Learning Pentesting for Android Devices -- Table of Contents -- Learning Pentesting for Android Devices -- Credits -- Foreword -- About the Author -- Acknowledgments -- About the Reviewers -- www.PacktPub.com -- Support files, eBooks, discount offers, and more -- Why subscribe? -- Free access for Packt account holders -- Preface -- What this book covers -- What you need for this book -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Downloading the example code -- Downloading the color images of the book -- Errata -- Piracy -- Questions -- 1. Getting Started with Android Security -- Introduction to Android -- Digging deeper into Android -- Sandboxing and the permission model -- Application signing -- Android startup process -- Summary -- 2. Preparing the Battlefield -- Setting up the development environment -- Creating an Android virtual device -- Useful utilities for Android Pentest -- Android Debug Bridge -- Burp Suite -- APKTool -- Summary -- 3. Reversing and Auditing Android Apps -- Android application teardown -- Reversing an Android application -- Using Apktool to reverse an Android application -- Auditing Android applications -- Content provider leakage -- Insecure file storage -- Path traversal vulnerability or local file inclusion -- Client-side injection attacks -- OWASP top 10 vulnerabilities for mobiles -- Summary -- 4. Traffic Analysis for Android Devices -- Android traffic interception -- Ways to analyze Android traffic -- Passive analysis -- Active analysis -- HTTPS Proxy interception -- Other ways to intercept SSL traffic -- Extracting sensitive files with packet capture -- Summary -- 5. Android Forensics -- Types of forensics -- Filesystems -- Android filesystem partitions -- Using dd to extract data -- Using a custom recovery image -- Using Andriller to extract an application's data.

Using AFLogical to extract contacts, calls, and text messages -- Dumping application databases manually -- Logging the logcat -- Using backup to extract an application's data -- Summary -- 6. Playing with SQLite -- Understanding SQLite in depth -- Analyzing a simple application using SQLite -- Security vulnerability -- Summary -- 7. Lesser-known Android Attacks -- Android WebView vulnerability -- Using WebView in the application -- Identifying the vulnerability -- Infecting legitimate APKs -- Vulnerabilities in ad libraries -- Cross-Application Scripting in Android -- Summary -- 8. ARM Exploitation -- Introduction to ARM architecture -- Execution modes -- Setting up the environment -- Simple stack-based buffer overflow -- Return-oriented programming -- Android root exploits -- Summary -- 9. Writing the Pentest Report -- Basics of a penetration testing report -- Writing the pentest report -- Executive summary -- Vulnerabilities -- Scope of the work -- Tools used -- Testing methodologies followed -- Recommendations -- Conclusion -- Appendix -- Summary -- Security Audit of -- Attify's Vulnerable App -- Table of Contents -- 1. Introduction -- 1.1 Executive Summary -- 1.2 Scope of the Work -- 1.3 Summary of Vulnerabilities -- 2. Auditing and Methodology -- 2.1 Tools Used -- 2.2 Vulnerabilities -- Issue #1: Injection vulnerabilities in the Android application -- Issue #2: Vulnerability in the WebView component -- Issue #3: No/Weak encryption -- Issue #4: Vulnerable content providers -- 3. Conclusions -- 3.1 Conclusions -- 3.2 Recommendations -- Index.