Frequently asked questions
How to practice Android security testing?
Helpful resources
Android security testing, also called Android VAPT (vulnerability assessment and penetration testing), finds security loopholes and vulnerabilities in Android (mobile) applications. Companies keep shipping new applications for more and more operations, so those applications should be security tested to protect them, and the data they handle, from threat actors.
The testing involves decompiling the application, static analysis of its code and resources, and dynamic analysis at runtime, all from an attacker's perspective, to find vulnerabilities such as insecure data storage, client-side injection, hardcoded secrets, and authentication and access-control flaws. This is done with Android VAPT tools such as: Burp Suite, drozer, adb, apktool, logcat, MobSF, dex2jar, Android Studio or Genymotion (for an emulator), Frida, the Android SDK platform tools, etc.
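As an added example (not code from the original page), the script below runs the kind of static checks described above over a decoded AndroidManifest.xml (as produced by `apktool d app.apk`) and over an excerpt of decompiled source. Both inputs are constructed here for illustration; the `com.example.vulnapp` package, its component names, and the secret-pattern set are assumptions, not a real application.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"


def attr(name):
    """Clark-notation key for an android:<name> attribute in ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (not a real app) with deliberate weaknesses.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <application android:debuggable="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.vulnapp.notes"
              android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:exported="true"
              android:permission="android.permission.BROADCAST_SMS"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

# Constructed excerpt of decompiled source (what dex2jar/jadx would show); not real code.
SAMPLE_SOURCE = '''
public class Config {
    static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String DB_PASSWORD = "s3cr3t-dev-password";
    static final String BASE_URL = "http://api.example.com/v1/";
}
'''


def check_manifest(xml_text):
    """Return (severity, message) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return [("error", "manifest has no <application> element")]
    findings = []
    if app.get(attr("debuggable")) == "true":
        findings.append(("high", "android:debuggable=true: a debugger can be attached over adb (M9/M10)"))
    # allowBackup defaults to true when absent, so 'adb backup' can pull private app data.
    if app.get(attr("allowBackup"), "true") == "true":
        findings.append(("medium", "android:allowBackup not set to false: app data extractable via adb backup (M2)"))
    if app.get(attr("usesCleartextTraffic")) == "true":
        findings.append(("high", "android:usesCleartextTraffic=true: plain HTTP allowed (M3)"))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = comp.get(attr("name"))
            exported = comp.get(attr("exported"))
            has_filter = comp.find("intent-filter") is not None
            # Implicit export: with targetSdk < 31 a component that declares an
            # intent-filter is exported unless android:exported="false".
            if exported == "true" or (exported is None and has_filter):
                categories = {c.get(attr("name")) for c in comp.iter("category")}
                if LAUNCHER in categories:
                    continue  # the launcher activity is legitimately exported
                if comp.get(attr("permission")) is None:
                    findings.append(("high", "%s %s is exported without a permission: reachable "
                                     "from any app via drozer or 'am start' (M1/M6)" % (tag, name)))
    return findings


# Rough patterns for the hardcoding issues mentioned above; tune for the target app.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded password literal": re.compile(r'(?i)\b\w*pass(word|wd)?\w*\s*=\s*"[^"]+"'),
    "cleartext http URL": re.compile(r'"http://[^"\s]+"'),
}


def scan_source(text):
    """Return (label, matched text) pairs for likely hardcoded secrets in decompiled code."""
    hits = []
    for label, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((label, m.group(0)))
    return hits


if __name__ == "__main__":
    for sev, msg in check_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (sev.upper(), msg))
    for label, match in scan_source(SAMPLE_SOURCE):
        print("[SECRET] %s: %s" % (label, match))
```

Point `check_manifest` at the `AndroidManifest.xml` inside an apktool output directory and `scan_source` at the `.java` files from dex2jar/jadx; every exported component it reports is a candidate for dynamic follow-up with drozer or `adb shell am start`, and every pattern hit is a candidate for confirming at runtime with Frida or logcat rather than a confirmed vulnerability on its own.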
OWASP Top 10 Mobile Risks (2016 edition; the OWASP project page linked below carries the current list):
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
To learn and practice Android penetration testing (VAPT) you first need some basics:
Android basics and its architecture
Components of an Android application (activities, services, broadcast receivers, content providers)
Lab setup for Android penetration testing (rooted device or emulator, adb, proxy)
OWASP Top 10 Mobile Risks
Android VAPT tools such as adb, drozer, apktool, dex2jar, etc.
Setting up deliberately vulnerable Android applications such as DIVA, InjuredAndroid, InsecureShop, InsecureBankv2, Damn Vulnerable Bank, etc.
Links
Android basics :
https://www.javatpoint.com/android-tutorial
https://www.tutorialspoint.com/android/android_application_components.htm
Lab setup for Android VAPT :
https://payatu.com/blog/amit/android_pentesting_lab
https://www.hackingarticles.in/android-pentest-lab-setup-adb-command-cheatsheet/
https://medium.com/@meghana_/lab-setup-for-android-penetration-testing-8bf668d99c86
https://medium.com/mobis3c/setting-up-an-android-pentesting-environment-29991aa0c3f1
Android Studio installation guide :
https://developer.android.com/studio/install
OWASP Mobile Top 10 :
https://owasp.org/www-project-mobile-top-10/
Vulnerable android applications :
InjuredAndroid : https://github.com/B3nac/InjuredAndroid
Damn Vulnerable Bank : https://github.com/rewanthtammana/Damn-Vulnerable-Bank
InsecureShop : https://github.com/optiv/InsecureShop
AndroGoat : https://github.com/satishpatnayak/AndroGoat
DIVA : https://github.com/payatu/diva-android
DIVA walkthrough : https://danishzia.medium.com/diva-android-app-walkthrough-bce72b7f273a
YouTube :
Android Pen-testing : https://youtube.com/playlist?list=PLgnrksnL_Rn09gGTTLgi-FL7HxPOoDk3R
DIVA : https://youtube.com/playlist?list=PLOlyU7jql72BBJv7rXmv_ef__qE4Xyu0b
Android Studio Installation : https://youtu.be/0zx_eFyHRU0
Genymotion Installation : https://youtu.be/SL-QvKz20I4
GitHub :
Android Penetration Testing: https://github.com/Ignitetechnologies/Android-Penetration-Testing
Mobile-App-Pentest : https://github.com/kyawthiha7/Mobile-App-Pentest