Hackfest 2023 - Back to the Future

Android Application and APIs hacking
2023-10-13, 13:30–14:20, Track #1

As mobile devices have become increasingly prevalent, the security of Android applications has become a critical concern.
Pentesting is an essential process for identifying and mitigating potential vulnerabilities in these applications, but Android app hacking is a specialized area that is less well-documented than other pentesting techniques.
In this session, the focus will be on how to pentest Android apps and their APIs.

The presentation will address key questions such as what Android pentesting is, how to set up an Android App pentest lab, and how to pentest an Android App and its APIs from start to finish.

Participants will leave the session with tips and resources for learning, practicing, and setting up a complete set of tools for Android application pentesting, including detailed examples on a purposefully vulnerable application.
The goal is to equip attendees with the knowledge and skills necessary to conduct thorough and effective pentests of Android applications.

Who am I?
From blogger to pentester
What is Android
What is an Android App Pentest?
Why Android App Pentest? (example for KellyTech malware)
Some figures (Impactful key figures in the Android vulnerabilities and attacks)
What about Android APIs?
Android App pentest process (Presentation of the different phases for this type of pentest)
The importance of the lab (Why this lab is different from labs of other pentests)
Which tools will you need (Presentation of Jadx, ADB, Android Studio and Burpsuite)
How to set up the lab
Create an emulator (video demo)
Configure Burp (video demo)
Deep dive in the process
Presentation of the vulnerable Apps used for the examples
Static Analysis
How to check the code
Example Android Manifest, permissions
Example Android Manifest, allow backup and debuggable
Find the API endpoints
How are APIs called - Example
Fetch API Javascript - Example
API vulnerabilities
Example - Strings.xml (hardcoded API key)
Grep it (how to use grep to search for secrets
General tips for static Analysis
Tools for static analysis (firebase enum, firebaseScanner, Cloud Enum)
Dynamic Analysis
Find API endpoints
Example - Background Capture (video demo)
Common API vulnerabilities to look for
Use checklists
Automatic tools (Mobsf Qark)
What about Mobile API vulnerabilities (A focus on specific API vulnerabilities and attack)
How to report
Example of reporting (for the vulnerability BG capture)
Courses and Misc
References and Reads
Go Further with certificate pinning
Quiz to go (a link to a an online quiz will be given)

Are you releasing a tool? – Non