Low Level Android for Researchers and Red Teamers


Cam Buchanan and Tim P


This course teaches you the tools and techniques used to work with low-level Android features and native code. It is a practical class aimed at researchers and developers who want to better understand the native Android environment or start developing their own red-teaming tools.

Students will begin by learning the architecture of Android including how APKs and native code interface, moving on to building and debugging standalone native binaries with NDK toolchains. Students will learn how to replicate the system calls of an APK from native code by working directly with Binder, the underlying information broker of Android. Students will gain experience in instrumenting and debugging native binaries with Frida and GDB, and an introduction to working with AOSP to aid research into system components. This course features a deep dive into how security is enforced in Android from sandboxed APKs to protected system services in an SELinux locked environment. The course will be a combination of practical and lecture-based sessions with examples provided throughout.

Course Topics

  • Setting up your Android device and PC for native research
  • How Android runs native code and how it fits into the Android architecture
  • Using ADB to look under-the-hood and explore Android processes
  • How to build, deploy, execute and debug your own native code on Android, both
    • launched from within an APK, and
    • from a (simulated) exploit.
  • How to use the NDK toolchain to target different architectures
  • How to communicate between the native and Java environments using JNI
  • The differences between developing for emulators and real devices
  • Accessing device data from native code
  • Android's security measures and how they limit what you can do
  • How to use common Android reverse engineering tools to investigate and instrument native code

Detailed Agenda

Session 1 - Introduction to Android

  • Android eco-system
  • Android architecture and boot process
  • Looking under the hood
  • Emulators v Devices

Session 2 - Building and Debugging native code in APKs

  • APK form and format
  • Native code in APKs
  • Debugging in Android Studio

Session 3 - Building and Debugging code without Android Studio

  • What is the NDK
  • Building native code with the NDK
  • Debugging native code outside APKs
  • Debugging native code inside APKs

Session 4 - Interacting with the Android OS

  • How to get data from different places on a device
  • Introduction to Binder
  • Working with Binder
  • Working with intents

Session 5 - Android Security Measures

  • SELinux
  • App signing
  • Partitions
  • App sandboxing

Session 6 - Reverse Engineering

  • Working with Frida
  • Researching into AOSP
  • Editing AOSP

Session 7 - Wrap-up and final exercise

  • Open Q&A
  • End exercise

Who Should Attend

  • Red teamers looking to build their own Android toolsets
  • Researchers interested in analysing and interfacing directly with platform subsystems
  • Penetration testers looking to expand their low-level Android knowledge
  • Developers interested in understanding more about the internals of Android


  • Some experience in working with Android, development, research or penetration testing.
  • Some experience in C/C++ and basic development skills.
  • Basic Linux knowledge, able to carry out basic commands.

System Requirements

Course specifics will be distributed 2 weeks prior to the course however, the following will be helpful:

  • A Windows or Linux device with root/administrator rights.
  • Android Studio and AVD
  • Docker

Whilst most of the course will be taught using AVD virtual machines, students are encouraged to bring a physical Android phone to gain experience working with real devices.