This video helps you plan your approach to testing Android applications. There are many ways to go about Android pentesting; here you take up a three-phase approach: static application security testing (SAST), dynamic application security testing (DAST), and platform interaction testing, which the instructor frames as the three domains of code security, communication security, and platform interaction.
- [Instructor] Now that we have established the differences between web and Android application testing, let us analyze the different domains of Android application security. Primarily, there are three domains of Android application security. First is code security. Under code security, we check the quality of the code of the application file. We check if there are hard-coded IP addresses, credentials, weak cryptographic libraries, insecure certificates, or any other vulnerability associated with poor coding practices in the code of the Android application. Second is communication security. Under communication security, we check how the application interacts with the server. Here, we test for vulnerabilities in the authentication, authorization, session management, and other dynamic parameters used in the interaction between the application and the server. This portion is basically similar to what we do using Burp Suite for web applications. The third, and the last, is platform interaction testing. Under this, we check how the application interacts with the Android device. Here we check for leakage of sensitive information, like usernames, passwords, or any other confidential data, from the application to the Android device or to any other application installed on that Android device. In the coming sessions, we will be covering each of these domains in greater detail.
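The code-security checks the instructor lists (hard-coded IP addresses and credentials, weak cryptographic primitives, certificate handling that disables validation) are exactly what a static scan of the decompiled APK looks for before a tool such as MobSF or a manual review goes deeper. The script below is an added example written for this page, not code from the course or from MobSF: it walks a directory of decompiled sources and reports those four classes of finding. The pattern list, category names, and the two Java source files it scans are constructed for the demonstration and are assumptions of the example; the patterns are deliberately simple and will produce false positives that need manual triage.

```python
"""Added example (not from the course): a minimal static pass over decompiled
Android sources of the kind described under 'code security'. It flags
hard-coded IPv4 addresses, hard-coded credentials, weak cryptographic
primitives, and custom TrustManager / hostname-verifier code that is worth
a manual look. The two sample Java files below are constructed."""
import os
import re
import tempfile

# (category, regex) pairs. Names and patterns are this example's own choices,
# not a published ruleset; extend them for the target app.
PATTERNS = [
    ("hardcoded-ip",
     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("hardcoded-credential",
     re.compile(r'(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*=\s*"[^"]+"')),
    ("weak-crypto",
     re.compile(r'(?:MessageDigest\.getInstance\("(?:MD5|SHA-?1)"\)'
                r'|Cipher\.getInstance\("(?:DES|RC4|AES/ECB)[^"]*"\))')),
    ("insecure-tls",
     re.compile(r"implements\s+X509TrustManager|ALLOW_ALL_HOSTNAME_VERIFIER")),
]


def _valid_ipv4(candidate):
    """Reject dotted strings such as version numbers whose octets exceed 255."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def scan_source(text, path="<memory>"):
    """Return a list of (path, line_no, category, matched_text) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS:
            for match in pattern.finditer(line):
                if category == "hardcoded-ip" and not _valid_ipv4(match.group(0)):
                    continue
                findings.append((path, line_no, category, match.group(0)))
    return findings


def scan_tree(root, exts=(".java", ".kt", ".smali", ".xml")):
    """Scan every source-like file under root (e.g. a jadx output directory)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


# Constructed sample sources standing in for decompiled app code.
SAMPLE_SOURCES = {
    "ApiClient.java": '''\
package com.example.app;
public class ApiClient {
    // build 300.12.1.0  (looks like an address but is not one: octet > 255)
    private static final String HOST = "10.0.2.2";
    private static final String API_KEY = "sk_live_0123456789";
    static byte[] digest(byte[] d) throws Exception {
        return java.security.MessageDigest.getInstance("MD5").digest(d);
    }
}
''',
    "TrustAll.java": '''\
package com.example.app;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
''',
}


def demo():
    """Write the constructed samples to a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "com", "example", "app")
        os.makedirs(pkg)
        for name, src in SAMPLE_SOURCES.items():
            with open(os.path.join(pkg, name), "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_tree(root)


if __name__ == "__main__":
    for path, line_no, category, text in demo():
        print(f"{os.path.basename(path)}:{line_no}: [{category}] {text}")
```

On the constructed samples the scan reports the emulator host address, the API key, the MD5 digest, and the custom TrustManager, while the version-like comment is filtered out by the octet check. Run it against a real jadx or apktool output directory by calling `scan_tree("<decompiled-dir>")`; every finding still needs a human to decide whether it is exploitable, which is the point of the manual review that follows the tool run.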
- Web vs. Android security
- Domains of Android security
- Code-level security
- Static application testing with MobSF
- Dynamic application testing with Burp Suite
- Platform interaction testing