Learning Android applications security

Recently, I decided to learn about Android application security. Since good learning always requires a certain amount of practice, I decided to apply the knowledge I had obtained by analyzing an existing Android application with known vulnerabilities. I chose InsecureBankv2 as the application under test. My goal was not only to find the vulnerable pieces of the application, but also to figure out how to change the code to remove each vulnerability. The result of this exercise was a series of blog posts which I am sharing here:

One should bear in mind that the content described in these posts is mostly between a basic and an intermediate level. There are a multitude of more advanced topics which I would like to learn at some point, including but not limited to WebView vulnerabilities, Java/JavaScript bridges, etc. It should, nevertheless, give a reader a head start and allow them to continue their Android exploration further. Another note worth mentioning is that not all the vulnerabilities present in the application are covered here. Check the Walkthrough Guides for other issues.

Tools

When evaluating applications, I was using several tools:

  • Drozer makes it easy to analyze the attack surface by showing the exported Android components: activities, services, content providers, and broadcast receivers.
  • Fiddler HTTP proxy was my choice to monitor traffic generated by an application.
  • Bytecode Viewer is very handy to reverse engineer Android apks and view source code using various decompilers.

Books on Android Security

When learning about Android security, I used the following books:

The Mobile Applications Hacker’s Handbook. At the time of writing (January 2017), this was the newest book on Android security. Written by several authors, including a person from MWR, the company which developed Drozer, this book covers not only Android, but also iOS, Windows Phone and BlackBerry. Security researchers would probably benefit from this book more than regular Android developers. Android content is presented on approximately 280 pages. If you can afford to buy only one book, get this one.

Application Security for the Android Platform. This book is more developer-focused, and presents information from the point of view of a builder, not a breaker. It’s short, less than 100 pages, and to the point. It is also relatively inexpensive. I enjoyed the chapter on “Protecting Stored Data” which, among other things, showed how to encrypt data with user-assisted key derivation. Buy this book if you are developing applications yourself and want them to be solid from a security point of view.

Android Hacker’s Handbook. A bit older than The Mobile Applications Hacker’s Handbook, it is still quite useful and features more content, as it is dedicated only to Android as opposed to several mobile platforms. The case studies featuring vulnerable Android applications are entertaining as well as educational. When reading this book, keep in mind that the Android platform has advanced since the book was published.

Disclosure: We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to Amazon.com and affiliated sites.