Hacking Android

Book Description

Explore every nook and cranny of the Android OS to modify your device and guard it against security threats

About This Book

  • Understand and counteract offensive security threats to your applications

  • Maximize your device’s power and potential to suit your needs and curiosity

  • See exactly how your smartphone’s OS is put together (and where the seams are)

Who This Book Is For

This book is for anyone who wants to learn about Android security. Software developers, QA professionals, and beginner- to intermediate-level security professionals will find this book helpful. Basic knowledge of Android programming would be a plus.

What You Will Learn

  • Acquaint yourself with the fundamental building blocks of Android Apps in the right way

  • Pentest Android apps and perform various attacks in the real world using real case studies

  • Take a look at how your personal data can be stolen by malicious attackers

  • Understand the offensive maneuvers that hackers use

  • Discover how to defend against threats

  • Get to know the basic concepts of Android rooting

  • See how developers make mistakes that allow attackers to steal data from phones

  • Grasp ways to secure your Android apps and devices

  • Find out how remote attacks are possible on Android devices

In Detail

With the mass explosion of Android mobile phones in the world, mobile devices have become an integral part of our everyday lives. Security of Android devices is a broad subject that should be part of our everyday lives to defend against ever-growing smartphone attacks. Everyone, starting with end users all the way up to developers and security professionals, should care about Android security.

Hacking Android is a step-by-step guide that will get you started with Android security. You’ll begin your journey at the absolute basics, and then will slowly gear up to the concepts of Android rooting, application security assessments, malware, infecting APK files, and fuzzing. On this journey you’ll get to grips with various tools and techniques that can be used in your everyday pentests. You’ll gain the skills necessary to perform Android application vulnerability assessment and penetration testing and will create an Android pentesting lab.

Style and approach

This comprehensive guide takes a step-by-step approach and is explained in a conversational and easy-to-follow style. Each topic is explained sequentially in the process of performing a successful penetration test. We also include detailed explanations as well as screenshots of the basic and advanced concepts.

Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the code file.

Table of Contents

    1. Hacking Android
      1. Table of Contents
      2. Hacking Android
      3. Credits
      4. About the Authors
      5. About the Reviewer
        1. eBooks, discount offers, and more
          1. Why subscribe?
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      8. 1. Setting Up the Lab
        1. Installing the required tools
          1. Java
        2. Android Studio
        3. Setting up an AVD
          1. Real device
          2. Apktool
          3. Dex2jar/JD-GUI
          4. Burp Suite
        4. Configuring the AVD
          1. Drozer
            1. Prerequisites
          2. QARK (No support for windows)
            1. Getting ready
          3. Advanced REST Client for Chrome
          4. Droid Explorer
          5. Cydia Substrate and Introspy
          6. SQLite browser
          7. Frida
            1. Setting up Frida server
            2. Setting up frida-client
              1. Testing the setup
          8. Vulnerable apps
          9. Kali Linux
        5. ADB Primer
          1. Checking for connected devices
          2. Getting a shell
          3. Listing the packages
          4. Pushing files to the device
          5. Pulling files from the device
          6. Installing apps using adb
          7. Troubleshooting adb connections
        6. Summary
      9. 2. Android Rooting
        1. What is rooting?
          1. Why would we root a device?
          2. Advantages of rooting
            1. Unlimited control over the device
            2. Installing additional apps
            3. More features and customization
          3. Disadvantages of rooting
            1. It compromises the security of your device
            2. Bricking your device
            3. Voids warranty
        2. Locked and unlocked boot loaders
          1. Determining boot loader unlock status on Sony devices
          2. Unlocking boot loader on Sony through a vendor specified method
          3. Rooting unlocked boot loaders on a Samsung device
        3. Stock recovery and Custom recovery
          1. Prerequisites
        4. Rooting Process and Custom ROM installation
          1. Installing recovery softwares
            1. Using Odin
            2. Using Heimdall
        5. Rooting a Samsung Note 2
        6. Flashing the Custom ROM to the phone
        7. Summary
      10. 3. Fundamental Building Blocks of Android Apps
        1. Basics of Android apps
          1. Android app structure
            1. How to get an APK file?
          2. Storage location of APK files
            1. /data/app/
            2. /system/app/
            3. /data/app-private/
              1. Example of extracting preinstalled apps
              2. Example of extracting user installed apps
        2. Android app components
          1. Activities
          2. Services
          3. Broadcast receivers
          4. Content providers
          5. Android app build process
        3. Building DEX files from the command line
        4. What happens when an app is run?
          1. ART – the new Android Runtime
        5. Understanding app sandboxing
          1. UID per app
          2. App sandboxing
          3. Is there a way to break out of this sandbox?
        6. Summary
      11. 4. Overview of Attacking Android Apps
        1. Introduction to Android apps
          1. Web Based apps
          2. Native apps
          3. Hybrid apps
        2. Understanding the app's attack surface
          1. Mobile application architecture
        3. Threats at the client side
        4. Threats at the backend
        5. Guidelines for testing and securing mobile apps
          1. OWASP Top 10 Mobile Risks (2014)
          2. M1: Weak Server-Side Controls
          3. M2: Insecure Data Storage
          4. M3: Insufficient Transport Layer Protection
          5. M4: Unintended Data Leakage
          6. M5: Poor Authorization and Authentication
          7. M6: Broken Cryptography
          8. M7: Client-Side Injection
          9. M8: Security Decisions via Untrusted Inputs
          10. M9: Improper Session Handling
          11. M10: Lack of Binary Protections
        6. Automated tools
          1. Drozer
          2. Performing Android security assessments with Drozer
            1. Installing testapp.apk
            2. Listing out all the modules
            3. Retrieving package information
        7. Identifying the attack surface
          1. Identifying and exploiting Android app vulnerabilities using Drozer
            1. Attacks on exported activities
              1. What is the problem here?
        8. QARK (Quick Android Review Kit)
          1. Running QARK in interactive mode
            1. Reporting
          2. Running QARK in seamless mode:
        9. Summary
      12. 5. Data Storage and Its Security
        1. What is data storage?
          1. Android local data storage techniques
            1. Shared preferences
            2. SQLite databases
            3. Internal storage
            4. External storage
        2. Shared preferences
          1. Real world application demo
        3. SQLite databases
        4. Internal storage
        5. External storage
        6. User dictionary cache
        7. Insecure data storage – NoSQL database
          1. NoSQL demo application functionality
        8. Backup techniques
          1. Backup the app data using adb backup command
          2. Convert .ab format to tar format using Android backup extractor
          3. Extracting the TAR file using the pax or star utility
          4. Analyzing the extracted content for security issues
        9. Being safe
        10. Summary
      13. 6. Server-Side Attacks
        1. Different types of mobile apps and their threat model
        2. Mobile applications server-side attack surface
          1. Mobile application architecture
        3. Strategies for testing mobile backend
          1. Setting up Burp Suite Proxy for testing
            1. Proxy setting via APN
            2. Proxy setting via Wi-Fi
            3. Bypass certificate warnings and HSTS
              1. HSTS – HTTP Strict Transport Security
          2. Bypassing certificate pinning
          3. Bypass SSL pinning using AndroidSSLTrustKiller
            1. Setting up a demo application
              1. Installing OWASP GoatDroid
          4. Threats at the backend
            1. Relating OWASP top 10 mobile risks and web attacks
            2. Authentication/authorization issues
              1. Authentication vulnerabilities
              2. Authorization vulnerabilities
            3. Session management
            4. Insufficient Transport Layer Security
            5. Input validation related issues
            6. Improper error handling
            7. Insecure data storage
            8. Attacks on the database
        4. Summary
      14. 7. Client-Side Attacks – Static Analysis Techniques
        1. Attacking application components
          1. Attacks on activities
            1. What does exported behavior mean to an activity?
            2. Intent filters
          2. Attacks on services
            1. Extending the Binder class:
            2. Using a Messenger
            3. Using AIDL
            4. Attacking AIDL services
          3. Attacks on broadcast receivers
          4. Attacks on content providers
            1. Querying content providers:
            2. Exploiting SQL Injection in content providers using adb
              1. Querying the content provider
              2. Writing a where condition:
          5. Testing for Injection:
            1. Finding the column numbers for further extraction
            2. Running database functions
            3. Finding out SQLite version:
            4. Finding out table names
        2. Static analysis using QARK:
        3. Summary
      15. 8. Client-Side Attacks – Dynamic Analysis Techniques
        1. Automated Android app assessments using Drozer
          1. Listing out all the modules
          2. Retrieving package information
          3. Finding out the package name of your target application
          4. Getting information about a package
          5. Dumping the AndroidManifest.xml file
          6. Finding out the attack surface:
          7. Attacks on activities
          8. Attacks on services
          9. Broadcast receivers
          10. Content provider leakage and SQL Injection using Drozer
          11. Attacking SQL Injection using Drozer
          12. Path traversal attacks in content providers
            1. Reading /etc/hosts
            2. Reading kernel version
          13. Exploiting debuggable apps
        2. Introduction to Cydia Substrate
        3. Runtime monitoring and analysis using Introspy
        4. Hooking using Xposed framework
        5. Dynamic instrumentation using Frida
          1. What is Frida?
            1. Prerequisites
            2. Steps to perform dynamic hooking with Frida
        6. Logging based vulnerabilities
        7. WebView attacks
          1. Accessing sensitive local resources through file scheme
          2. Other WebView issues
        8. Summary
      16. 9. Android Malware
        1. What do Android malwares do?
        2. Writing Android malwares
          1. Writing a simple reverse shell Trojan using socket programming
        3. Registering permissions
          1. Writing a simple SMS stealer
            1. The user interface
              1. Code for
              2. Code for reading SMS
              3. Code for the uploadData() method
              4. Complete code for
            2. Registering permissions
            3. Code on the server
            4. A note on infecting legitimate apps
        4. Malware analysis
          1. Static analysis
            1. Disassembling Android apps using Apktool
              1. Exploring the AndroidManifest.xml file
              2. Exploring smali files
            2. Decompiling Android apps using dex2jar and JD-GUI
          2. Dynamic analysis
            1. Analyzing HTTP/HTTPS traffic using Burp
            2. Analysing network traffic using tcpdump and Wireshark
        5. Tools for automated analysis
          1. How to be safe from Android malwares?
        6. Summary
      17. 10. Attacks on Android Devices
        1. MitM attacks
        2. Dangers with apps that provide network level access
        3. Using existing exploits
        4. Malware
        5. Bypassing screen locks
          1. Bypassing pattern lock using adb
            1. Removing the gesture.key file
            2. Cracking SHA1 hashes from the gesture.key file
          2. Bypassing password/PIN using adb
          3. Bypassing screen locks using CVE-2013-6271
        6. Pulling data from the sdcard
        7. Summary
      18. Index