Training ARM Android Xploitation

From BruCON 2014

ARM Android Xploitation by Aseem Jakhar & Aditya Gupta

Course Description

ARM Android Xploitation training takes one of the finest operating systems used for smartphones, a.k.a. Android, and tears it apart. As the name suggests, the training takes a deep dive into all the components of Android, starting right from ARM assembly, shellcoding, buffer overflows, OS security, the app security model and reverse engineering, through to app security and exploitation. ARM Android Xploitation is specifically designed around hands-on work and exercises so that trainees grasp the intrinsic technical details of Android.

This unique hands-on training covers real-world aspects of exploitation: finding vulnerabilities in Android applications, bypassing the protections in place and exploiting ARM-based devices. At the end of this training, attendees will be able to find vulnerabilities, audit any Android application, create an automated pentest environment and exploit their devices. An open source, customized distribution for Android development and security testing, known as Android Tamer, is also provided with the training material. The training gives trainees a base from which to develop security research expertise on the Android platform, well beyond conventional security testing skills.

Who should attend?

  • Information security professionals
  • Security researchers and penetration testers
  • Anyone with interest in Android security
  • Android developers/QA



  • Interactive hands-on training session
  • Code analysis, trial and errors
  • Reversing and Analysing Android Applications
  • Android Malware Analysis
  • Android App Auditing
  • Getting familiar with the ARM Android platform


  • Becoming an Android hacker overnight. Use the knowledge gained and research further to master the platform.
  • Being able to track cyber hackers using Android platforms.

Course Contents

Day 1

Module 1 - Introduction to Android

  • What is Android?
  • The architecture
  • Getting the Android source
  • Setting up the Android Pentest environment

Module 2: Android Native Dev Primer

  • NDK
  • Introduction to ADB
  • Compiling C code
  • Assembly code
  • Execution
  • Debugging

Module 3: System Architecture

  • The Linux Lineage
  • File System and Hierarchy
  • Radio Interface Layer

Module 4: Application Architecture

  • Dalvik Virtual Machine
  • Dex Format
  • Application components

Module 5 - ARM Assembly

  • ARM overview
  • Processor modes
  • Registers
  • Instruction set
  • Stack implementation
  • System call convention
  • Procedure call convention
  • Exercises

Module 6 - ARM Shellcode primer

  • Introduction
  • System interaction
  • Relative addressing
  • Four byte hell
  • Null byte hell
  • ARM-THUMB state transition
  • Exercises

Module 7 - Buffer overflow Primer

  • Buffer overflow 101
  • The ARM/Linux stack
  • Stack overflow
  • Controlling the flow of execution
  • Ret2libc
  • ARM-THUMB state transition example
  • Exercises

Day 2

Module 8 - Indroid - Code Injection

  • Borrowing from Windows
  • Linux Ptrace
  • Library Injection
  • Indroid
  • Memory Allocation and Execution
  • Threadification
  • Payload
  • The API
  • Putting it all together i.e. DIY Injection

Module 9 - Android Security Architecture

  • Kernel Protection
  • File System based protection
  • Application Sandboxing
  • Permissions

Module 10: Intro to Android Pentesting

  • Traffic Interception (Active and Passive)
  • Infecting legitimate applications
  • Introduction to AFE - Android Framework for Exploitation
  • Using DroidSE to pentest applications

Module 11: Android Reversing

  • Reverse Engineering Android Application
  • APK Tool and Dex2Jar with JD GUI
  • Analyzing Android Root Exploits
  • Introduction to Android Forensics
  • Data Extraction from Android smartphones
  • Analysing Android Malwares
  • Introduction to IDA
  • IDA for Android Analysis

Day 3

Module 12: App Auditing

  • OWASP Top 10 for Mobile
  • Exploiting Leaking content provider
  • SQLite based vulnerabilities
  • Injection based attacks
  • Authorisation and Authentication vulnerabilities
  • LFI/Directory traversal vulnerabilities in android apps
  • Using Drozer to audit applications
  • Extending drozer by creating custom modules
  • Automating Application Auditing
  • MDM and BYOD Security Issues

Module 13: Lesser Known Android Vulnerabilities

  • WebView vulnerabilities in Android
  • Exploiting Ad Libraries
  • Cross Application Scripting
  • Exploiting applications by Chaining vulnerabilities
  • Exploiting Android Backups
  • Vulnerabilities in HTML5 Android Applications


Students should have:

  • Basic knowledge of Linux command line
  • Basic knowledge of C
  • Passion to learn ARM and Android security

It is assumed that attendees will not have any prior experience of ARM assembly and programming; x86 assembly knowledge will be a plus.

Hardware and Software

  • Bring your own laptop
  • 15+ GB free hard disk space
  • 2+ GB RAM
  • VMware Player/VirtualBox installed on the system

Trainer Biography
Aseem Jakhar is the Director of Research at Payatu Technologies Pvt Ltd, a boutique security testing company, and the founder of the nullcon security conference. He has extensive experience in system programming, security research, consulting and managing security software development projects. He has worked on various security software products, including UTM appliances, messaging/security appliances, an anti-spam engine, anti-virus software, a multicast packet reflector, a transparent HTTPS proxy with captive portal and a Bayesian spam filter, to name a few. He is an active speaker at security and open source conferences; some of the conferences he has spoken at include AusCERT, Defcon, Blackhat, Xcon, Cyber Security Summit, Cocon, OSI Days, Clubhack and Gnunify.

His research includes Linux remote thread injection, automated web application detection and dynamic web filtering. He is the author of the open source Linux thread injection kit Jugaad and of Indroid, which demonstrate a stealthy in-memory malware infection technique. He is well known in the hacking and security community as the founder of null - The Open Security Community, a registered not-for-profit organization.


Aditya Gupta is the founder of Attify, and a leading mobile security expert and evangelist. Apart from being the lead developer and co-creator of the Android Framework for Exploitation, he has done a lot of in-depth research on the security of mobile devices, including Android, iOS and Blackberry, as well as BYOD enterprise security. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe, Skype and many more. In his previous work at, his main responsibilities were to look after web application security and lead security automation. He also developed several internal security tools for the organisation to handle security issues. In his work with XYSEC, he was committed to performing VAPT and mobile security analysis. He has also been working with various organisations and government clients in India, providing them with trainings and services on mobile security, exploit development and advanced web app hacking.

He also gives talks and trainings on mobile security at various national and international conferences such as Syscan, Toorcon, OWASP AppSec, BlackHat, ClubHack, Nullcon, ISACA, etc.

Mon. 22 - Wed. 24 September 2014 (09:00 - 17:00)
