The upcoming Defcon 31 conference (August 10-12) in Las Vegas is set to host a workshop on Android Hacking, led by the Google Android Security Team. This article has been prepared from their training materials. Special acknowledgment goes to Sajjad “JJ” Arshad (Senior Security SWE, Android Security & Privacy at Google), Kavia Venkatesh (Technical Program Manager, Android Security Team at Google), Maria Uretsky (VRP Technical Lead, Android Vulnerability Rewards Program at Google), Olivier Tuchon (Security Engineer, Android Vulnerability Research Team at Google) and Hao Ke (Senior Security Engineer, Android Security Team at Google) for their invaluable contributions.

Life of an Android Application – Bug Hunter POV

Sources of APKs (not limited to these)

  • Google Play
  • Getapk
  • GetJar
  • F-Droid
  • APKPure
  • Aptoide

AndroidManifest.xml

A detailed write-up on AndroidManifest.xml can be found here.

Google Challenge APP

The Google Android Security Team has developed a vulnerable application that contains 8 challenges. Download the APK file from here.

Tools

ADB, apktool, Python & pip, JDK, jadx, Burp Suite, Wireshark, Frida, Ghidra, MobSF.

Prerequisites (Setup Instructions)

Misc Resources