Android Security and Penetration Testing

  1. Network Traffic Analysis
    1. Setting up a Man-in-the-Middle (MitM) Proxy
      1. Configuring Burp Suite
        1. Proxy Listener Setup
          1. Certificate Generation
          2. Configuring OWASP ZAP
            1. Proxy Configuration
              1. Certificate Management
              2. Setting up the Device Proxy
                1. WiFi Proxy Configuration
                  1. Global Proxy Settings
                  2. Installing the Proxy's CA Certificate
                    1. Certificate Installation Process
                      1. Trust Store Management
                        1. User vs. System Certificates
                      2. Intercepting and Analyzing HTTP/HTTPS Traffic
                        1. Capturing Login and Session Management Traffic
                          1. Session Tokens
                            1. Authentication Flows
                            2. Testing for Insecure API Endpoints
                              1. Unauthenticated Endpoints
                                1. Sensitive Data Exposure
                                  1. API Versioning Issues
                                  2. Modifying Requests and Responses
                                    1. Tampering with Parameters
                                      1. Testing for Input Validation
                                        1. Response Manipulation
                                        2. Analyzing API Security
                                          1. REST API Testing
                                            1. GraphQL Security
                                              1. API Rate Limiting
                                            2. Bypassing SSL Pinning
                                              1. Understanding Certificate and Public Key Pinning
                                                1. Pinning Mechanisms
                                                  1. Security Rationale
                                                    1. Implementation Methods
                                                    2. Methods for Bypassing
                                                      1. Using Frida Scripts
                                                        1. Using Objection
                                                          1. Modifying APK to Disable Pinning
                                                            1. Using Xposed Modules
                                                            2. Advanced Pinning Bypass Techniques
                                                              1. Runtime Patching
                                                                1. Library Hooking
                                                              2. Analyzing Non-HTTP Traffic
                                                                1. Using Wireshark for Low-level Traffic Analysis
                                                                  1. Packet Capture Setup
                                                                    1. Protocol Dissection
                                                                      1. Filter Creation
                                                                      2. Analyzing WebSocket Communication
                                                                        1. Message Inspection
                                                                          1. Security Risks
                                                                            1. Real-time Communication
                                                                            2. Reverse Engineering Custom Protocols
                                                                              1. Protocol Identification
                                                                                1. Message Structure Analysis
                                                                                  1. Binary Protocol Analysis
                                                                                2. Advanced Network Testing
                                                                                  1. Testing for Network Security Misconfigurations
                                                                                    1. Weak TLS Configurations
                                                                                      1. Certificate Validation Issues
                                                                                      2. Analyzing Push Notification Security
                                                                                        1. FCM Security
                                                                                          1. Message Interception
                                                                                          2. Testing WebRTC Security
                                                                                            1. Media Stream Security
                                                                                              1. Signaling Security

                                                                                          Previous

                                                                                          4. Dynamic Analysis (DAST)

                                                                                          Go to top

                                                                                          Next

                                                                                          6. Common Android Vulnerabilities (OWASP Mobile Top 10)