Language: English
10-13, 13:30–14:20 (Canada/Eastern), Track #1
As mobile devices have become increasingly prevalent, the security of Android applications has become a critical concern.
Pentesting is an essential process for identifying and mitigating potential vulnerabilities in these applications, but Android app pentesting is a specialized area that is less well documented than other pentesting disciplines.
In this session, the focus will be on how to pentest Android apps and their APIs.
The presentation will address key questions such as what Android pentesting is, how to set up an Android App pentest lab, and how to pentest an Android App and its APIs from start to finish.
Participants will leave the session with tips and resources for learning, practicing, and setting up a complete set of tools for Android application pentesting, including detailed examples on a purposefully vulnerable application.
The goal is to equip attendees with the knowledge and skills necessary to conduct thorough and effective pentests of Android applications.
Outline
Who am I?
From blogger to pentester
What is Android
What is an Android App Pentest?
Why Android App Pentest? (example: KellyTech malware)
Some figures (Impactful key figures in the Android vulnerabilities and attacks)
What about Android APIs?
Android App pentest process (Presentation of the different phases for this type of pentest)
The importance of the lab (Why this lab is different from labs of other pentests)
Which tools will you need (Presentation of Jadx, ADB, Android Studio and Burp Suite)
How to set up the lab
Installations
Create an emulator (video demo)
Configure Burp (video demo)
Deep dive in the process
Presentation of the vulnerable Apps used for the examples
Static Analysis
How to check the code
Example Android Manifest, permissions
Example Android Manifest, allow backup and debuggable
Find the API endpoints
How are APIs called - Example
Fetch API JavaScript - Example
API vulnerabilities
Example - Strings.xml (hardcoded API key)
Grep it (how to use grep to search for secrets)
General tips for static Analysis
Tools for static analysis (firebase enum, firebaseScanner, Cloud Enum)
Dynamic Analysis
Find API endpoints
Example - Background Capture (video demo)
Common API vulnerabilities to look for
Use checklists
Automatic tools (MobSF, Qark)
What about Mobile API vulnerabilities (A focus on specific API vulnerabilities and attack)
How to report
Methodology
Example of reporting (for the vulnerability BG capture)
Resources
Practice
Courses and Misc
References and Reads
Tools
Go Further with certificate pinning
Quiz to go (a link to an online quiz will be given)
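The Static Analysis items above (manifest permissions, allowBackup and debuggable, and hardcoded keys in strings.xml) can be checked with a short script once the APK has been decompiled with Jadx. The following is an added example written for this page, not code from the talk or its author: it assumes AndroidManifest.xml and res/values/strings.xml are available as plain XML after decompilation, and the manifest and strings.xml it scans are constructed samples, not from any real app.

```python
"""Static checks over a decompiled Android app's manifest and strings.xml.

Added example for this page (not the talk's own tooling). Assumes the APK
has already been decompiled (e.g. with jadx) so the XML files are readable.
Both sample documents below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Partial list of runtime ("dangerous") permissions worth flagging for review.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed sample manifest exhibiting the flags discussed in the outline.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:allowBackup="true" android:debuggable="true"
        android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity" android:exported="true"/>
        <provider android:name=".DataProvider"
            android:authorities="com.example.vulnapp.data"
            android:exported="true"/>
    </application>
</manifest>
"""

# Constructed sample strings.xml with a hardcoded key and a Firebase URL.
SAMPLE_STRINGS = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">VulnApp</string>
    <string name="api_base_url">https://api.example.test/v1/</string>
    <string name="api_key">EXAMPLE-HARDCODED-KEY-0000</string>
    <string name="firebase_url">https://example-project.firebaseio.com</string>
</resources>
"""

SECRET_NAME_RE = re.compile(r"(api[_-]?key|secret|token|password|private[_-]?key)", re.I)
FIREBASE_URL_RE = re.compile(r"https://[\w.-]+\.firebaseio\.com")


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(component):
    """True if the component carries the LAUNCHER category (expected to be exported)."""
    return any(_attr(cat, "name") == "android.intent.category.LAUNCHER"
               for cat in component.iter("category"))


def audit_manifest(xml_text):
    """Return (severity, message) findings for an AndroidManifest.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("info", f"requests dangerous permission {name}; confirm it is needed"))
    app = root.find("application")
    if app is None:
        return findings
    if _attr(app, "allowBackup") == "true":
        findings.append(("medium", "allowBackup=true: app data can be pulled with adb backup"))
    if _attr(app, "debuggable") == "true":
        findings.append(("high", "debuggable=true: a debugger can attach to the shipped build"))
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("medium", "usesCleartextTraffic=true: plain HTTP is allowed"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        # Exported components reachable by other apps should be guarded by a permission.
        if _attr(comp, "exported") == "true" and _attr(comp, "permission") is None \
                and not _is_launcher(comp):
            findings.append(("medium", f"{comp.tag} {_attr(comp, 'name')} exported without a permission"))
    return findings


def scan_strings(xml_text):
    """Return (name, value) pairs from strings.xml that look like secrets or backend URLs."""
    root = ET.fromstring(xml_text)
    hits = []
    for s in root.iter("string"):
        name, value = s.get("name", ""), (s.text or "").strip()
        if value and (SECRET_NAME_RE.search(name) or FIREBASE_URL_RE.search(value)):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for sev, msg in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{sev}] {msg}")
    for name, value in scan_strings(SAMPLE_STRINGS):
        print(f"[secret?] {name} = {value}")
```

The manifest checks mirror what a reviewer reads by hand: backup and debug flags on the application element, cleartext traffic, and components exported without a guarding permission (the launcher activity is skipped because it must be exported). The strings.xml scan keys on resource names that suggest credentials and on Firebase realtime-database URLs, which is the same idea as the "grep it" step but with the XML parsed rather than pattern-matched as text.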
Gabrielle Botbol is a Pentester at Desjardins, the largest financial cooperative in North America. With a deep focus on the banking industry, Gabrielle specializes in exploring mobile applications and APIs.
Gabrielle is an avid blog writer who advocates for access to education for all. In addition, she has a large following on social media, where she shares many educational resources about technical training and many other cyber topics.
She actively contributes to various organizations as a member of their Advisory Board, such as APIsec University. She is a speaker and trainer at global events and prestigious universities, like Black Hat, APIsecure, Apidays, BSides, OWASP, CUNY, the University of Toronto…
With her contributions to the community, Gabrielle has been the recipient of multiple prestigious awards. Among them, she was honored as one of the Top 20 women in cybersecurity in Canada, Pentest Ninja at WSCJ, Educator of the Year at AYA, Top Influencer in Cybersecurity by IFSEC Global, and Woman Hacker of the Year by CSWY.