Learning Pentesting for Android Devices
Table of Contents
Learning Pentesting for Android Devices
Credits
Foreword
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of the book
Errata
Piracy
Questions
1. Getting Started with Android Security
Introduction to Android
Digging deeper into Android
Sandboxing and the permission model
Application signing
Android startup process
Summary
2. Preparing the Battlefield
Setting up the development environment
Creating an Android virtual device
Useful utilities for Android Pentest
Android Debug Bridge
Burp Suite
APKTool
Summary
3. Reversing and Auditing Android Apps
Android application teardown
Reversing an Android application
Using Apktool to reverse an Android application
Auditing Android applications
Content provider leakage
Insecure file storage
Path traversal vulnerability or local file inclusion
Client-side injection attacks
OWASP top 10 vulnerabilities for mobiles
Summary
4. Traffic Analysis for Android Devices
Android traffic interception
Ways to analyze Android traffic
Passive analysis
Active analysis
HTTPS Proxy interception
Other ways to intercept SSL traffic
Extracting sensitive files with packet capture
Summary
5. Android Forensics
Types of forensics
Filesystems
Android filesystem partitions
Using dd to extract data
Using a custom recovery image
Using Andriller to extract an application's data
Using AFLogical to extract contacts, calls, and text messages
Dumping application databases manually
Logging the logcat
Using backup to extract an application's data
Summary
6. Playing with SQLite
Understanding SQLite in depth
Analyzing a simple application using SQLite
Security vulnerability
Summary
7. Lesser-known Android Attacks
Android WebView vulnerability
Using WebView in the application
Identifying the vulnerability
Infecting legitimate APKs
Vulnerabilities in ad libraries
Cross-Application Scripting in Android
Summary
8. ARM Exploitation
Introduction to ARM architecture
Execution modes
Setting up the environment
Simple stack-based buffer overflow
Return-oriented programming
Android root exploits
Summary
9. Writing the Pentest Report
Basics of a penetration testing report
Writing the pentest report
Executive summary
Vulnerabilities
Scope of the work
Tools used
Testing methodologies followed
Recommendations
Conclusion
Appendix
Summary
Security Audit of Attify's Vulnerable App
Table of Contents
1. Introduction
1.1 Executive Summary
1.2 Scope of the Work
1.3 Summary of Vulnerabilities
2. Auditing and Methodology
2.1 Tools Used
2.2 Vulnerabilities
Issue #1: Injection vulnerabilities in the Android application
Issue #2: Vulnerability in the WebView component
Issue #3: No/Weak encryption
Issue #4: Vulnerable content providers
3. Conclusions
3.1 Conclusions
3.2 Recommendations
Index