Android Mobile Application Pentesting · testing is to try reverse engineer the application because...
Android Mobile Application Pentesting. Williams ([email protected]), OWASP, 29 April 2018
Page 1

Android Mobile Application Pentesting

[email protected]

OWASP, 29 April 2018

Page 2

Who Am I?

Page 3

Who Am I

Page 4

Note to all audience:

All material given in this meeting is for educational purposes only. Any damage that occurs to an application or system is not the responsibility of the author.

Peace out yoo!

Page 5

Android Mobile Application Security Testing

Page 6

Page 7

Source:

Page 8

Source:

Page 9

OWASP Mobile top 10 Vulnerability

Page 10

Linux Kernel

Android Runtime

Native Libraries

Application framework

Application

Taken from Learning Pentesting for Android Devices

Page 11

Linux Kernel

Android Runtime

Native Libraries

Application framework

Application

Page 12

Android Application Package

It is just a ZIP file

Page 13

Android Application Package

Taken from: Android Security: A Survey of Issues, Malware Penetration and Defenses

Page 14

Android Application Package

Taken from: Android Security: A Survey of Issues, Malware Penetration and Defenses

Page 15

Android Application Package

Taken from: Android Security: A Survey of Issues, Malware Penetration and Defenses

Page 16

Taken from fileinfo.com

Page 17

OWASP Mobile top 10 Vulnerability

Page 18

OWASP Mobile top 10 Vulnerability

The first step in Android mobile application penetration testing is to try to reverse engineer the application, because once you have the code, half of the work is already done.

Page 19

With Apktool

Page 20

With Dex2jar

Page 21

With jadx-core

Page 22

With jadx-core

Page 23

Where to get free APKs other than the Play Store?

Taken from APKPure.com

Page 24

Improper Platform Usage

Page 25

Improper Platform Usage

Page 26

Improper Platform Usage

Page 27

Good tools that every Android pentester must have

Taken from the McAfee blog. All rights reserved to the author.

Page 28

Target:

Page 29

Improper Platform Usage

Page 30

Improper Platform Usage

Page 31

Improper Platform Usage

~# adb shell am start -n com.xllusion.quicknote/.EditNote -e android.intent.extra.SUBJECT dumbass -e android.intent.extra.TEXT dumbass

-n gives the package name and the activity to start; the first -e puts the first string into the SUBJECT extra, and the second -e puts the second string into the TEXT extra.
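The adb command above can reach the EditNote activity from outside the app only because that activity is exported. The defender's counterpart to this test is to list, from the manifest, which components an app exposes and whether a permission guards them, before looking at what those components do with incoming extras. The script below is an added example, not code from the slides; it parses a decoded AndroidManifest.xml of the kind Apktool writes and applies the platform's export rule (an explicit android:exported attribute wins; otherwise, on Android 11 and older, a component with an intent-filter is exported). The manifest, the package name com.example.notes and all component names are constructed for illustration.

```python
"""Report exported components in a decoded AndroidManifest.xml.

Added example for the Improper Platform Usage slides; not from the original
deck. The sample manifest below is constructed, as are its package and
component names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical app, hypothetical components).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".EditNote" android:exported="true"/>
    <activity android:name=".Settings" android:exported="false"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.notes.SYNC"/>
      </intent-filter>
    </receiver>
    <service android:name=".UploadService"
             android:exported="true"
             android:permission="com.example.notes.permission.UPLOAD"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Explicit android:exported wins; otherwise a component that declares at
    least one intent-filter is exported by default (Android 11 and older).
    Android 12+ rejects manifests that leave this implicit, so the fallback
    only matters for older targets."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Return [(tag, fully qualified name, permission or None)] in manifest order."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        name = _attr(comp, "name") or ""
        if name.startswith("."):          # shorthand relative to the package
            name = package + name
        found.append((comp.tag, name, _attr(comp, "permission")))
    return found


def unprotected_exported(manifest_xml):
    """Exported components with no android:permission: any app on the device
    can send them an intent, so their extras must be treated as untrusted."""
    return [c for c in exported_components(manifest_xml) if c[2] is None]


if __name__ == "__main__":
    for tag, name, perm in exported_components(SAMPLE_MANIFEST):
        guard = f"permission={perm}" if perm else "no permission"
        print(f"{tag:9} {name}  ({guard})")
```

Run against a real decoded manifest by replacing SAMPLE_MANIFEST with the file contents. The launcher activity will always appear, which is expected; the finding to review is any other unprotected entry, such as EditNote here, whose handling of SUBJECT and TEXT extras then needs to be checked in the decompiled code.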

Page 32

Improper Platform Usage

Page 33

OWASP Mobile top 10 Vulnerability

Page 34

Insecure Data Storage

Page 35

Target:

Page 36

Insecure Data Storage

Page 37

Insecure Data Storage

Page 38

Insecure Data Storage

Page 39

Insecure Data Storage

Page 40

Insecure Data Storage

Page 41

OWASP Mobile top 10 Vulnerability

Page 42

Insecure Communication

What do you need?

Page 43

Insecure Communication

Page 44

Insecure Communication

Page 45

Insecure Communication

Page 46

Insecure Communication

Page 47

Insecure Communication

Page 48

Insecure Communication

Page 49

Insecure Communication

Page 50

Thank You