Time: 30 minutes
Difficulty: Beginner
CEU/CPE: 1

Video Transcription

00:00
Hey, everyone, it's Ken Underhill, Master Instructor at Cybrary. In this video, we're gonna talk about mobile security. So just a quick pre-assessment question here. David's performing a security assessment of an Android phone. He knows that the preferred tool to use in this situation is idb. Is that true or false?
00:19
All right, so we know that's false, right, if you watched the last video. Now, if you got that wrong, be sure to pause this video. Go back to the last video, because we did talk about that. idb is for iOS devices and not for Android devices.
00:31
So with our Android testing, what kind of things do we need to set up? Well, we need a Windows laptop, and with that Windows laptop, we need to have local admin privileges, which in most cases, if we're setting this up as a pen tester, we'll already have that in place.
00:45
If we're going to be using a rooted Android device, if we're gonna be taking like an Android phone and using that, then we're gonna need a USB cable or some other type of connecting cable to connect it to the laptop. However, if we're going to be using some type of emulator, then we don't need to worry about the cable.
01:02
We, of course, are gonna need Android Studio, which is gonna be the development environment. So that way we can reverse our code and take a look at things. And then, of course, I mentioned the rooted Android device, and then we need a DIVA. So not Beyoncé, but a different kind of diva. We need the Damn Insecure and Vulnerable App, which, as we've talked about, these are
01:19
deliberately vulnerable applications that we can test against
01:23
to practice our skills without attacking someone else's device.
01:29
So we talked about rooting Android devices. There's many, many tools out there to do so. Some of the most popular ones are probably gonna be Wondershare and Kingo, and as I mentioned before, all the tools that I mentioned, I'm gonna list out links in the resources section of the course. So just look for the document labeled as Module seven
01:49
mobile security that's gonna have all of these listed out for you.
01:52
You can go explore them. I recommend you do everything inside of a virtual environment. So if that's out of the scope of what you know right now, just keep practicing your skills and learning more, and you'll be able to set that up. There's many, many videos out there that can walk you through how to get that type of stuff set up. And then, as I mentioned, emulators. So Genymotion is a popular one.
02:10
Keep in mind with, like, Genymotion, there's actually a
02:14
cost involved with that. So if you're looking for free stuff, just make sure you take a look out there to find that. But Genymotion is gonna be a paid type of emulator for you to use.
02:23
And as far as testing the actual Android devices goes, APK Studio is an important one to have for static analysis. So that's a reverse engineering tool. So we can basically break down Android apps and then rebuild them if we want to, and that allows us to actually see what the app does. So just think static analysis there.
02:43
And then we've got Drozer, which is another tool we can use, essentially a security auditing
02:46
framework. So think dynamic analysis there, so it allows us to find vulnerabilities and then also do what's called validate them. So that's kind of a differentiating factor between, like, a vulnerability scan versus a penetration test, is we're verifying or validating
03:05
these vulnerabilities that they can actually be exploited.
03:08
So I know that little last part there was kind of outside the scope of this fundamental course, but just understand that that's the whole purpose of doing this. Using this type of tool and doing this type of dynamic analysis with a tool like Drozer is so that way we could find vulnerabilities and then also exploit them to validate those vulnerabilities
03:28
on that particular organization's network or devices.
03:32
So just a quick post-assessment question here. As I mentioned, this is gonna be a very short video. So today shows the junior pen tester she's got a very tough decision to make. She doesn't really want to use her own Android phone to practice her mobile pen testing skills, which she shouldn't, right? We talked about that, that you may actually end up breaking your phone, so we don't want to do that. So what's another option that she could use?
03:54
All right, and some people out there are probably yelling at the screen here saying, "Use somebody else's phone." That's a good idea. But let's say that she doesn't have access to someone else's phone or she doesn't have permission to use someone else's phone, then the correct answer here would be the emulator. So that is one option that she could use to just kind of practice her skills a little bit.

Mobile Security Fundamentals

In Mobile Security Fundamentals, Ken Underhill discusses iOS security architecture and goes into depth about code signing, sandbox, and exploit mitigations. In addition to recognizing & scanning vulnerabilities, secure boot chain is explained through tools such as Wondershare & Kingo.

Instructed By

Ken Underhill
Master Instructor at Cybrary