Back to Pre-Conference Training Page

Back to Conference Home Page

Introduction to Android Application Penetration Testing

Two-Day Interactive (Classroom) Training - OWASP New Zealand Day 2024

Abstract

Mobile app testing is one of the most common types of testing performed by cyber security companies. This training provides practical experience and foundational knowledge for performing security reviews on and discovering and exploiting vulnerabilities in Android applications.

Course Details

Dates: Tuesday and Wednesday, 3-4 September 2024

Time: 8:45 a.m. to 5:30 p.m. (NZST)

Instructors: Gavin Neale and Shofe Miraz (Cyber CX)

Course Fee: NZ $1,000.00 (plus GST and ticketing fees)

Registration Site: https://events.humanitix.com/owaspnz2024-training

Maximum Enrolment: 36 attendees

Prerequisites - What Students Should Bring

• A laptop with Internet access, a SSH client, and a Remote Desktop Protocol (RDP) client

Course Description

Mobile application testing is one of the most common types of testing performed by cyber security companies. However, the vulnerability classes and testing methodologies are often less well-known than for other types of testing. This training will provide attendees the skills to analyze Android applications for security issues.

During the course of the training attendees will cover vulnerabilities and configuration issues that are commonly found in mobile applications during penetration tests and will make use of tools and methodologies for identifying these. The following are some of the areas of mobile application testing that will be covered:

• Static analysis and reverse engineering of Android application files to understand the internal functionality and configuration, discover attack surface and bypass protections
• Configure an android device for network traffic interception and identify vulnerabilities in TLS and certificate pinning implementations
• Reviewing data storage risks and handling of sensitive data
• Dynamic analysis and instrumentation of applications to bypass local protections and assist in other areas of vulnerability discovery
• Understand local authentication, biometrics and common implementation flaws
• Discover and exploit vulnerabilities in inter-process communication mechanisms and deep links

Each of these areas will involve multiple practical exercises in our virtual Android lab on each of the topics discussed, as well as discussions around mobile application threat models to provide a foundation for evaluating the risk posed by various vulnerability types. The training will focus on Android applications however many of the techniques will apply to iOS applications as well.

This training would suit anyone interested in becoming a penetration tester/security consultant, or developers who wish to understand the threats and attack surface facing mobile applications.

Your Instructors

Gavin Neale and Shofe Miraz are security consultants at CyberCX NZ and have over 20 years’ combined experience performing security consulting and penetration testing, and both have presented internal training on Android app testing. Together they have performed hundreds of mobile application penetration tests. Gavin is the Service Lead for mobile application testing for a practice of over 150 security consultants across New Zealand and Australia.

Shofe is an organizer of Hack And Learn, an InfoSec Meetup group with an emphasis on practical learning for IT security professionals and enthusiasts. Our training makes use of a virtual lab to run Android OS, removing the need for physical devices, maintaining the same configuration across attendees, and allowing scalability. The content of our training will incorporate interesting vulnerability classes which we have seen during penetration tests as well as cover the baseline threats that mobile applications face.