
Android For Pentesters

Android for Pentesters aims to provide a holistic Android app security guideline with a control checklist. It lists the best practices to protect applications from malware attacks. This training covers the entire Android application security model for both developers and users.

Enterprises develop Android applications at breakneck speed to meet business needs, yet they fail to consider Android security as part of their app development focus.

With the Android for Pentesters training, candidates will be able to evaluate the security vulnerabilities of built-in and third-party mobile applications. You’ll learn how to bypass platform crypto and encryption, and manipulate apps to circumvent client-side security techniques. You’ll leverage automated and manual mobile application dynamic analysis tools to identify deficiencies in mobile app network traffic, file system data storage, and inter-application communication channels. Understanding and identifying vulnerabilities and threats to Android devices is a valuable skill, but it must be paired with the ability to communicate the targeted risks.

Throughout the Android for Pentesters training course, you’ll review ways to effectively communicate issues to key stakeholders. You’ll leverage pentesting tools, including Mobile App Report Card, to characterize threats for top-level people and decision-makers, while also identifying sample code and libraries that developers can use to address risks for in-house applications.

Mobile device deployments introduce new threats to enterprises, including advanced malware, data leaks, and the disclosure to attackers of organization secrets, intellectual property, and personally identifiable information data assets. Further complicating matters, there are not enough people with the security skills needed to identify and manage secure mobile phone and tablet deployments. By completing this certified Android for Pentesters training course, you’ll be able to differentiate yourself as someone who is prepared to evaluate the security of Android devices, effectively assess and identify flaws in Android applications, and conduct an Android device penetration test – all critical skills to protect and defend mobile device deployments.

Android For Pentesters - APS-101 1









Module 1: Essentials of Android exploitation and security
  • Mobile device overview
  • Android Architecture and Security Models
  • Mobile security frameworks and methodologies
  • Android Application Threat modeling
  • Android application security checklist for pentesters
  • BYOD guidelines in the organizations
  • Setting up lab OS and environments for the Android Security testing
Module 2: Static code analysis of Android applications
  • Reverse engineering of Android APKs
  • Analyzing permissions from manifest.xml files
  • Static code review of Android applications
    • Insecure Hardcoding – API Keys Leakage
    • Insecure Hardcoding – Authentication Token
    • Insecure Hardcoding – Internal IP Disclosure
    • Insecure Hardcoding – Git Repository Disclosure
    • Insecure Hardcoding – Embedded Third-Party Secrets
    • Insecure Hardcoding – Sensitive Information Disclosure
    • Clear text data in Logs
    • Race Conditions in the vulnerable code
    • Insecure Java functions in application code
    • Weak encryption implementation detections
    • Weak Hashing Algorithms
    • Predictable Random Number Generators (PRNG)
    • Weak Encryption Implementation (AES-ECB)
    • Weak Initialization Vectors (IV) (AES-CBC)
    • Weak Encoding identification in the code
    • Untrusted CA acceptance
    • Usage of banned API functions
    • Self-signed CA enabled in WebView
    • Cleartext SQLite database
    • Temporary file creation
    • Insecure Logging mechanism
    • Android Pasteboard vulnerability
    • Android keyboard cache issues
    • Android Backup vulnerability
    • Insecure SDCard storage
    • Insecure HTTP connections
    • Parameter Manipulation
    • Developer Backdoors
    • Weak change password implementation 


Module 3: Dynamic code analysis of Android applications
  • Scanning Android applications
  • Setting up Burp Suite and Fiddler proxy for Android exploitation
  • Automating the code quality check process
  • SQL injection in Android applications
  • Local file inclusion
  • Cross-site scripting attack
  • HTML injection in Android apps
  • Remote code execution in Android apps
  • Application-level denial-of-service attack
  • Flawed Broadcast Receivers
  • Intent Sniffing and Injection
  • Weak Authorization mechanism
  • Session related vulnerabilities
  • Business logic vulnerabilities
  • Transport layer security implementation
  • Man-In-The-Middle Attack
  • Remote URL load in WebView
  • Object deserialization
  • Authorization / Authentication checks
  • Weak server-side controls
Module 4: Beyond Android exploitation security testing
  • Setting up Frida and JDWP
  • Use case – Google Firebase database leaks
  • Use case – Android deep linking vulnerability
  • Bypass One Time Verification Codes
  • OTP SMS or Voice Code Leaked in Response
  • Bypass Second Factor Authentication (2FA)
  • Brute forcing Android apps
  • Improper Session Handling
  • Leakage of API Auth Tokens
  • Improper Restriction of Misconfigured API
  • Improper Restriction of Unprotected APIs Endpoint
  • Transporting API Auth tokens as Cleartext Allowed
  • Insufficient Anti Automation – Registration
  • Insufficient Anti Automation – Login (static)
  • Insufficient Anti Automation – Password Reset Function
  • Tapjacking Vulnerability
  • Remote Wipe Vulnerability
  • Use case – AAPT Time Zone Disclosure Bug
  • Use case – Android Master Key vulnerability
  • Use case – Address Bar Spoofing Vulnerability
  • Use case – Samsung S20 RCE bug
  • Use case – RCE via insecure kramdown configuration
  • Signing an Android Application Manually
  • Android SSL Verification and Certificate Pinning
  • Bypass SSL Pinning to Perform Active Man-in-the-Middle
Module 5: Secure application development & reporting
  • Android secure code guidelines
  • SSL unpinning
  • Debugging detection and prevention
  • Root detection and defenses
  • Investigating malfunctioned applications
  • Android application security report writing guidelines


Who should attend this training?
  • Freshers
  • Ethical hackers
  • System Administrators
  • Network Administrators
  • Engineers
  • Web admins
  • Auditors
  • Security Professionals

Why should I take this training?

Technology is growing every day, but dependence on it has also increased cyber fraud and attacks. To defend yourself and your business, this is the most suitable training for entering this domain.

Prerequisites for the training?

The person should be familiar with basic computer operations.

What is the total duration of the training?

It’s an instructor-led online training, and the total duration of the training is 20 hours.


Our clients

Today I’ve completed my one 2 one online training by Mr Naresh sir from Certcube Labs.
This is the first time I have attended a class in this format and wondered how effective it would be. It was very effective and therefore I would definitely be interested in attending other classes in the same format. The instructor was very knowledgeable and provided a wealth of information about the current version, especially since the last version I used was several releases ago.
Satyam Singh

BCA, Delhi University

A good place to learn every small detail in cybersecurity. Really nice and helpful teacher.

Btech, BITS Mesra
