Our Android workshop aims to provide an insight into every aspect of secure mobile application development. In order to cover everything a developer needs to commit and publish secure code through the Play Store, the agenda is built from the ground up and has been designed to provide practical exercises throughout the entire training, with a heavy focus on how Android as a development platform offers security features to developers.
After a short introduction, we take a look at the overall Google/Android philosophy, the OS security features and their implications for a developer's daily work. We take a look at typical issues in Android applications, including some now-infamous bugs and exploits from the past, how difficult challenges can be tackled and how typical pitfalls can be avoided. Throughout the course, a plethora of in-house demo applications are provided to highlight issues.
The 'Mobile security baseline' module can be taken as general preparation for this course, while the 'Mobile testing automation' module greatly extends the coverage of the practical field.
The course has been tested and used successfully with several mobile-heavy development companies.
We'll use several demo apps and also work with our vulnerable Kotlin app (Vulnabank).
title: Android security design and secure coding
audience: Android developers, architects and testers, security engineers, security champions
duration: 1 XL day (7hrs education time), or 2 days combined with the 'Mobile security baseline' module
developed by: Zsombor Kovács
We assume that the developers attending the Android secdev course:
Are familiar with the mobile app development process and technologies;
Have a suitable IDE installed on their laptop (lab desktop) with
Android Studio with the Android 6.0 SDK installed,
Genymotion emulator (personal licence is sufficient) with an initialized 6.0 image.
'Into the middle of things' demo: "Bugs and flaws in your app help bad guys"
Security mechanisms in Android
Common design patterns
Architecture of an Android app
Secure API design
Designing a reasonable communication flow
Hands-on: the manifest.xml
Storage locations, which one to use?
Different formats (sqlite, xml, prefs file etc.) and security implications
Threats to stored data (backups, data leak etc.)
Logging
Hands-on: Exploiting weak data storage methods
Designing and implementing a secure communication flow
Hands-on: SSL cert pinning implementation and bypass
Securing activities
Securing content providers
Securing broadcast receivers
Hands-on: typical IPC issues
Libraries
Hands-on: extraction of hard-coded crypto material
Java
Kotlin
Non-native/hybrid app development: Flutter, React, etc.
Rooting, implications of running on a rooted device
Hands-on: dynamic hooking exercise
Hands-on: bypassing root detection in several ways