Chapter 8. Client-Side Attacks – Dynamic Analysis Techniques
In the previous chapter, we covered client-side attacks associated with Android applications that we often see with Android apps from a static analysis perspective. In this chapter, we will cover same client-side attacks from a dynamic application security testing (DAST) perspective and will also see some automated tools. As mentioned in the previous chapter, to successfully execute most of the attacks covered in this chapter, an attacker needs to convince the victim to install a malicious application in his/her phone. Additionally, it is also possible for an attacker to successfully exploit the apps if he has physical access to the device.
Following are some of the major topics that we will discuss in this chapter:
Attacking debuggable applications
Hooking using Xposed framework
Dynamic instrumentation using Frida
Automated assessments with Introspy
Automated assessments with Drozer
Attacking app components
Injection attacks
File inclusion...