Reverse Engineering Mobile Apps

Sam Bowne

Submitting Projects

CCSF students must do these things to get credit:

  • Perform the project steps until you find a flag
  • Capture a whole-desktop image showing the flag
  • Outline or highlight the flag in the image
  • Submit the image in the appropriate Project in Canvas
  • Type the flag into the text field

Android Emulator Setup


Any OS

M 140: Android Studio Emulator 15
M 141: Burp with Android Studio's Emulator 20
M 142: Rooting Android Studio's Emulator 15 extra
M 105: Plaintext Login (Updated 3-26-2021) 15
M 107: GenieMD Broken SSL (Harvard & IBM)    15 + 40 extra
M 111: Debian Linux Virtual Machine    15
M 108: Kali Virtual Machine not recommended 15 extra
M 109: Broken SSL 30 extra
M 120: Burp and Android 8 10 extra
Download Kali VM

Alternative Android Emulators

Not Recommended

Mac or Linux

M 101: Genymotion 15
M 103: Burp 20

Windows

Do M 108 first
M 104: BlueStacks 15
M 106: Burp and Nox 20
M 601: Rooting BlueStacks on Windows    10 extra

ADB


Any OS

M 200: ADB with Android Studio 15
M 207: ES Explorer Command Injection    10 + 10 extra
M 210: Security Audit of an App    15 extra
M 211: Find a New App Vulnerability and Report it    50 extra

ADB for Alternative Emulators

Not Recommended

Mac or Linux

M 201: ADB on Genymotion on a Mac    15
M 202: BlueStacks on a Mac 15 extra

Windows

M203: ADB & Nox on Windows    15

Vulnerability Scanners

M 302: AndroBugs    10
M 303: Yaazhini Android Vulnerability Scanner    15 extra
M 310: Android Malware and VirusTotal    20 extra

Smali

M 401: Trojaning the Progressive App    20
M 402: mAadhaar Code Modification    20
M 404: Safeway Reversible Encryption -- REMOVED 10-28-22    
M 410: Exploiting an Android Phone with Metasploit    15 extra
M 412: Reversing FlareBear    20 extra

Attacking App Components

M 503: SomNote Vulnerable Content Provider    15
M 511: Exploiting Sieve: a Vulnerable App    20
M 512: Exploiting EVABS    55 extra
M 513: Instrumenting with Frida    15 extra
M 520: Stealing Secrets from Lastpass on Android    15 extra
M 521: Stealing Secrets from Keeper on Android    15 extra

iPhones

ED 420: Jailbreaking an iPhone with Checkra.in    15 extra
M 711: Insecure Local Storage by iPhone Apps    15 extra
M 712: Plaintext Network Transmissions by iPhone Apps    15 extra


M 140 and 141 added 8-28-22
Rearranged to deprecate alternative emulators 8-30-22
M 111 recommended, not M 108, 9-12-22
M 301 removed, M 303 added 9-26-22
M 511 added 10-3-22
M 142 added 10-7-22
M 401 updated 10-16-22
M 512 added 10-16-22
M 404 removed 10-28-22
M 410a and 503 updated and added back in 10-31-22
M 520 added 11-2-22
M 411 removed 11-7-22
M 521 added 11-8-22