Chapter 1, Getting Started with Android Security, teaches readers the basics of Android security architecture. It will discuss Permission Models and how permissions are enforced in applications. It will also talk about Dalvik Virtual Environment and the application APK basics.

Chapter 2, Preparing the Battlefield, provides the reader with a step-by-step process to set up a penetration testing environment to perform Android pentesting. It will also talk about Android Debug Bridge, as well as some of the important tools required for pentesting Android.

Chapter 3, Reversing and Auditing Android Apps, covers some of the methods and techniques that are used to reverse the Android applications. It will also discuss different tools, which could help a penetration tester in Android application auditing. Also, it will list the various kinds of vulnerabilities existing in Android applications, (the ones that put the user's data at risk).

Chapter 4, Traffic Analysis for Android Devices, covers the interception of traffic in applications on the Android device. It explains both the active and passive ways of intercepting the traffic, as well as intercepting both HTTP and HTTPS network traffic. It will also look at how to capture traffic and analyze its services as one of the most useful steps for application auditing on the Android platform.

Chapter 5, Android Forensics, starts with a basic walkthrough of Android Forensics, and takes the reader through various techniques of data extraction on Android-based smartphones. It will cover both logical and physical acquisition of forensic data, as well as the tools that could ease the process of data extraction.

Chapter 6, Playing with SQLite, helps the reader to gain an in-depth knowledge of the SQLite databases used by Android to store data. Often, due to the mistakes made by developers, the SQLite query accepts unsanitized input, or is not used without proper permissions, which leads to injection attacks.

Chapter 7, Lesser-known Android Attacks, covers various lesser-known techniques helpful in Android penetration testing. It will include topics such as WebView vulnerabilities and exploitation, infecting legitimate applications, and cross application scripting.

Chapter 8, ARM Exploitation, allows readers to gain introductory exploitation knowledge about the ARM platform on which most smartphones run today. Readers will learn about ARM assembly, as well as exploiting Buffer Overflows, Ret2Libc, and ROP.

Chapter 9, Writing the Pentest Report, provides a short walkthrough on how to write reports to audit an Android application. It takes the reader through various components of a pentesting report one-by-one, and finally helps them build a penetration testing report.

In order to follow this book, you will need to have the following software tools in your computer. Also, a step-by-step walkthrough of how to download and install the tools will be provided in the chapter, wherever required.

The following is a list of the software applications required for this book:

This book is for you if you are a security professional who is interested in entering into Android security, and getting an introduction and hands-on experience of various tools and methods in order to perform Android penetration testing.

Also, this book will be useful for Android application developers, as well as anyone inclined towards Android security.

In this book, you will find a number of styles of text that distinguish between different kinds of information. The following are some examples of these styles, and an explanation of their meaning:

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows:

"Now, just like we saw in the earlier section, the application will store its data in the location /data/data/[package name]."

A block of code is set as follows:

shell@android:/data # cd /data/system
shell@android:/data/system # rm gesture.key

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    <permission name="android.permission.BLUETOOTH" >
        <group gid="net_bt" />
    </permission>

Any command-line input or output is written as follows:

$ unzip testing.apk
$ cd META-INF

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like the following:

"You could set up your own pattern by navigating to Settings | Security | Screen Lock."

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.