Low Level Android For Researchers And Red Teamers

Cam Buchanan and Sam P

BOOK NOW

ABSTRACT

This course teaches you the tools and techniques used to work with low-level Android features and native code. It is a practical class aimed at researchers and developers who want to better understand the native Android environment or start developing their own red-teaming tools.

Students will begin by learning the architecture of Android including how APKs and native code interface, moving on to building and debugging standalone native binaries with NDK toolchains. Students will learn how to replicate the system calls of an APK from native code by working directly with Binder, the underlying information broker of Android. Students will gain experience in instrumenting and debugging native binaries with Frida and GDB, and an introduction to working with AOSP to aid research into system components. This course features a deep dive into how security is enforced in Android from sandboxed APKs to protected system services in an SELinux locked environment. The course will be a combination of practical and lecture-based sessions with examples provided throughout. The course has recently been updated to cover hwbinder and our new Binder-trace tool.

INTENDED AUDIENCE

💡
Red teamers looking to build their own Android toolsets. Researchers interested in analysing and interfacing directly with platform subsystems. Penetration testers looking to expand their low-level Android knowledge. Developers interested in understanding more about the internals of Android

KEY LEARNING OBJECTIVES

  • Setting up your Android device and PC for native research
  • How Android runs native code and how it fits into the Android architecture
  • Using ADB to look under-the-hood and explore Android processes
  • How to build, deploy, execute and debug your own native code on Android, both launched from within an APK, and from a (simulated) exploit.
  • How to use the NDK toolchain to target different architectures
  • How to communicate between the native and Java environments using JNI
  • The differences between developing for emulators and real devices
  • Accessing device data from native code
  • Android's security measures and how they limit what you can do
  • How to use common Android reverse engineering tools to investigate and instrument native code
  • How to interface with hwbinder
  • How to use binder-trace

COURSE DETAILS

AGENDA

SESSION 1 - INTRODUCTION TO ANDROID

  • Android eco-system
  • Android architecture and boot process
  • Looking under the hood
  • Emulators v Devices

SESSION 2 - BUILDING AND DEBUGGING NATIVE CODE IN APKS

  • APK form and format
  • Native code in APKs
  • Debugging in Android Studio

SESSION 3 - BUILDING AND DEBUGGING CODE WITHOUT ANDROID STUDIO

  • What is the NDK
  • Building native code with the NDK
  • Debugging native code outside APKs
  • Debugging native code inside APKs

SESSION 4 - INTERACTING WITH THE ANDROID OS

  • How to get data from different places on a device
  • Introduction to Binder
  • Working with Binder
  • Working with hwbinder
  • Working with intents
  • Using binder-trace

SESSION 5 - ANDROID SECURITY MEASURES

  • SELinux
  • App signing
  • Partitions
  • App sandboxing

SESSION 6 - REVERSE ENGINEERING

  • Working with Frida
  • Researching into AOSP
  • Editing AOSP

SESSION 7 - WRAP-UP AND FINAL EXERCISE

  • Open Q&A
  • End exercise

KNOWLEDGE PREQUISITES

  • Some experience in working with Android, development, research or penetration testing.
  • Some experience in C/C++ and basic development skills.
  • Basic Linux knowledge, able to carry out basic commands.

REQUIREMENTS

HARDWARE

  • A Windows or Linux device with root/administrator rights.

SOFTWARE

  • Android Studio and AVD
  • Docker
  • Whilst most of the course will be taught using AVD virtual machines, students are encouraged to bring a physical Android phone to gain experience working with real devices.

ABOUT THE TRAINERS

Cam Buchanan is a director of Foundry Zero, a cyber security consultancy and training company.

With 10 years of experience in cyber security, Cam has had multiple roles from penetration tester to software engineer with a focus on research. He has performed large scale penetration testing exercises and written multiple books about the subject.

Having worked with android across his entire career with a focus on low-level research into native vulnerabilities, cam is experienced in taking apart android libraries and investigating deep into the android OS.

Sam P is a senior software engineer at foundry zero, a cyber security consultancy and training company. Sam has worked within cyber security since 2012 across multiple roles as both a researcher and software engineer, leading teams delivering cutting edge research and developing software solutions.

He has spent his career working on low-level native solutions and platforms, including embedded systems, wearables and mobile.

Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated