 0900-17:00 ICT/GMT+7 8 Hours
28 Aug Wednesday 0900-17:00 ICT/GMT+7 8 Hours

This workshop offers an introductive analysis of the essential principles and practices crucial for testing and assessing Android mobile applications in today’s landscape. This course equips participants with the fundamental knowledge needed to understand and address security vulnerabilities prevalent in mobile applications. Through a tested curriculum, students will start with foundational concepts and methodologies used in application testing, then they will learn to employ a diverse array of tools and resources essential for identifying and mitigating security risks effectively.

Participants also gain hands-on experience in assessing device security, including techniques for bypassing security mechanisms, and key concepts and tricks in conducting efficiently and effectively Static Code Analysis (SCA) of Android apps and reverse engineered code. Moreover, the course provides insights into testing local authentication mechanisms, input validation, and the security implications of interacting with third-party applications. Finally, students are introduced to backend security considerations, focusing on securing APIs and web services.

By the end of the workshop, participants will have a good understanding of mobile application security principles and practical skills to identify, assess, and validate mobile app vulnerabilities effectively.

 

What will the students get
  • Practical knowledge on the latest techniques and methodology for testing the security of Android apps without any prior knowledge on the app’s innerworkings.
  • An arsenal of tools to be leveraged for the reverse engineering and analysis of modern Android apps.

 

 Agenda /Topics Covered

Introduction to Mobile App Security

  • Fundamental concepts in mobile app security.
  • Overview of mobile app testing methodology.
  • Tools and resources for the reverse engineering and analysis of Android apps.

 

Android App Reverse Engineering and Static Analysis

  • Android apps package’s structure and key components.
  • Device rooting techniques for bypassing device security mechanisms.
  • Decompiling Android apps and execute static code analysis.
  • Overview on code obfuscation & binary protection mechanisms.
  • Intercepting network traffic and testing communication security.
  • Analyzing data stored by the app on the device.

 

Android App Dynamic Analysis

  • Assessing local authentication mechanisms.
  • Testing local and remote input validation mechanism.
  • Security of interaction with third-party applications.
  • Introduction to (ab)use of platform features and their mitigations.
  • Introduction to backend security (APIs and web services)

Why You Should Take This Course

This 2-day workshop provides the knowledge for conducting a security assessment of Android mobile apps leveraging a pure “black box” approach, thus simulating activities performed by real-world adversaries against such software components.

Who Should Attend

This workshop is designed for anyone interested in learning the foundation for performing static and dynamic security testing activities against Android apps, including:
  • Security professionals new to mobile application security.
  • Application security experts willing to extend their knowledge to mobile app security, with a focus on Android platforms.
  • Developers and aspiring security engineers willing to learn a practical methodology to effectively validate the security mechanisms of mobile apps.

Key Learning Objectives

  • Understanding fundamental concepts in mobile application security, including testing methodologies, and tools used in the reverse engineering ad analysis process.

  • Gaining proficiency in assessing and bypassing device security mechanisms, such as rooting devices and conducting static code analysis.

  • Developing skills in testing various aspects of mobile applications, including authentication mechanisms, input validation, interaction with third-party applications, and backend security.
  • Prerequisite Knowledge

    • Basic knowledge about Android Application architecture.
    • Android application development basics are preferred, thu not required.

    Hardware / Software Requirements

    • Laptop running a Microsoft Windows 10+ or Apple macOS platform
    • CPU: 64-bit Intel i5/i7 with 4th generation + (2.0 GHz)
    • 8 GB of RAM or higher
    • 100 GB free space
    • Wi-Fi 802.11 capability (no wired connection available in the classroom)
    • Installed VMware Workstation / Player for Windows or VMWare Fusion for macOS
    • Local administrative access to the host OS is required

    Your Instructor

    Cezar Lungu is a cybersecurity professional specialized in Android application security and web application security assessment.

    During his career, he has been delivering advanced penetration testing, secure code review, and reverse engineering services to government and private clients including Fortune Global 500 companies.

    He has an in-depth knowledge of the security landscape of the Android platform and its application model; his expertise includes the security of Android developers’ toolchain, analysis and bypass of mechanisms implemented by armored / self-defending apps, and development of proprietary tools to increase testing coverage and support automated exploitation of vulnerabilities.

    Cezar is a strong advocate of Open-Source, and he is a regular contributor to multiple projects.

    Adverse Theory is a disruptive startup focused on delivering “unconventional” cybersecurity advisory services to support organizations in establishing security teams, managing large-scare security programs, and developing innovative security technologies.