This tutorial is designed for ethical security professionals training to harden and test apps. It covers material from fundamentals to advanced topics (including conceptual coverage of bypass techniques and kernel-level compromises). Hands-on labs will use intentionally vulnerable APKs and isolated test environments only.
Module 0 — Intro, Legal & Lab Preparation
0.1. Course goals and target audience
0.2. Ethics, legal scope, Rules of Engagement (RoE), required written authorizations (SOW, NDA, signed consent)
0.3. Testing methodology and phases (Reconnaissance → Static Analysis → Dynamic Analysis → Exploitation → Post-exploitation → Reporting)
0.4. Lab and infrastructure: safe lab topologies, VM templates, emulators vs real devices, device farms, network isolation and rollback strategies
0.5. Safety practices to avoid accidental damage (backups, limits, emergency rollback)
Tools & resources: VirtualBox/VMware, Android Emulator, Genymotion, Real devices, Burp Suite, Wireshark, dedicated test network.
Module 1 — Android Fundamentals for Pentesters
1.1. Android architecture: Linux kernel, init, Zygote, ART/Dalvik, Binder IPC
1.2. APK anatomy: AndroidManifest.xml, classes.dex, resources, native libraries (.so), signatures and signing schemes
1.3. Android app sandboxing & permissions model
1.4. Storage types: internal storage, external storage, SharedPreferences, SQLite, ContentProviders
1.5. App components and attack surface: Activities, Services, BroadcastReceivers, ContentProviders, Intents
Tools & resources: aapt/aapt2, Android Studio, adb, documentation.
Module 2 — Reconnaissance & Information Gathering
2.1. Public recon (OSINT): Play Store, APKMirror, GitHub, developer sites, subdomains
2.2. Obtaining APKs: Play Store extraction, sideload, pulling from device (adb)
2.3. Fingerprinting: package name, certificate fingerprint, version codes, permissions list
2.4. Backend enumeration: API endpoints, hostnames, TLS configuration, CORS, endpoints discovered in static analysis
2.5. Detecting certificate pinning and attestation usage (Play Integrity / SafetyNet / Key Attestation)
Tools: MobSF, jadx, apk-downloader, mitmproxy, Burp Suite, sslyze, Shodan.
Module 3 — Static Analysis (Deep)
3.1. Decompilation with jadx / JADX-GUI: reading Java/Kotlin code patterns and control flow
3.2. AndroidManifest review: exported components, intent filters, permission misuse
3.3. Searching strings and secrets: endpoints, API keys, keys, regexes
3.4. Identifying native code (.so): symbols, JNI bridges, suspicious native logic
3.5. Detecting protections and anti-analysis: obfuscation (ProGuard/R8/DexGuard), tamper checks, integrity checks
3.6. Detecting use of attestation, keystore, hardware-backed APIs
Tools: jadx, apktool, dex2jar, strings, Ghidra, radare2, MobSF.
Module 4 — Static Hardening, Patching Concepts & Secure Design
4.1. How to annotate/comment protections found in code (what to flag)
4.2. Identify critical verification points (client vs server) and where checks occur
4.3. Defensive design patterns: server-side validation, minimal client trust, least privilege, shifting critical logic to hardware-backed/native layers
4.4. Mitigations: obfuscation, moving sensitive checks to native/hardware, code signing best practices
Tools & resources: R8/ProGuard, NDK toolchain, secure coding guidelines (OWASP MASVS).
Module 5 — Dynamic Analysis: Setup & Instrumentation
5.1. Device preparation: emulator configuration, real device setup, rooted vs non-rooted tradeoffs (conceptual)
5.2. Instrumentation basics: adb, logcat, tcpdump, strace/ltrace (conceptual)
5.3. Configuring HTTPS proxying (Burp/mitmproxy) and high-level approaches to certificate pinning testing (without step-by-step bypasses)
5.4. Installing and using runtime instrumentation tools for labs (Frida, objection) in controlled environments
5.5. Capturing runtime artifacts: logs, network captures, memory snapshots (legal and ethical handling)
Tools: adb, tcpdump, mitmproxy, Burp Suite, Frida, Objection.
Module 6 — Runtime Instrumentation & Hooking (Conceptual + Lab)
6.1. Frida architecture and concepts: how hooking works, Frida server role, Frida-Gum basics
6.2. Identifying hook targets: Java methods, native functions, network stack points, crypto/pinning functions
6.3. Typical attacker objectives with instrumentation (read secrets, bypass checks, intercept tokens) — high-level only
6.4. Controlled lab: Frida hooking exercises on intentionally vulnerable APKs (how to set goals, expected outcomes, safe artifacts to collect)
6.5. Detection of runtime instrumentation and hardening patterns (anti-Frida, integrity checks, runtime attestation)
Tools: Frida, frida-tracer, Objection, test APKs (DVIA, InsecureBankV2).
Module 7 — Bypass Techniques (High-Level) & Threat Modeling
7.1. Classification of bypasses: userland hooking & patching, native tampering, kernel compromises, network forging
7.2. Why bypasses work: trust model failures, single-point client trust, missing server validation, lack of hardware attestation
7.3. Examples of bypass strategies explained conceptually (Frida hooks, APK patching, forging attestation responses) — no operational steps for real targets
7.4. Kernel-level vs userland tradeoffs: what each enables and why kernel compromises (e.g., KernelSU) are game-changing
7.5. Defense mapping: how to model threats, assign mitigations, and harden design per threat type
Resources: threat models, attack trees, OWASP Mobile Top Ten mapping.
Module 8 — Patching, Rebuilding & Tamper Analysis (Safe Labs)
8.1. APK unpacking and rebuild workflow (apktool + rebuild + sign) — conceptual workflow and risks
8.2. Smali vs source edits: where to inspect and what to change for lab exercises (use only in test APKs)
8.3. Detecting repacking/tamper: signature checks, resource changes, binary diffing
8.4. Binary diffing and version comparison to identify inserted hooks or patches
8.5. Lab: modify and recompile a test APK to demonstrate how tamper detection can be bypassed in a lab (steps for controlled environment only)
Tools: apktool, smali/baksmali, apksigner, bsdiff, bindiff.
Module 9 — Native Code (Advanced)
9.1. Native library overview: JNI bridges, calling conventions, symbol analysis
9.2. Reverse-engineering native functions with Ghidra/IDA/radare2 (conceptual workflows)
9.3. Common native vulnerabilities and mitigations: memory corruption, format strings, improper bounds checks
9.4. Conceptual native hooking techniques and defenses (Frida-Gum, inline hooks — explanation without exploit code)
9.5. Lab: analyze a vulnerable native library in a test APK to find and fix issues (safe reproduction)
Tools: Ghidra, IDA, radare2, objdump, readelf.
Module 10 — Network & API Security
10.1. Intercepting and analyzing API traffic, secure session handling, token lifecycle
10.2. Certificate pinning: detection, defensive strategies, server-side protections (no production bypass steps)
10.3. API vulnerabilities: broken authentication/authorization, insecure token handling, insufficient validation
10.4. OAuth/JWT pitfalls: improper validation, replay, weak algorithms — how to design correctly
10.5. Defensive controls: rate limiting, anomaly detection, device binding and telemetry
Tools: Burp Suite, mitmproxy, Postman, jwt-tool.
Module 11 — Auth, Crypto & Key Management
11.1. Android Keystore and hardware-backed keys (TEE, StrongBox): design patterns and limitations
11.2. Key attestation: flow, nonce usage, chaining and server verification best practices
11.3. Common crypto mistakes: hardcoded keys, poor RNG, insecure key storage
11.4. Secure token management patterns: refresh tokens, revocation, short lifetimes, server checks
Tools & Resources: OpenSSL, keytool, sample server validation scripts (conceptual).
Module 12 — Post-Exploitation, Data Access & Forensics (Ethical)
12.1. What an attacker can access on a compromised/rooted device (data exposures, secrets)
12.2. Persistence vectors on Android and detection strategies (services, receivers, scheduled tasks)
12.3. Exfiltration channels and how to monitor/mitigate them
12.4. Forensic artifacts and evidence collection: what to request from a pentester (memory dumps, /proc snapshots, attestations, device images)
12.5. Lab/Playbook: forensic validation steps to confirm a kernel or userland compromise from provided artifacts
Tools: adb, sqlite3, logcat, Volatility (Android plugins), script templates for evidence verification.
Module 13 — Kernel-Level Threats, KernelSU & Detection (Conceptual + Detection Playbook)
13.1. What kernel compromise means: custom kernels, KernelSU concept, bootloader unlocked implications
13.2. Namespaces, syscall interception, capability manipulation — how attackers hide artifacts (explanation, not operational steps)
13.3. Artifacts and indicators of kernel tampering: odd /proc values, altered /proc/version, mismatched boot properties, unusual capabilities, missing verified boot flags
13.4. Detection playbook: exact artifacts and logs to request from a vendor (what to collect, how to validate, timestamping, hashes)
13.5. Mitigations: Verified Boot, dm-verity, hardware attestation, MDM policies, server-side attestation requirements
Deliverables: Forensic checklist, sample evidence request, indicator mapping.
Module 14 — Automation, CI/CD & Supply-Chain Security
14.1. Secure build pipelines: protecting signing keys, reproducible builds, CI hardening
14.2. Dependency management and third-party risks (libraries, SDKs)
14.3. Automated scanning: static and dynamic scanners, SAST/DAST integration for mobile
14.4. Secure release practices: certificate rotation, vulnerability patching cadence
Tools: MobSF, SonarQube, Snyk, Dependabot.
Module 15 — Mobile App Hardening & Secure Development
15.1. Secure coding patterns for Android developers (input validation, least privilege)
15.2. Defensible design: server vs client responsibilities, minimal trust on client, defense in depth
15.3. Recommended controls: hardware attestation, short token lifetimes, telemetry, fraud detection, layered checks
15.4. Testing & verification checklist for secure releases (pre-release checks, attestation verification, anti-repackaging)
Frameworks: OWASP MASVS, OWASP Mobile Top Ten.
Module 16 — Reporting, Remediation & Compliance
16.1. Writing actionable findings: evidence required, reproducible steps (lab-only PoC), severity and exploitability ratings, remediation guidance
16.2. Deliverables: technical appendix, executive summary, remediation timeline, retest criteria
16.3. Compliance considerations for financial apps (regulatory reporting, audit trails, logging retention)
Templates & Tools: CVSS calculators, PTES/OWASP reporting templates.
Module 17 — Labs, Vulnerable APKs & Continuous Learning
17.1. Safe practice APKs (DVIA, InsecureBankv2, intentionally vulnerable sample apps), sources and safe download practices
17.2. How to build isolated labs: network setup, mock APIs, device image management, CI for lab redeployments
17.3. CTFs, community resources, books and ongoing training recommendations
Resources: DVIA, Android vulnerable projects, HTB/TryHackMe mobile labs, OWASP resources.
Appendices & Deliverables
A. Glossary of technical terms (attestation, TEE, SELinux, namespaces, capabilities, etc.)
B. Forensic evidence request checklist (exact files, logs, formats, timestamping and hashing instructions) — suitable to send to third-party testers
C. Lab manifests and VM images list (references and names of test APKs)
D. Quick reference: emulator vs real device vs cloud device farms — tradeoffs and guidance
Important Operational & Ethical Notes
- All practical, hands-on labs must use intentionally vulnerable APKs and isolated test networks.
- I will not provide operational step-by-step instructions that enable bypasses on real production apps (e.g., commands to install/use KernelSU, or step-by-step forging of Play Integrity tokens). Instead I will provide:
- in-depth conceptual explanations,
- detection and mitigation guides, and
- reproducible lab exercises using safe test APKs.
- You confirmed written authorization; nevertheless, for corporate or customer engagements we recommend you maintain written scope and evidence-handling agreements.