Pentesting Exploits Noted In Smartphones (Android Edition)

posted by Sauron and Last Post: 15 days ago


Sauron Retired
#1
Requirements
- Either a rooted physical Android device running at least Android 12, or the ability to run an Android emulator within Android Studio
- How to set up a hooking environment, preferably with Frida
- Have beginner-level experience hooking into Android applications
- Understanding of what the External Storage is and how it works
- What the different types of IPCs are in Android (Activity / Content Provider / Service / etc.)

Description
Are you an Android penetration tester looking to expand your skill set beyond the usual vulnerabilities and dive deep into the more advanced areas of Android security? This hands-on course is precisely for you.

It’s not just about examining exported activities and keystore access. This course delves into the intricacies of how Android applications communicate with each other. You’ll see firsthand how a malicious application can exploit misconfigurations in Intents, Content Providers, and other components to compromise or abuse target apps.

Using our Axolotl test application, created specifically for this course, you’ll practice building your own “attacker” application designed to exploit each discovered vulnerability. Real-life examples will help you connect the dots between theoretical knowledge and practical attacks frequently encountered in the wild. By the end, you’ll not only have honed your existing penetration testing expertise, but also gained the highly specialized insight needed to tackle loopholes in Android apps.

What this course covers:

Intent Mechanics: Explore `getIntent()`, Browsable Intents, NFC tag exploits, and MIME-type hijacking.

Unexported Content Providers: Abuse `grantUriPermissions` in ways typical testing overlooks.

WebView Vulnerabilities: Understand JavaScript Bridge threats, file access tricks, and Cross-Origin policy flaws.

Custom Permissions: Delve into custom permission structures for exploitation scenarios.

Loading Custom DEX Files: Dynamically inject malicious code into target apps to bypass security measures.

If you already understand the foundations of Android penetration testing and want to push the limits by exploring additional vulnerabilities and attack surfaces, this course is your gateway to the cutting edge of Android security.

Who this course is for:
- People that have done *some* Android application penetration testing, such as for pentesting client engagements, but want to learn about exploiting more obscure Android behaviors.
- People that understand what an "exported Activity" is, but don't really understand how it can be used in a malicious way.
- People that have done some Frida scripting to finish some of the public Android training apps (like DIVA).


Yaya Until Further Notice I Am Retired Yaya
thewatcher Junior Member
#2
ty