Android pentesting is like most jobs in Mobile Pentesting that you need to know some basics and have certain skills before you can begin to get deep into the field.
A good starting point for building up the necessary skill set is checking out the Open Web Application Security Project (OWASP) Top Ten lists. OWASP publishes a list of the Top Ten Web Application Vulnerabilities and the Mobile Top Ten. Becoming familiar with the vulnerabilities included in these lists is a great way to start getting into Android Pentesting.
Many automated tools exist for Android and web app penetration testing and knowledge of how to run them and process their output is important for a pentester. However, at some point it will be necessary to look at the source code of some application on the target machine.
The ability to read, if not write Java and Objective-C is helpful for a Mobile penetration tester evaluating Android mobile devices. Unlike black-hat hacking where the primary goal is finding a way into the target, the primary goal of penetration testing is helping your client fill the gaps in their security. Hackers only have to find one vulnerability in a system, pentesters need to find as many as possible, so a lot of time is spent performing the same old basic tests before moving on to the “cool stuff.
In order to get started, an aspiring android pentester needs to make some decisions about the testing environment (whether to use emulators or real devices as targets) and set up a pentesting machine with the right tools for the job.
Android Pentesting Tools for pentesters , many tools have been developed to aid in the hacking process. At a minimum, an emulator is necessary in order to gain familiarity with a variety of target platforms, but other tools have also been developed to automate common steps. In general, a Linux orMac computer is a better choice than a Windows one for mobile pentesting, as Unix-based systems have better support for the available tools.
4 Burp suite
5 Android Debug Bridge (ADB)
6 Drozer Security Framework
7 Santoku Operating System
8 Genymotion Emulator
After setting up a toolkit and getting some experience in mobile pentesting, the final step in the process is preparing a resume for a Android pentesting position.
Any previous work experience, CTF-related experience and pentesting projects should be included in your resume when applying for a position as Android pentester.
Android penetration testing requires both knowledge of web application vulnerabilities and mobile-specific vulnerabilities, tools and techniques. A variety of training courses and certifications are available to start the aspiring android penetration tester off, but in the end, practice is essential to mastery. By starting with web-application penetration testing and branching out to android specific vulnerabilities, a student can build up the background knowledge necessary to land a position as a android penetration tester.