Learning Pentesting for Android Devices: A Practical Guide to Learning Penetration Testing for Android Devices and Applications
W**E
detailed advice
Android is the most popular phone operating system in the world, measured by unit volume. Probably also by total revenue. Apple gets more profit per handset, but sells fewer. Developers of Android applications should be aware of how to protect against intrusion. The first chapter is just a run through of the layout of the operating system. A version of Linux optimised for mobile platforms. It might help if you already have developed for a virtual machine environment. Since each application runtime instance runs within its own VM. But the point of divergence from laptop or desktop VMs is that here the VM framework is used for performance and not security. In large part, the rest of the book flows from this observation. Eclipse is the development platform used. Good, because it is free and heavily tested and maintained. Turns out, it has an option that makes an Android Virtual Machine Device Manager. This runs an Android virtual device. So you develop and test on a desktop with emulation. The text takes you through how all this can be done, with simple examples. Of these, take careful note of the Burp proxy. It can sniff [analyse] the network traffic. This is an important way to find vulnerabilities in an application. An entire chapter goes into other ways to do traffic analysis. Passive and active. The latter is a little harder maybe. But it lets you debug by stepping through the stages of a given network interaction between an app and its server. Another very useful tool is for reverse engineering an existing Android app. If you have coded in Java, you may be aware of programs to do likewise for Java bytecode. Conceptually, it's the same idea for Android.
P**I
Good reference for Android app's security audit
I’m still going through this book. I’ve picked up "Chapter 3: Reversing and Auditing Android Apps" to begin with and found it totally comprehensive and filled with relevant information. This chapter briefly touches upon how to reverse engineer an Android application’s APK and quickly address the bigger security holes. This book targets both of the most popular operating systems: Windows and Unix based. The quick introduction to useful tools is really helpful for reference purposes. I’m looking forward to reading other chapters too. I would definitely keep this book as a quick reference on Android security audits. The only reason I'm rating it 3 stars is that I've not finished it yet. So far so good!
R**A
good introductory book for Android security and vulnerabilities
This is a great book for those who would like to explore and experiment with Android application and platform security. The authors have designed the book very well, beginning with the basics of the Android security architecture and going deeper into the nuances of the platform security. The tools that are explained here really help testers to audit and reverse engineer Android applications, and also help in understanding different kinds of Android vulnerabilities and attacks.
K**M
Good start for an Android security novice
I would consider myself new to Android app security aspects. However, I've found this book easy to follow, as the step-by-step approach to a penetration testing process is easy to follow. At the end of the book, there's a sample of a pentest report, that's considered a helpful document.
F**N
A book to understand how an Android application works and how to make it more secure
I really love this book! "Learning Pentesting for Android Devices" is a book for all curious guys that want to understand how things are working inside their Android device. The goal of the book is to explore which vulnerabilities and issues could be present in an Android application and how to prevent and to reveal them. This is just an interesting argument, but what is really more interesting is the way to reach this goal: becoming a "hacker" for a couple of hours and jumping to the dark side of development! Yes, because decompiling, reverse engineering, exploiting and attacking will be really more clear to you after reading this book! The book starts with a couple of chapters about Android howtos: what an Android app is, how it is generated and which tools should be used to achieve the goal. After that, Aditya brings you on the reverse path: in chapter 3, starting from an app, he brings you to the source code! There is a very clear description of which tools could be used, how to use them and which limits you could experience during this adventure. In chapter 4, the classical network attacks are explored: network traffic analysis, proxy interception, man in the middle and so on. More or less after half of the book, Aditya starts with a not so common description of Android vulnerabilities and attacks (from the device point of view!). This is really uncommon and very, very interesting for understanding how the Android phone you have in your pocket is made. A specific chapter is dedicated to SQLite, one of the most common SQL databases, deployed in several millions of devices, and to the WebView, one of the most common Android widgets. In the end, even if this book is for every developer with a basic knowledge of Android programming, I must suggest it to everyone who has the intention to start and develop an Android app. Your app will surely be more secure in the end and there will be no risk of finding the source code of your app on the internet!
S**H
Excellent content and very well explained.
I got the book delivered to me a week back, and have gone through all the chapters as well. The book really serves the one purpose for which it has been written: to give an introduction to the various security aspects in Android, such as finding vulnerabilities in applications, auditing them, reverse engineering, forensics and so on. The ARM Exploitation chapter was quite tough to understand, but after 2-3 reads, everything made perfect sense to me. I wish the book was a bit longer, but still it's fine as everything is to the point. Do not expect to find many theoretical topics in the book, as it is completely hands-on. Even some of the latest vulnerabilities, such as the Webview exploitation and XAS, were given in a how-to manner in the book, which was easy to follow. Overall a nice Android Security book, and a must-have for anyone interested in Android Security.
A**A
Basic, very basic, not at all recommendable. Don't buy it!
When I bought this book I did so partly driven by its publication date and table of contents. Being such a recent work (the publication date is March 2014), I thought it would be a good work for pentesters of current Android technology. I was wrong; the work is really basic, not very detailed, and each chapter is a very superficial guide to the main tools and techniques for Android pentesting. Nothing that cannot be found on the Internet, in long and complete articles or videos. Frankly, having paid for this book gives me a feeling of horrendous frustration. I do not recommend it to anyone, regardless of their level of knowledge of Android security.