Foreword - Learning Pentesting for Android Devices (2014)

Learning Pentesting for Android Devices (2014)

Foreword

Mobile phones are a necessity in our lives and the majority of us have become completely dependent on them in our daily lives.

The majority of mobile phones today are running on the Android OS. The main reason for this is the ever growing community of developers and massive number of applications released for the Android OS.

However, one mustn't make the mistake of thinking that Android is only used in mobile devices. The Android operating system is commonly used in cars, cameras, refrigerators, televisions, game consoles, smart watches, smart glass, and many other gadgets too.

This massive usage is not risk free and the main concern is security. One cannot tell whether the applications that are based on the Android operating system are secure. How can a common user tell if the application they are using is not malicious? Are those applications developed in a way that can be exploited by attackers? This is an important question that must be addressed.

We can describe the general picture and challenge in information security by saying that 99.9 percent secure is 100 percent vulnerable.

Knowledge is power, and we as security researchers and developers must be in a state of constant learning and researching in order to be up to date with recent attack vectors and trends in matter to stay in the arena and in order to try and predict, as much as possible, the future in that field.

This is a never-ending process that relies on valuable resources and materials to make it more efficient.

I first met Aditya at the ClubHack conference back in 2011, where both of us gave presentations about mobile security. Immediately after that, I realized that he is an asset when it comes to dealing with mobile security and practically, when dealing with the assessment of mobile applications.

The book is an easy read and contains valuable information that, in my opinion, every security researcher and developer who chooses to enter the mobile security field must learn and be aware of. For example, the basics of Android, its security model, architecture, permission model, and how the OS operates.

The tools mentioned in the book are the ones that are used by mobile security researchers in the industry and by the mobile security community.

On a personal note, my favorite chapters were the ones that discuss Android forensics, which are described as follows:

· Chapter 5, Android Forensics, as it goes deeper into the Android filesystem and the reader learns how to extract data from the filesystem

· Lesser-known Android attack vectors from Chapter 7, Lesser-known Android Attacks, as the chapter discusses infection vectors, and in particular the WebView component

· Chapter 8, ARM Exploitation that focuses on ARM-based exploitation for the Android platform

Enjoy researching and the educational learning process!

Elad Shapira

Mobile Security Researcher