Android App Hacking – Google DEFCON 31 Edition

The upcoming Defcon 31 conference (August 10-12) at Las Vegas is set to host a workshop on Android Hacking, led by the esteemed Google Android Security Team. This article has been diligently prepared, drawing from their comprehensive training materials. Special acknowledgment goes to Sajjad “JJ” Arshad (Senior Security SWE, Android Security & Privacy at Google), Kavia Venkatesh (Technical Program Manager, Android Security Team at Google), Maria Uretsky (VRP Technical Lead, Android Vulnerability Rewards Program at Google), Olivier Tuchon (Security Engineer, Android Vulnerability Research Team at Google) and Hao Ke (Senior Security Engineer, Android Security Team at Google) for their invaluable contributions.

Life of an Android Application – Bug Hunter POV

Sources of APKs (not limited to)

• Google Play
• Getapk
• GetJar
• F-droid
• APKPure
• Aptoide

AndroidManifest.xml

A detailed write-up on AndroidManifest.xml can be found here.

• Package Name (Unique app identifier): Two apps cannot have the same package name on one device.
• Permissions: https://developer.android.com/guide/topics/manifest/uses-permission-element
• App Components: https://developer.android.com/guide/components/fundamentals
  • Activities: https://developer.android.com/reference/android/app/Activity
  • Services: https://developer.android.com/reference/android/app/Service
  • Broadcast Receivers: https://developer.android.com/reference/android/content/BroadcastReceiver
  • Content Providers: https://developer.android.com/guide/topics/providers/content-provider-basics

Google Challenge APP

Google Android Security Team has developed vulnerable application that contains 8 challenges. Download the apk file from here.

Tools

ADB, apktool, Python & pip, JDK, jadx, Burp Suite, Wireshark, Frida, Ghidra, MobSF.

Prerequisites (Setup Instruction)

Misc Resources

• Android Course
  • https://mobisec.reyammer.io/
  • https://www.ragingrock.com/AndroidAppRE/
  • https://blog.oversecured.com/
• Capture The Flag (CTF)
  • CTF Archives: https://github.com/sajjadium/ctf-archives
  • GoogleCTF: https://github.com/google/google-ctf
• Vulnerability Finding Helpers
  • Mariana Trench: https://github.com/facebook/mariana-trench
  • MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF
  • SPECK: https://github.com/SPRITZ-Research-Group/SPECK
• Reverse Engineering
  • https://0xinfection.github.io/reversing/
  • https://sat-smt.codes/
  • Unicorn: https://www.unicorn-engine.org
  • QDBI: https://qbdi.quarkslab.com
• Vulnerable Android App
  • InjuredAndroid: https://github.com/B3nac/InjuredAndroid
  • Damn Vulnerable Bank: https://github.com/rewanthtammana/Damn-Vulnerable-Bank
  • InsecureShop: https://github.com/optiv/InsecureShop
  • OverSecured Vuln App: https://github.com/oversecured/ovaa