Attack and Defend Android Applications
This course focuses on the Android application ecosystem, covering both the offensive and defensive sides of the application development process. We start with attacks, covering the various possible attacks on Android applications. Then we provide solutions to challenges routinely encountered by Android security engineers and pen testers:

- Traffic interception (HTTP/HTTPS/WebSocket/non-HTTP)
- Root detection bypass
- Static and dynamic analysis
- Dynamic instrumentation (Frida / Magisk)
- Analysing non-Java/Kotlin apps (React Native and Flutter)

Next, we shift gears and focus on defending the applications. The major areas covered are:

- Application threat modeling
- Identifying weaknesses
- Adding security into the application's CI/CD pipeline
- Analysis of the results (centralized dashboard and prioritization)

We then cap the course off by covering secure coding strategies and defense-in-depth implementation logic:

- Anti-tampering
- Code obfuscation
- SSL pinning / root detection strategies

The aim is not to create a "zero to hero" experience, but to provide a methodical approach with which participants can perform any Android application assessment. We provide students with access to a learning portal (cloud VMs), a soft copy of the slides, detailed answer sheets, and AMIs to continue learning after class.
Skills / Knowledge
- Mobile
- AppSec