Android Security and Penetration Testing

  1. Dynamic Analysis (DAST)
    1. Runtime Environment Exploration
      1. Interacting with the Device via ADB Shell
        1. Shell Commands
        2. File System Navigation
        3. Process Management
      2. Exploring the Application's Data Directory
        1. /data/data/<package_name>/
        2. File and Directory Structure
        3. Permission Analysis
      3. Analyzing SharedPreferences
        1. Location and Format
        2. Sensitive Data Storage
        3. XML Structure
      4. Examining SQLite Databases
        1. Database File Identification
        2. Data Extraction and Analysis
        3. Schema Analysis
      5. Checking for Insecure File Permissions
        1. World-readable Files
        2. World-writable Files
        3. Permission Misconfigurations
    2. Runtime Manipulation and Hooking
      1. Introduction to Frida
        1. Setting up Frida Server
        2. Writing Frida Scripts
        3. Function Hooking
        4. Bypassing Client-side Controls
      2. Using Xposed Framework
        1. Framework Installation
        2. Writing Xposed Modules
        3. Common Modules for Security Testing
        4. Hook Management
      3. Method Tracing and Logging
        1. Function Call Tracing
        2. Parameter Logging
        3. Return Value Modification
    3. Analyzing Inter-Process Communication (IPC)
      1. Fuzzing Exported Activities with ADB
        1. Intent Crafting
        2. Activity Invocation
        3. Parameter Manipulation
      2. Interacting with Exported Services
        1. Service Binding
        2. Service Communication
        3. AIDL Interface Testing
      3. Exploiting Insecure Broadcast Receivers
        1. Sending Crafted Broadcasts
        2. Privilege Escalation
        3. Data Injection
      4. Querying and Manipulating Content Providers with Drozer
        1. Data Extraction
        2. Permission Bypass Techniques
        3. SQL Injection Testing
    4. Memory Analysis
      1. Dumping Process Memory
        1. Using GDB
        2. Using LLDB
        3. Memory Dump Tools
      2. Searching for Sensitive Data in Memory
        1. Credentials
        2. Cryptographic Keys
        3. Session Tokens
      3. Using Memory Editing Tools
        1. GameGuardian
        2. Cheat Engine
        3. Value Searching
        4. Real-time Modification
    5. Behavioral Analysis
      1. Monitoring File System Access
        1. File Creation and Modification
        2. Permission Changes
      2. Network Activity Monitoring
        1. Connection Establishment
        2. Data Transmission
      3. System Call Tracing
        1. Strace Usage
        2. System Call Analysis