
How to practice Android security testing?

Android security testing, also called Android VAPT (vulnerability assessment and penetration testing), helps you find security loopholes and vulnerabilities in Android (mobile) applications. Companies keep releasing different applications for different operations, so security testing or VAPT should be done on them to protect those applications from hackers and threat actors.


The testing involves decompiling the application and then analysing it statically and dynamically from a security perspective to find the vulnerabilities inside it. Typical findings include insecure data storage, client-side injection, hardcoded secrets, and authentication and access control issues. This can be done with the help of Android VAPT tools such as Burp Suite, drozer, adb, apktool, logcat, MobSF, dex2jar, Android Studio or Genymotion, Frida, the Android SDK platform tools, etc.
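As an added example (not code from the original post), the script below shows the static-analysis part of that workflow: after `apktool d app.apk` (and `dex2jar` or jadx for the Java source), a tester reads the decoded AndroidManifest.xml for dangerous application attributes and exported components, and greps the source for hardcoded secrets, cleartext URLs and world-readable storage. The manifest and source snippet are constructed here to make it runnable offline; the package `com.example.vulnapp`, the component names and the credential values are all made up.

```python
"""Static checks run over apktool/jadx output during Android VAPT.

Constructed sample inputs (not from any real app) are embedded so the
script runs stand-alone; point the functions at real decoded files instead.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest in the shape apktool decodes it to (hypothetical app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="true" android:debuggable="true"
      android:usesCleartextTraffic="true" android:label="Vuln">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".HiddenActivity"/>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.vulnapp.notes" android:exported="true"/>
    <receiver android:name=".RebootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed decompiled Java (hypothetical app); values are dummies.
SAMPLE_SOURCE = """package com.example.vulnapp;
public class Config {
    static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String DB_PASSWORD = "s3cr3t-pass";
    static final String BASE_URL = "http://api.example.com/v1";
    static final String USER_AGENT = "vulnapp/1.0";
    SharedPreferences prefs = ctx.getSharedPreferences("creds", Context.MODE_WORLD_READABLE);
}
"""


def _a(attr):
    """Fully qualified name of an android: attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, attr)


def check_manifest(xml_text):
    """Return (rule, subject) findings from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    # Application-wide flags that weaken the app regardless of its code.
    for attr in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if app.get(_a(attr)) == "true":
            findings.append((attr, "application"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = comp.get(_a("name"))
        exported = comp.get(_a("exported"))
        filters = comp.findall("intent-filter")
        is_launcher = any(
            cat.get(_a("name")) == "android.intent.category.LAUNCHER"
            for f in filters for cat in f.findall("category"))
        if is_launcher:
            continue  # the launcher activity has to be exported; not a finding
        if exported == "true":
            findings.append(("exported", name))
        elif exported is None and filters:
            # No android:exported but an intent-filter is present: implicitly
            # exported when targetSdk < 31 (Android 12 makes the attribute
            # mandatory for such components). Worth testing with adb/drozer.
            findings.append(("implicitly-exported", name))
    return findings


# (rule name, regex) pairs applied line by line to decompiled source.
SOURCE_RULES = [
    ("aws-access-key", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("hardcoded-credential",
     re.compile(r'(?i)(password|passwd|secret|api_?key|token)\w*\s*=\s*"[^"]+"')),
    ("cleartext-url", re.compile(r'"http://[^"]+"')),
    ("world-readable-storage", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
]


def scan_source(text):
    """Return (rule, line_number, line) hits for hardcoding/storage issues."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SOURCE_RULES:
            if pattern.search(line):
                hits.append((rule, lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for rule, subject in check_manifest(SAMPLE_MANIFEST):
        print("manifest: %-21s %s" % (rule, subject))
    for rule, lineno, line in scan_source(SAMPLE_SOURCE):
        print("source:%d: %-21s %s" % (lineno, rule, line))
```

Every hit is a lead, not a confirmed vulnerability: an exported component still has to be driven with `adb shell am start` or drozer to prove it does something harmful, and a matched "password" string might be a placeholder. The manifest check also does not model the older default where content providers were exported unless `android:exported="false"` was set (targetSdk below 17), so check the target SDK by hand on legacy apps.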


OWASP Top 10 Mobile Risks 2016 : 

  • M1: Improper Platform Usage

  • M2: Insecure Data Storage

  • M3: Insecure Communication

  • M4: Insecure Authentication

  • M5: Insufficient Cryptography

  • M6: Insecure Authorization

  • M7: Client Code Quality

  • M8: Code Tampering

  • M9: Reverse Engineering

  • M10: Extraneous Functionality

To learn and practice Android penetration testing or VAPT, one has to know some basic details like:


  1. Android basics and its architecture

  2. Components of an Android application

  3. Lab setup for Android penetration testing

  4. OWASP Top 10 Mobile Risks

  5. Android VAPT tools like : adb, drozer, apktool, dex2jar, etc.

  6. Setting up vulnerable Android applications like : DIVA, InjuredAndroid, InsecureShop, Android-InsecureBankv2, Damn-Vulnerable-Bank, etc. 


Helpful resources: 


Android basics : 


Lab setup for android vapt :


Android Studio installation guide : 


OWASP Mobile Top 10 :


Vulnerable android applications :


YouTube : 

Android Studio Installation : https://youtu.be/0zx_eFyHRU0

Genymotion Installation : https://youtu.be/SL-QvKz20I4


GitHub :

