eBook - ePub
Hacking Android
Srinivasa Rao Kotipalli, Mohammed A. Imran
This is a test
Share book
- 376 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Hacking Android
Srinivasa Rao Kotipalli, Mohammed A. Imran
Book details
Book preview
Table of contents
Citations
About This Book
Explore every nook and cranny of the Android OS to modify your device and guard it against security threats
About This Book
- Understand and counteract against offensive security threats to your applications
- Maximize your device's power and potential to suit your needs and curiosity
- See exactly how your smartphone's OS is put together (and where the seams are)
Who This Book Is For
This book is for anyone who wants to learn about Android security. Software developers, QA professionals, and beginner- to intermediate-level security professionals will find this book helpful. Basic knowledge of Android programming would be a plus.
What You Will Learn
- Acquaint yourself with the fundamental building blocks of Android Apps in the right way
- Pentest Android apps and perform various attacks in the real world using real case studies
- Take a look at how your personal data can be stolen by malicious attackers
- Understand the offensive maneuvers that hackers use
- Discover how to defend against threats
- Get to know the basic concepts of Android rooting
- See how developers make mistakes that allow attackers to steal data from phones
- Grasp ways to secure your Android apps and devices
- Find out how remote attacks are possible on Android devices
In Detail
With the mass explosion of Android mobile phones in the world, mobile devices have become an integral part of our everyday lives. Security of Android devices is a broad subject that should be part of our everyday lives to defend against ever-growing smartphone attacks. Everyone, starting with end users all the way up to developers and security professionals should care about android security.
Hacking Android is a step-by-step guide that will get you started with Android security. You'll begin your journey at the absolute basics, and then will slowly gear up to the concepts of Android rooting, application security assessments, malware, infecting APK files, and fuzzing. On this journey you'll get to grips with various tools and techniques that can be used in your everyday pentests. You'll gain the skills necessary to perform Android application vulnerability assessment and penetration testing and will create an Android pentesting lab.
Style and approach
This comprehensive guide takes a step-by-step approach and is explained in a conversational and easy-to-follow style. Each topic is explained sequentially in the process of performing a successful penetration test. We also include detailed explanations as well as screenshots of the basic and advanced concepts.
Frequently asked questions
How do I cancel my subscription?
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Hacking Android an online PDF/ePUB?
Yes, you can access Hacking Android by Srinivasa Rao Kotipalli, Mohammed A. Imran in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Networking. We have over one million books available in our catalogue for you to explore.
Information
Hacking Android
Table of Contents
Hacking Android
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Setting Up the Lab
Installing the required tools
Java
Android Studio
Setting up an AVD
Real device
Apktool
Dex2jar/JD-GUI
Burp Suite
Configuring the AVD
Drozer
Prerequisites
QARK (No support for windows)
Getting ready
Advanced REST Client for Chrome
Droid Explorer
Cydia Substrate and Introspy
SQLite browser
Frida
Setting up Frida server
Setting up frida-client
Testing the setup
Vulnerable apps
Kali Linux
ADB Primer
Checking for connected devices
Getting a shell
Listing the packages
Pushing files to the device
Pulling files from the device
Installing apps using adb
Troubleshooting adb connections
Summary
2. Android Rooting
What is rooting?
Why would we root a device?
Advantages of rooting
Unlimited control over the device
Installing additional apps
More features and customization
Disadvantages of rooting
It compromises the security of your device
Bricking your device
Voids warranty
Locked and unlocked boot loaders
Determining boot loader unlock status on Sony devices
Unlocking boot loader on Sony through a vendor specified method
Rooting unlocked boot loaders on a Samsung device
Stock recovery and Custom recovery
Prerequisites
Rooting Process and Custom ROM installation
Installing recovery softwares
Using Odin
Using Heimdall
Rooting a Samsung Note 2
Flashing the Custom ROM to the phone
Summary
3. Fundamental Building Blocks of Android Apps
Basics of Android apps
Android app structure
How to get an APK file?
Storage location of APK files
/data/app/
/system/app/
/data/app-private/
Example of extracting preinstalled apps
Example of extracting user installed apps
Android app components
Activities
Services
Broadcast receivers
Content providers
Android app build process
Building DEX files from the command line
What happens when an app is run?
ART – the new Android Runtime
Understanding app sandboxing
UID per app
App sandboxing
Is there a way to break out of this sandbox?
Summary
4. Overview of Attacking Android Apps
Introduction to Android apps
Web Based apps
Native apps
Hybrid apps
Understanding the app's attack surface
Mobile application architecture
Threats at the client side
Threats at the backend
Guidelines for testing and securing mobile apps
OWASP Top 10 Mobile Risks (2014)
M1: Weak Server-Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client-Side Injection
M8: Security Decisions via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Automated tools
Drozer
Performing Android security assessments with Drozer
Installing testapp.apk
Listing out all the modules
Retrieving package information
Identifying the attack surface
Identifying and exploiting Android app vulnerabilities using Drozer
Attacks on exported activities
What is the problem here?
QARK (Quick Android Review Kit)
Running QARK in interactive mode
Reporting
Running QARK in seamless mode:
Summary
5. Data Storage and Its Security
What is data storage?
Android local data storage techniques
Shared preferences
SQLite databases
Internal storage
External storage
Shared preferences
Real world application demo
SQLite databases
Internal storage
External storage
User dictionary cache
Insecure data storage – NoSQL database
NoSQL demo application functionality
Backup techniques
Backup the app data using adb backup command
Convert .ab format to tar format using Android backup extractor
Extracting the TAR file using the pax or star utility
Analyzing the extracted content for security issues
Being safe
Summary
6. Server-Side Attacks
Different types of mobile apps and their threat model
Mobile applications server-side attack surface
Mobile application architecture
Strategies for testing mobile backend
Setting up Burp Suite Proxy for testing
Proxy setting via APN
Proxy setting via Wi-Fi
Bypass certificate warnings and HSTS
HSTS – HTTP Strict Transport Security
Bypassing certificate pinning
Bypass SSL pinning using AndroidSSLTrustKiller
Setting up a demo application
Installing OWASP GoatDroid
Threats at the backend
Relating OWASP top 10 mobile risks and web attacks
Authentication/authorization issues
Authentication vulnerabilities
Authorization vulnerabilities
Session management
Insufficient Transport Layer Security
In...