Certified Android Penetration Tester (CAPT)

Course details

Certified Android penetration testing Training will help the students and application developers to discover new techniques for android based application hacking. Android is a Linux based kernel mobile platform which had gained its popularity in mobile based smart phone devices. Due to the rise in competition organizations have adopted the new technology of android based application in order to remain in touch with their customers every time. Starting from banking industry to hospital industry every organization has shifted their focus in developing android applications to be in touch with their clients.

Just like the web based application requires periodical penetration testing android applications also requires the same as they are exposed to the same risks. Android penetration testing is the integral part of SDLC. Our Certified Android Penetration Testing Training focuses on how students and android developers can test their application before they launch it into the market. Android platform need to be secure in two levels i.e application level & device level. We will use virtual machine for testing android application with the use of different tools like Burp suite, Mallory, APK tool, Manifest explorer, Android SDK etc.

Course Content:

Lesson 1: Introduction To Android Security

Android is a Linux kernel mobile platform. Android runs on a wide range of devices, from mobile smartphones and tablets, to set-top boxes. The Android mobile operating system is dependent upon the mobile device's processer capabilities for its performance.

Lesson 2: Creating a Suitable Penetration Testing Environment

• Introduction To Custom ROMs And Kernels 
  
• Introduction to Bootloaders and Recoveries 
  
• CWM and TWRP 
  
• Flashing custom Recoveries 
  
• Flashing custom ROMs and Kernels 
  
• Introduction to CyanogenMod, AOSP, AOKP and other Android projects 
  

Lesson 3: Application dynamic run-time analysis

• Monitoring process activity 
  
• Observing file access 
  
• Monitoring network connectivity 
  
• Analyzing logs 
  
• Run time instrumentation and manipulation 
  
• Memory modification for running applications 
  

Lesson 4: Traffic analysis and manipulation

• Common Vulnerabilities Related to Traffic 
  
• Proxies and sniffers 
  
• Sensitive information transmission 
  
• Importing SSL certificates & trusted CA's 
  
• Bypassing server certificate validations 
  
• Exposing insecure traffic 
  
• Validating server certificates and avoiding man-in-the-middle 
  
• Client side certificate authentication 
  

Lesson 5: Pentesting Server-side Communication

• Common app-to-server vulnerabilities 
  
• Proxies vs Transparent Proxies 
  
• Installing Trusted CA on an Android device 
  
• Performing fuzzing on the Application Server 
  
• Testing for conventional vulnerabilities server-side (Eg. SQLi, XSS, CSRF, Cookie Hijacking etc) 
  

Lesson 6: Android Malware

• Students will be provided an Android malware sample to test and decompile and analyze 
  
• Android malware apk testing to decrypt communication 
  
• Providing Source-code of a second Android malware for manual modification and compiling 
  
• Identifying connection strings and API calls 

Lesson 7: Penetration Testing with Android

• Setting up various tools and security suites to facilitate penetration testing with an Android device 
  
• Packet sniffing and DOS attacks on Android 
  
• ARP Spoofing on Android devices 
  

Lesson 8: Vulnerability scanners

Lesson 9: Maintaining anonymity on an Android device

Lesson 10: Network Pentesting using Android devices

Lesson 11: Web Application attack techniques on Android

Lesson 12: Running Kali tools within Android devices