Welcome to Android Application Security Series. This series contains some blog post about different types of vulnerabilities which are possible in Android Application’s and there exploitation methods.
Q. Who can follow this series ?
- As in the whole series i have demonstrated common vulnerabilities possible in android applications, Penetration Testers, Security Researchers, Security Analyst are the main audience.
- In nearly every post i have also described the ways you can fix the given vulnerability, so android application developers can get to know common vulnerabilities and ways to fix them.
Q. What are the prequisties of this series ?
- Well i have tried my best to make these series simple and elaborative. So anyone with basic knowledge about Internet can just start right away.
- It would be good if you are already aware of android apps development and some common web application vulnerabilities like SQL Injection, Cross Site Scripting(XSS), but not to worry if you are not already aware of those, there is always a way out. If you have been in web application security then you will love this series.
Q. From where does the inspiration of writing these blogs came ?
Actually i got interested Web Application Security in 2013 and gained lot of interest in it and then also participated in so many Bug Bounty Programs. But for me learning web application security was an easy task because of so many resources available on the internet(like OWASP.org) but that is not the case when it comes to Mobile Application Security(espically Android) despite of the fact that Android has around 82.8% share in the mobile market.
Source : IDC
The main reason for this because of the fact that Android started in 2008 and web around 1995. And another reason most of the people have started commercializing the courses they made instead of making that free.
So, you can consider this series as a little payback to the community from which i have learned too many things.
In this series, i will be using Appie to demonstrate vulnerabilities and highly recommend you to use that but you could use your own installation of those tools or have a virtual machine. If you are on Linux or Mac then i would suggest you to use AndroidTamer.
I have tried to put blog post in this series according to OWASP Mobile Top 10 and arranged in a manner so that you can gain better understanding of the vulnerabilities.
Note: If you are new to this series then you can start reading Second Part, Third Part till Appie gets Downloaded and then proceed on the First Part and if you visited this series before then you can start from Part 8.
If you have any suggestion for making this series more interesting or wanted to see any new post, then please let me know . Leave your comments if you face any problem or just shoot me a email at aditya@manifestsecurity.com
If you find this series helpful, then please consider it sharing on Facebook or Twitter.
- Android Application Security Part 1- Setup Mobile Pentesting Platform
- Android Application Security Part 2- Understanding Android Operating System
- Android Application Security Part 3- Android Application Fundamentals
- Android Application Security Part 4 – Get to know about your Arsenals
- Android Application Security Part 5 – Drozer
- Android Application Security Part 6-Let the Fun Begin
- Android Application Security Part 7-Understanding AndroidManifest.xml File
- Android Application Security Part 8 – Insecure Data Storage
- Android Application Security Part 9 – Binary Protections
- Android Application Security Part 10 – Insufficient Transport Layer Protection
- Android Application Security Part 11 – Unintended Data Leakage
- Android Application Security Part 12 – Poor Authentication And Authorization
- Android Application Security Part 13 – Broken Cryptography
- Android Application Security Part 14 – Security Decisions via Untrusted Input
- Android Application Security Part 15 – Attacking Content Providers
- Android Application Security Part 16 – Attacking Services
- Android Application Security Part 17 – Attacking Activities
- Android Application Security Part 18 – Attacking Broadcast Receivers
- Android Application Security Part 19 – Improper Session Handling
- Android Application Security Part 20 – Client Side Injections
- Android Application Security Part 21 – Exploiting Debuggable Applications
- Android Application Security Part 22 – Developer Backdoor
- Spoofing your location in Play Store
- Configuring your Device for Pentesting
- Install Google Play Store in Genymotion
- Android Application Security Part 26 – Intercept Traffic on Android version after 4.2.2