Learning Pentesting for Android Devices
eBook - ePub

Learning Pentesting for Android Devices

  1. 154 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Learning Pentesting for Android Devices

Book details
Book preview
Table of contents
Citations

About This Book

In Detail

Android is the most popular mobile smartphone operating system at present, with over a million applications. Every day hundreds of applications are published to the PlayStore, which users from all over the world download and use. Often, these applications have serious security weaknesses in them, which could lead an attacker to exploit the application and get access to sensitive information. This is where penetration testing comes into play to check for various vulnerabilities.

Learning Pentesting for Android is a practical and hands-on guide to take you from the very basic level of Android Security gradually to pentesting and auditing Android. It is a step-by-step guide, covering a variety of techniques and methodologies that you can learn and use in order to perform real life penetration testing on Android devices and applications.

The book starts with the basics of Android Security and the permission model, which we will bypass using a custom application, written by us. Thereafter we will move to the internals of Android applications from a security point of view, and will reverse and audit them to find the security weaknesses using manual analysis as well as using automated tools.

We will then move to a dynamic analysis of Android applications, where we will learn how to capture and analyze network traffic on Android devices and extract sensitive information and files from a packet capture from an Android device. We will then learn some different ways of doing Android forensics and use tools such as Lime and Volatility. After that, we will look into SQLite databases, and learn to find and exploit the injection vulnerabilities. Also, we will look into webkit-based vulnerabilities; root exploits, and how to exploit devices to get full access along with a reverse connect shell. Finally, we will learn how to write a penetration testing report for an Android application auditing project.

Approach

This is an easy-to-follow guide, full of hands-on and real-world examples of applications. Each of the vulnerabilities discussed in the book is accompanied with the practical approach to the vulnerability, and the underlying security issue.

Who this book is for

This book is intended for all those who are looking to get started in Android security or Android application penetration testing. You dont need to be an Android developer to learn from this book, but it is highly recommended that developers have some experience in order to learn how to create secure applications for Android.

Frequently asked questions

Simply head over to the account section in settings and click on “Cancel Subscription” - it’s as simple as that. After you cancel, your membership will stay active for the remainder of the time you’ve paid for. Learn more here.
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes, you can access Learning Pentesting for Android Devices by Aditya Gupta in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Packt Publishing
Year
2014
ISBN
9781783288984
Edition
1
Topic
Computer Science
Subtopic
Cyber Security
Index
Computer Science

Learning Pentesting for Android Devices

Table of Contents

Learning Pentesting for Android Devices
Credits
Foreword
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of the book
Errata
Piracy
Questions
1. Getting Started with Android Security
Introduction to Android
Digging deeper into Android
Sandboxing and the permission model
Application signing
Android startup process
Summary
2. Preparing the Battlefield
Setting up the development environment
Creating an Android virtual device
Useful utilities for Android Pentest
Android Debug Bridge
Burp Suite
APKTool
Summary
3. Reversing and Auditing Android Apps
Android application teardown
Reversing an Android application
Using Apktool to reverse an Android application
Auditing Android applications
Content provider leakage
Insecure file storage
Path traversal vulnerability or local file inclusion
Client-side injection attacks
OWASP top 10 vulnerabilities for mobiles
Summary
4. Traffic Analysis for Android Devices
Android traffic interception
Ways to analyze Android traffic
Passive analysis
Active analysis
HTTPS Proxy interception
Other ways to intercept SSL traffic
Extracting sensitive files with packet capture
Summary
5. Android Forensics
Types of forensics
Filesystems
Android filesystem partitions
Using dd to extract data
Using a custom recovery image
Using Andriller to extract an application's data
Using AFLogical to extract contacts, calls, and text messages
Dumping application databases manually
Logging the logcat
Using backup to extract an application's data
Summary
6. Playing with SQLite
Understanding SQLite in depth
Analyzing a simple application using SQLite
Security vulnerability
Summary
7. Lesser-known Android Attacks
Android WebView vulnerability
Using WebView in the application
Identifying the vulnerability
Infecting legitimate APKs
Vulnerabilities in ad libraries
Cross-Application Scripting in Android
Summary
8. ARM Exploitation
Introduction to ARM architecture
Execution modes
Setting up the environment
Simple stack-based buffer overflow
Return-oriented programming
Android root exploits
Summary
9. Writing the Pentest Report
Basics of a penetration testing report
Writing the pentest report
Executive summary
Vulnerabilities
Scope of the work
Tools used
Testing methodologies followed
Recommendations
Conclusion
Appendix
Summary
Security Audit of
Attify's Vulnerable App
Table of Contents
1. Introduction
1.1 Executive Summary
1.2 Scope of the Work
1.3 Summary of Vulnerabilities
2. Auditing and Methodology
2.1 Tools Used
2.2 Vulnerabilities
Issue #1: Injection vulnerabilities in the Android application
Issue #2: Vulnerability in the WebView component
Issue #3: No/Weak encryption
Issue #4: Vulnerable content providers
3. Conclusions
3.1 Conclusions
3.2 Recommendations
Index

Learning Pentesting for Android Devices

Copyright © 2014 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: March 2014
Production Reference: 1190314
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78328-898-4
www.packtpub.com
Cover Image by Michal Jasej ()

Credits

Author
Aditya Gupta
Reviewers
Seyton Bradford
Rui Gonçalo
Glauco MĂĄrdano
Elad Shapira
Acquisition Editors
Nikhil Chinnari
Kartikey Pandey
Content Development Editor
Priya Singh
Technical Editors
Manan Badani
Shashank Desai
Akashdeep Kundu
Copy Editors
Sayanee Mukherjee
Karuna Narayanan
Alfida Paiva
Laxmi Subramanian
Project Coordinator
Jomin Varghese
Proofreaders
Maria Gould
Ameesha Green
Paul Hindle
Indexer
Hemangini Bari
Graphics
Sheetal Aute
Yuvraj Mannari
Production Coordinator
Kyle Albuquerque
Cover Work
Kyle Albuquerque

Foreword

Mobile phones are a necessity in our lives and the majority of us have become completely dependent on them in our daily lives.
The majority of mobile phones today are running on the Android OS. The main reason for this is the ever growing community of developers and massive number of applications released for the Android OS.
However, one mustn't make the mistake of thinking that Android is only used in mobile devices. The Android operating system is commonly used in cars, cameras, refrigerators, televisions, game consoles, smart watches, smart glass, and many other gadgets too.
This massive usage is not risk free and the main concern is security. One cannot tell whether the applications that are based on the Android operating system are secure. How can a common user tell if the application they are using is not malicious? Are those...

Table of contents

  1. Learning Pentesting for Android Devices