Reviewing book – Learning Pentesting for Android Devices
My personal background in computer security, penetration testing and vulnerability assessment started in my early age when I explored the world of programming, and later on practiced it more regularly when I adopted the GNU/Linux operating system. Back then, planting backdoors and holes in Loadable Kernel Modules (LKM) in Linux was an exciting journey to explore.
In the spirit of software security, in the past week I’ve been reading through PacktPub’s Learning Pentesting for Android Devices title, which is a first dive for me into the world of mobile security forensics.
The first chapter swiftly beings by introducing the reader to the Android mobile OS, scanning through the architecture layers, OS libraries, and an overview of the underlying modified Linux kernel with adoption to mobile devices. At this point already, the target audience of the book becomes quite clear – the author is aiming this book towards readers with previous security industry experience and familiarity with programming and Linux OS (or general OS architecture).
The follow-up chapters enable a more hands-on experience with an actual Android emulated environment and the author takes the reader through a review of series security related tools and begins a more in-depth security analysis in Chapter 3, such as reverse engineering Android apps with various tools (dex2jar and apktool) and exploring some well known attack vectors like path directory traversal, client-side injections and Android environment-specific vulnerabilities.
Chapter 4 is entirely dedicated to exploring network security forensics, covering various ways to sniff network traffic and perform man-in-the-middle SSL interception, where the author employs familiar tools like tcpdump and wireshark.
Last chapters are reviewing other aspects of exploiting the Android operating system, including a dedicated chapter for ARM based exploitation and old school buffer overflow review. To conclude the book, the author describes the security report document and provides template with an actual report example.
In an overall impression, the book is geared towards security professionals with experience in the mobile platforms, although Android application developers with a little bit of security experience or will to learn would benefit from this book. If you fall under any of these categories, then the author Aditya Gupta has done a great job in providing you with good reference of security tools, security overview of the Android OS and general vulnerabilities and methods of attack to be aware of.