Learning Pentesting for Android Devices


Aditya Gupta

Language: English

Pages: 154

ISBN: 1783288981

Format: PDF / Kindle (mobi) / ePub

Android is the most popular smartphone operating system at present, with over a million applications. Every day hundreds of applications are published to the Play Store, which users from all over the world download and use. Often, these applications have serious security weaknesses, which an attacker could exploit to get access to sensitive information. This is where penetration testing comes into play to check for various vulnerabilities.

Learning Pentesting for Android is a practical and hands-on guide to take you from the very basic level of Android Security gradually to pentesting and auditing Android. It is a step-by-step guide, covering a variety of techniques and methodologies that you can learn and use in order to perform real life penetration testing on Android devices and applications. The book starts with the basics of Android Security and the permission model, which we will bypass using a custom application, written by us. Thereafter we will move to the internals of Android applications from a security point of view, and will reverse and audit them to find the security weaknesses using manual analysis as well as using automated tools. 
We will then move to a dynamic analysis of Android applications, where we will learn how to capture and analyze network traffic on Android devices and extract sensitive information and files from a packet capture from an Android device. We will look into SQLite databases, and learn to find and exploit the injection vulnerabilities. Also, we will look into root exploits, and how to exploit devices to get full access along with a reverse connect shell. Finally, we will learn how to write a penetration testing report for an Android application auditing project.

How to Count (Programming for Mere Mortals, Volume 1)

TCP/IP Sockets in C#: Practical Guide for Programmers (The Practical Guides)

Harley Hahn's Guide to Unix and Linux

Penetration Testing with Raspberry Pi

Sed & awk (2nd Edition)

Java: A Beginner's Guide (6th Edition)

















it is easier to acquire logical information in most cases than physical acquisition. However, one limitation of this method is that, in some cases, the evidence (the smartphone and its data) has a high risk of being tampered with.

Physical acquisition: This means a bit-by-bit copy of the entire physical storage medium. We could also target different individual partitions while performing physical acquisition. In comparison to logical acquisition, this method is much slower, but more

only help us extract the information from the applications that use databases in order to store applications and other related information. In some of the applications, we might also notice that the application is storing data in an XML file or using shared preferences, which we need to manually review. Android uses the SQLite database (which we'll be covering in depth in the next chapter), with database files stored in the .db format. Here is how we could go ahead and extract all the databases

https://code.google.com/p/getlogs/.

Using backup to extract an application's data

Starting with version 4.0, Android introduced a backup feature that uses adb. This functionality can be used to create a backup of an application along with its entire data. This can be highly useful in forensics, as the examiner will be capturing the application along with its entire data. Refer to the following steps: This could be done by issuing the adb backup command to the terminal followed by the application's

then the address of ShouldNotBeCalled, as shown in the following command:

r `printf "AAAABBBBCCCCDDDD\x38\x84"`

As we can see in the following screenshot, we have added the starting address of IShouldNeverBeCalled to the argument: Notice that the bytes are written in reverse order because of the little-endian architecture here. Once we have run this, we can see the program calling the ShouldNotBeCalled function, as shown in the following screenshot:

Return-oriented programming

root exploits
RageAgainstTheCage / Android root exploits
Zimperlich / Android root exploits
KillingInTheNameOf / Android root exploits

Android filesystem partitions
about / Android filesystem partitions

AndroidManifest.xml
about / Sandboxing and the permission model

Android Package (APK)
about / Digging deeper into Android

Android Pentest
development environment, setting up / Setting up the development environment
useful utilities / Useful utilities for Android Pentest
ADB /
