Security Auditing Android Apps

2015 Community College Cyber Summit (3CS)
9-12 and 2-5 Thurs, Room 1743 (Mac Lab)
Thu, June 18, 2015 -- Sam Bowne

Entire Class Page · Home Page


Abstract

Students will set up an environment that makes it easy to test Android apps for common security flaws such as insecure data transmission, insecure file storage, and data exposure in logs and memory dumps.

We will use Android Studio, Burp, VirtualBox, Genymotion, and the Google Play Store. Students need to have laptops. Macs and Linux machines work best, but Windows can also be used.

Reference Book

"Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018 Buy from Amazon

Presentation

Android Security Auditing (pptx)
Android and iOS Vulnerabilities Research

3CS Instructions

1. Genymotion and Google Play

2. Observing the TD Ameritrade Log

3. Mayo Clinic Medical Transport App Hardcoded Password Exposure

4. Making a Signed App with Android Studio

5. Trojaning the Charles Schwab App

6. Configure Genymotion & Burp Prep for Auditing SSL Traffic

7. Maine EMS App Plaintext Data Transmission

8. GenieMD Broken SSL

Project 2: SSL Auditing Proxy

Making an SSL Auditing Proxy with a Mac, Burp, and pf
Comparing Secure and Insecure iOS Apps (not public yet)

More Projects

More Projects

Old Stuff

Project 1: Complete Android Auditing System

Do One of These

Ubuntu Prep for Android Security Auditing
Mac or Windows Prep for Android Security Auditing

Do Both of These

Making a Signed App with Android Studio
Genymotion and Google Play for Android Security Audits

Fun & Games

Observing the TD Ameritrade Log

Ameritrade APK file Maine EMS Apps Plaintext Data Transmission

Mayo Clinic Medical Transport App Hardcoded Password Exposure

Download Mayo Clinic APK

Wolf Apps LLC Security Problems

Trojaning the Charles Schwab App

Last Updated: 6-18-15 11 am