PEN viva questions

Experiment 1: To install and configure Android Studio and implement a simple Android APK.
What is Android?

• Android is a software package and Linux-based operating system for mobile devices such as
tablet computers and smartphones.
• It is developed by Google. Android code is mainly written in Java, although other
languages can be used.
• There are many code names of Android versions, such as Lollipop, KitKat, Jellybean, etc.
What is Android Studio, what are its advantages and who are the users of Android Studio?

• Android Studio is the official Integrated Development Environment (IDE) for Android app
development.
Advantages:

• A flexible Gradle-based build system.
• A fast and feature-rich emulator.
• A unified environment where you can develop for all Android devices.
• Live Edit to update composables in emulators and physical devices in real time.
• Android Studio is used by professional developers, industry experts, students, etc.
Describe in detail about Android APK.

• APK stands for Android Package (sometimes Android Package Kit or Android Application
Package).
• An APK file is the file format used to install applications on the Android operating system.
• A program in Android is first compiled, and then all its parts are packaged into one single file
to make it an APK file.
Different types of mobile application platforms
Native Apps:
• Native apps are built specifically for a particular mobile operating system (e.g., Android or
iOS) using platform-specific programming languages (Java/Kotlin for Android, Swift/Objective-C
for iOS).
• Because developers build a native app for use on a particular device and its OS, it has the
ability to use device-specific hardware and software.
Web Apps:
• Web apps are accessed through a mobile browser and are essentially websites optimized for
mobile devices.
• They are developed using web technologies such as HTML, CSS, and JavaScript and are not
installed on the device.
• Web apps are cross-platform and can run on any device with a compatible web browser.
Hybrid Apps:
• Hybrid apps combine elements of both native and web apps. They are built using web
technologies (HTML, CSS, JavaScript) and wrapped in a native container.
• Hybrid apps can be deployed across multiple platforms with minimal code changes, making
them cost-effective and efficient for development.
• They have access to device features through plugins and APIs provided by frameworks like
Apache Cordova or Ionic.
Introduction of Android, features of Android
Introduction

• Android is a mobile operating system developed by Google, based on the Linux kernel and
designed primarily for touchscreen mobile devices such as smartphones and tablets.
• It is the most widely used mobile operating system globally.
Features:

• Open Source
• User Interface Customization
• Multitasking
• Notification System

Android Application Architecture.

Android's architecture is based on the Linux 2.x and 3.x kernels, which act as the
hardware abstraction layer.
It consists of:

• Applications
• Application Framework
• Android Runtime
• Platform Libraries
• Linux Kernel
It can be represented as five different layers, as shown in the architecture diagram:
Applications –

• Applications form the top layer of the Android architecture.
• The pre-installed applications like home, contacts, camera, gallery, etc. and third-party
applications downloaded from the Play Store like chat applications, games, etc. are
installed on this layer only.
Application framework –

• The Application Framework provides several important classes which are used to create an
Android application.
Android runtime –

• It contains components like the core libraries and the Dalvik virtual machine (DVM).
• It provides the base for the application framework and powers our application with the
help of the core libraries.
• The Dalvik Virtual Machine (DVM) is a register-based virtual machine, specially designed
and optimized for Android to ensure that a device can run multiple instances efficiently.
Platform libraries –

• The Platform Libraries include various C/C++ core libraries and Java-based libraries, such as
Media, Graphics, Surface Manager, OpenGL, etc., to provide support for Android development.
Linux Kernel –

• The Linux Kernel is the heart of the Android architecture.
• It manages all the available drivers such as display drivers, camera drivers, Bluetooth
drivers, audio drivers, memory drivers, etc., which are required during runtime.
Android Development Tools
The Android developer tools let you create interactive and powerful applications for the Android platform.
The tools can be generally categorized into two types.
SDK tools:
1. android: This tool lets you manage AVDs, projects, and the installed components of the SDK.
2. ddms: This tool lets you debug Android applications.
3. Draw 9-patch: This tool allows you to easily create a NinePatch graphic using a WYSIWYG
editor.
4. Emulator: This tool lets you test your applications without using a physical device.
5. mksdcard: Helps you create a disk image (external SD card storage) that you can use with the
emulator.
6. ProGuard: Shrinks, optimizes, and obfuscates your code by removing unused code.
7. sqlite3: Lets you access the SQLite data files created and used by Android applications.
8. traceview: Provides a graphical viewer for execution logs saved by your application.
Platform tools:

• Android Debug Bridge (ADB): ADB is a versatile command-line tool that allows developers
to communicate with an Android device or emulator connected to a computer.
• Android Interface Definition Language (AIDL): AIDL is a language used to define remote
interface contracts in Android applications, particularly when implementing interprocess
communication (IPC) between different Android components.
• aapt: aapt is a command-line tool used to package and manipulate Android application
resources (such as icons, layouts, strings, etc.) within the APK (Android Package) file.
• dexdump: dexdump is a command-line tool that allows developers to inspect the contents of
Android DEX (Dalvik Executable) files.
• dex: The dex tool is used to convert Java bytecode (.class files) into the DEX format.

Q. Application Packages (APK):

• An APK (Android Package) file is the package file format used by the Android operating
system for distributing and installing applications.
• It contains all the necessary files and resources required to run the application on an Android
device, including compiled code (in DEX format), resources, assets, the manifest file, and
certificates.
Q. Application Sandboxing and Signing:

• Application sandboxing refers to the practice of isolating an application from other
applications and the underlying operating system to enhance security and stability.
• Each Android application runs in its own sandboxed environment, with limited access to
system resources and other applications' data.
• On Android, application signing is the first step to placing an application in its
Application Sandbox.
• The signed application certificate defines which user ID is associated with which
application; different applications run under different user IDs.
• Application signing ensures that one application cannot access any other application
except through well-defined IPC.

Q. Build Process:
• The Android build process involves compiling the source code, packaging resources, and
generating the final APK file for the application.
• It typically includes tasks such as compiling Java/Kotlin source code into bytecode,
processing resources, running lint checks and signing the APK.
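The APK and build-process notes above describe the package as a ZIP carrying the manifest, DEX code, resources and signature files. The following added example (written for these notes, not taken from the Android SDK) opens an APK and checks that structure, including the Adler-32 checksum and SHA-1 signature that every DEX header carries; the sample APK is constructed in memory, so its manifest is plain text rather than Android's binary XML and its certificate entry is a placeholder.

```python
"""Inspect an APK the way the packaging notes describe it: a ZIP that carries the
manifest, DEX bytecode, resources and (v1) signature files. Example code for these
notes, not from the Android SDK. The sample APK is constructed in memory."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"
DEX_HEADER_SIZE = 0x70

def check_dex(data):
    """Validate a DEX header: magic, Adler-32 checksum (covers everything after the
    checksum field) and SHA-1 signature (covers everything after the signature
    field). dexdump and the runtime rely on these fields; a repackaged or patched
    classes.dex that was not re-signed fails this check."""
    if len(data) < DEX_HEADER_SIZE or data[:8] != DEX_MAGIC:
        return {"valid": False, "reason": "bad magic or truncated header"}
    checksum = struct.unpack_from("<I", data, 8)[0]
    signature = data[12:32]
    file_size = struct.unpack_from("<I", data, 32)[0]
    ok = (checksum == zlib.adler32(data[12:]) & 0xFFFFFFFF
          and signature == hashlib.sha1(data[32:]).digest()
          and file_size == len(data))
    return {"valid": ok, "file_size": file_size}

def inspect_apk(apk_bytes):
    """Report which of the expected parts are present and whether each DEX is intact."""
    report = {"manifest": False, "resources": False, "v1_signature_files": False, "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        report["manifest"] = "AndroidManifest.xml" in names
        report["resources"] = "resources.arsc" in names
        # Presence of the signature block only; real verification is apksigner's job.
        report["v1_signature_files"] = any(
            n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names)
        for n in names:
            if n.startswith("classes") and n.endswith(".dex"):
                report["dex"][n] = check_dex(z.read(n))
    return report

def build_dex_header():
    """Build a minimal header-only DEX image with a correct checksum and signature.
    Constructed for the demo; it carries no classes."""
    h = bytearray(DEX_HEADER_SIZE)
    h[:8] = DEX_MAGIC
    struct.pack_into("<I", h, 32, DEX_HEADER_SIZE)   # file_size
    struct.pack_into("<I", h, 36, DEX_HEADER_SIZE)   # header_size
    struct.pack_into("<I", h, 40, 0x12345678)        # endian_tag (little endian)
    h[12:32] = hashlib.sha1(h[32:]).digest()
    struct.pack_into("<I", h, 8, zlib.adler32(bytes(h[12:])) & 0xFFFFFFFF)
    return bytes(h)

def build_sample_apk(tamper=False):
    """Constructed sample APK (not a real app). With tamper=True one byte of the
    DEX is flipped after it was signed, as a modified classes.dex would look."""
    dex = bytearray(build_dex_header())
    if tamper:
        dex[40] ^= 0x01
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", '<manifest package="com.example.demo"/>')
        z.writestr("classes.dex", bytes(dex))
        z.writestr("resources.arsc", b"")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"placeholder-not-a-real-certificate")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_apk(build_sample_apk()))
    print(inspect_apk(build_sample_apk(tamper=True)))
```

The DEX check only proves the file is self-consistent; whether the package was signed by the expected developer key is what `apksigner verify` answers.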
Q. Rooting:

• Rooting refers to the process of gaining root access or administrative privileges on an Android
device, allowing users to modify system files, install custom ROMs, and access restricted
features.
• Rooting can void the device warranty, expose it to security risks, and potentially cause
stability issues.
Q. Application Manifest File:

• The AndroidManifest.xml file is a crucial component of an Android application that provides
essential information about the app to the Android system.
• It contains metadata such as the application's package name, version, permissions required,
activities, services, receivers, and intent filters.
Q. Android Application Lifecycle and Application Class

• The Android application lifecycle refers to the sequence of states that an Android application
goes through during its lifetime, from creation to destruction.
• The lifecycle includes callbacks such as onCreate(), onStart(), onResume(), onPause(), onStop(),
and onDestroy(), which correspond to different stages of the app's execution.
• The Application class is a base class in Android that represents the global application state
and is used to maintain application-wide resources, initialize components, and handle
lifecycle events.
Process states:
1. Foreground process: A foreground process is a process with which the user is currently
interacting.
2. Visible process: The user does not directly interact with this process, as the activity
belonging to this process is partially covered by another activity and the process
is in the onPause() lifecycle state.
3. Service process: A process is said to be a service process if it is in the running state and is
neither a foreground process nor a visible process.
4. Background process: A process whose activity has had its onStop() lifecycle method
called by the system.
Q. Architecture of the iOS Operating System

• iOS is a mobile operating system that was developed by Apple Inc. for iPhones, iPads, and
other Apple mobile devices.
CORE OS Layer:
All the iOS technologies are built on the lowest level layer, i.e. the Core OS layer.
These technologies include:

• Core Bluetooth Framework
• External Accessories Framework
• Accelerate Framework
• Security Services Framework
• Local Authorization Framework
CORE SERVICES Layer:
It provides the fundamental services that the upper layers build on. It is the 2nd lowest
layer in the architecture. Below are some important frameworks present in this layer:

• Address Book Framework - The Address Book Framework provides access to the contact
details of the user.
• CloudKit Framework - This framework provides a medium for moving data between your app
and iCloud.
• Core Data Framework - This is the technology that is used for managing the data model of a
Model View Controller app.
• Core Foundation Framework - This framework provides data management and service features
for iOS applications.
MEDIA Layer:
It enables all graphics, video, and audio technology of the system. This is the second layer in the
architecture. The different frameworks of the Media layer are:

• UIKit Graphics - This framework provides support for designing images and animating the
view content.
• Core Graphics Framework - This framework supports 2D vector and image-based rendering
and is the native drawing engine for iOS.
• Core Animation - This framework helps in optimizing the animation experience of apps in
iOS.
• Media Player Framework - This framework provides support for playing playlists and
enables the user to use their iTunes library.

COCOA TOUCH:
Cocoa Touch is also known as the application layer, which acts as an interface for the user to work
with the iOS operating system. It provides the following frameworks:

• EventKit Framework - This framework shows a standard system interface using view
controllers for viewing and changing events.
• GameKit Framework - This framework provides support for users to share their game-related
data online using Game Center.
• MapKit Framework - This framework gives a scrollable map that one can include in the user
interface of the app.
• PushKit Framework - This framework provides registration support for push notifications.

Building Android applications

Q. Android Activity: Creating activities

• An activity is a single, focused screen that users can interact with in an Android application.
• To create an activity, you need to extend the Activity class or one of its subclasses
(AppCompatActivity, for example) and override lifecycle methods such as onCreate() to set
up the activity's user interface and initialize resources.
• Activities are declared in the AndroidManifest.xml file using <activity> tags,
specifying attributes such as the activity's name, label, and launch mode.

Q. Intent Filters
Intent filters are used to specify the types of intents that an activity, service, or broadcast receiver can
respond to.
Q. Displaying notifications.

• Notifications are used to alert users about events or information, such as new messages,
updates, or reminders.
• You can create and display notifications using the NotificationManager class.
Q. Broadcast Receivers

• Broadcast receivers are components that listen for and respond to broadcast messages from
other applications or the system.
• You can create broadcast receivers by extending the BroadcastReceiver class and registering
them in the AndroidManifest.xml file or dynamically in code.
Q. Android UI Design
Android provides various UI components and layouts for designing user interfaces, including views,
layouts, and fragments.

Q. Views
A 'View' is a user interface component or widget that is used to interact with the user.
Views are the building blocks of an Android app's UI, and they include elements such as buttons,
text fields, images, and more.
Q. Layouts
Layouts define the arrangement and positioning of views.
Q. Fragments
Fragments are reusable UI components that represent a portion of a user interface or behavior. They
are often used to create flexible and modular UI designs that can adapt to different screen sizes and
orientations.
Q. Adapters
Adapters are used to bind data to views, such as populating a list or grid with data from a data source.
Q. Linking Activities Using Intents.

• Intents are used to communicate between different components of an Android application,
such as activities, services, and broadcast receivers.
• They can be used to start activities, pass data between activities, and trigger system actions.
Q. Creating Intent Receivers
Creating intent receivers in Android involves implementing broadcast receivers, which are
components that listen for and respond to broadcast messages sent by other applications or the system.
1. Create a Broadcast Receiver Class:
• Start by creating a new Java class that extends the BroadcastReceiver class.
• Override the onReceive() method, which is called when the broadcast receiver receives an
intent.
• Inside the onReceive() method, implement the logic to handle the received intent.
2. Declare the Broadcast Receiver in the AndroidManifest.xml File:
• Register the broadcast receiver in the AndroidManifest.xml file using a <receiver> tag.
• Specify the name of the broadcast receiver class and the intent filter for the types of intents it
should receive.
3. Send Broadcast Intents from Other Components:
• To send a broadcast intent from another component, such as an activity or service, create an
intent object and specify the action to be performed.
• Use the sendBroadcast() method to send the intent.
4. Testing the Broadcast Receiver:
• Once you have implemented the broadcast receiver and declared it in the
AndroidManifest.xml file, you can test it by sending broadcast intents from other components
in your application or from external applications.
Q. Content Providers and Database Connectivity
Content providers are components that manage access to a shared set of data, such as contacts,
calendar events, or media files. They provide a standard interface for querying, inserting, updating,
and deleting data.
1. Create a Database Helper Class: Start by creating a class that extends SQLiteOpenHelper.
This class will handle database creation and version management.
2. Perform Database Operations: Use the SQLiteDatabase class to perform database operations
such as inserting, querying, updating, and deleting data.
3. Create a Content Provider: Next, create a class that extends ContentProvider. This class will
define the interface for accessing the data in your database.
4. Declare the Content Provider in AndroidManifest.xml: Register your content provider in the
AndroidManifest.xml file using a <provider> tag.
5. Access Data using a Content Resolver: To access data from your content provider in other parts
of your application, use the ContentResolver class. Use methods such as query(), insert(),
update(), and delete() to interact with the content provider.

Basics of Mobile Application Security

Q. Android permission model

• Android uses a permission-based security model to control access to sensitive device
resources and user data.
• Applications must declare the permissions they need in the AndroidManifest.xml file and, for
dangerous permissions, request them at runtime to access features such as camera, location,
contacts, storage, etc.
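The permission model above, together with the earlier steps that declare receivers and content providers in AndroidManifest.xml, comes down to a few manifest attributes a reviewer checks first. The following added example (written for these notes, not part of the Android SDK) audits a decoded manifest for requested dangerous permissions, components that other apps can reach without a guarding permission, and the debuggable and allowBackup flags; it assumes the manifest is already plain XML (for instance decoded with APKTool), and the sample manifest and the subset of dangerous permissions are constructed for the demo.

```python
"""Static check of a decoded AndroidManifest.xml against the points in these notes:
which permissions the app requests, which components other apps can reach
(exported) without a guarding android:permission, and build flags that weaken
the sandbox. Example code written for these notes, not part of the Android SDK.
Assumes the manifest is already plain XML (e.g. decoded with apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:* attribute (they live in the android namespace)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

# Constructed subset of runtime ("dangerous") permissions for the demo, covering
# the camera, location, contacts and storage features the notes mention.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise a component
    with an <intent-filter> is implicitly exported (pre-Android 12 behaviour)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def is_launcher(component):
    return any(_attr(a, "name") == "android.intent.action.MAIN" for a in component.iter("action"))

def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    requested = [_attr(p, "name") for p in root.findall("uses-permission")]
    for perm in requested:
        if perm in DANGEROUS:
            findings.append(f"requests dangerous permission {perm}")
    if _attr(app, "debuggable") == "true":
        findings.append("application is debuggable (a debugger can be attached on any device)")
    if _attr(app, "allowBackup") != "false":
        findings.append("allowBackup not disabled (app data can leave the sandbox via adb backup)")
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if is_launcher(comp):
                continue                        # the launcher activity must be exported
            if is_exported(comp) and _attr(comp, "permission") is None:
                findings.append(f"exported {tag} {_attr(comp, 'name')} has no android:permission")
    return {"package": root.get("package"), "permissions": requested, "findings": findings}

# Constructed sample manifest (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notesapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Notes" android:debuggable="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SyncReceiver">
            <intent-filter>
                <action android:name="com.example.notesapp.SYNC"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".AdminReceiver" android:exported="true"
            android:permission="android.permission.BIND_DEVICE_ADMIN"/>
        <provider android:name=".NotesProvider"
            android:authorities="com.example.notesapp.notes"
            android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["permissions"])
    for finding in report["findings"]:
        print(" -", finding)
```

On the sample, SyncReceiver is flagged because its intent filter makes it implicitly exported while no permission guards it, whereas AdminReceiver (guarded) and NotesProvider (exported="false") pass.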

Q. Key challenges in mobile application security

• Fragmentation of the Android ecosystem, leading to inconsistencies in security updates and
patching across devices and versions.
• Lack of secure coding practices and awareness among developers, resulting in vulnerabilities
such as insecure data storage, improper session management, and input validation issues.
• Rapid development cycles and pressure to release features quickly, often leading to
inadequate security testing and oversight.
• The proliferation of mobile malware and phishing attacks targeting users through malicious
apps, SMS, or social engineering techniques.
Q. Impact of mobile application security

Poor mobile application security can have serious consequences, including:

• Data breaches and unauthorized access to sensitive information, leading to financial loss,
identity theft, and reputation damage.
• Compromised user privacy and trust, resulting in loss of user confidence and potential legal
and regulatory consequences.

Q. Android vulnerabilities
Android vulnerabilities are weaknesses or flaws in the Android operating system or its applications
that can be exploited by attackers to compromise device security.
Common Android vulnerabilities include:

• Remote code execution vulnerabilities.
• Privilege escalation vulnerabilities.
• Information disclosure vulnerabilities.
• Insecure data storage and transmission.
Q. The need for mobile application penetration testing

• Mobile application penetration testing is essential for identifying and addressing security
weaknesses and vulnerabilities in mobile applications.
• It involves simulating real-world attacks and exploitation techniques to uncover potential
security flaws and assess the overall security posture of the application.
Q. The mobile application penetration testing methodology.
It follows a systematic methodology to identify and exploit security vulnerabilities in mobile
applications. The different phases in the mobile application penetration testing methodology are:

• Pre-engagement activities (scoping, reconnaissance) - Scope definition: define the scope of
the penetration test. Reconnaissance: gather information about the target application, its
architecture and functionalities.
• Threat modeling and risk assessment - Threat modeling: analyze the application's
architecture, data flows, trust boundaries, and potential threats to identify potential attack
vectors and prioritize testing efforts. Risk assessment: assess the impact and likelihood of
identified threats and vulnerabilities to determine their risk level and prioritize remediation
efforts.
• Vulnerability scanning and analysis - Static analysis: analyze the application's source code,
configuration files, and binaries to identify potential security weaknesses. Dynamic analysis:
execute the application in a controlled environment and perform runtime analysis.
• Exploitation of identified vulnerabilities - Manual testing: manually verify and exploit
identified vulnerabilities. Automated exploitation: use automated tools and scripts to exploit
common vulnerabilities, such as SQL injection, XSS, insecure authentication, and insecure
data storage.
• Post-exploitation activities (reporting, remediation guidance) - Reporting: document all
identified vulnerabilities. Remediation guidance: provide actionable remediation guidance
and recommendations to address identified vulnerabilities. Re-testing: verify the effectiveness
of remediation efforts by re-testing.
Q. The OWASP Mobile Security Project and risks.
1. The OWASP Mobile Security Project provides resources, tools, and guidance for securing
mobile applications and assessing mobile application security risks.
2. It identifies common mobile security risks and vulnerabilities, such as insecure data storage,
lack of binary protections, insecure communication, and inadequate authentication and
authorization mechanisms.
The OWASP projects:

• OWASP Mobile Top 10 Risks

Common risks addressed by the OWASP Mobile Security Project:

• Insecure Data Storage
• Insecure Communication
• Insecure Authentication
• Insufficient Cryptography
Building test environments and Mobile Pentesting tools

Q. Android security tools:

1. APKAnalyser - APKAnalyser is a tool used for analyzing and dissecting Android application
packages (APKs).
It allows security researchers and developers to inspect the contents of an APK, including
resources, assets, the classes.dex file, the manifest file, and other components.
2. The drozer tool - Drozer is an Android security testing framework that provides
comprehensive capabilities for assessing the security of Android applications and devices.
Drozer also provides a command-line interface (CLI) and scripting capabilities for automated
testing and exploitation.
3. APKTool - APKTool is a reverse engineering tool used for decompiling and recompiling
Android application packages (APKs). APKTool is commonly used for analyzing and
understanding the inner workings of Android applications and identifying vulnerabilities.
4. The dex2jar API - dex2jar is a tool used for converting Android DEX (Dalvik Executable)
files to JAR (Java Archive) format. dex2jar is often used in conjunction with JD-GUI or other
Java decompilers to reverse engineer Android applications.
5. JD-GUI - JD-GUI (Java Decompiler GUI) is a graphical user interface for decompiling Java
bytecode into source code. JD-GUI provides features such as syntax highlighting, code
navigation, and class hierarchy visualization.
Q. Reversing the application.

• Reversing the application refers to the process of analyzing and understanding the inner
workings of an Android application, including its source code, functionality, and security
mechanisms.
• This process involves using tools like APKAnalyser, APKTool, dex2jar, JD-GUI, and manual
analysis techniques to decompile, inspect, and understand the application's behavior.

Q. Mobile app penetration testing environment setup.

Steps:

• Choose an operating system: Select a suitable operating system for penetration testing, such
as Kali Linux, Parrot Security OS, or Ubuntu.
• Install virtualization software: Install virtualization software like Oracle VirtualBox or
VMware to create virtual machines for testing.
• Set up an Android emulator: Install an Android emulator like the Android Emulator, Genymotion,
or BlueStacks for simulating Android devices.
• Configure the iOS Simulator: If testing iOS apps, install Xcode on macOS to access the iOS
Simulator.
• Install penetration testing tools: Install tools like Drozer, Frida, APKTool, and Burp Suite for
analyzing and testing mobile apps.
• Configure a network proxy: Set up a network proxy for intercepting and analyzing network
traffic from mobile devices or emulators.
• Network configuration: Configure mobile devices or emulators to use the proxy server for
network communication.
• Documentation and reporting: Develop templates and guidelines for documenting findings
and preparing penetration testing reports.

Q. Monkeyrunner

• Monkeyrunner is a tool provided by the Android SDK for automated testing and interaction
with Android devices and emulators.
• It allows testers to write scripts in Python to automate user interface interactions, such as
tapping, swiping, and entering text, for testing purposes.
Q. Genymotion

• Genymotion is a popular Android emulator used by developers and testers for app
development and testing purposes.
• It provides a fast and efficient emulation environment with support for various Android
versions, device configurations, and features, such as GPS simulation, camera emulation, and
network simulation.
• Genymotion offers advanced features for testing and debugging Android applications, making
it a valuable tool for mobile app penetration testing.

Building Attack Paths – Threat Modeling an Application

Q. Assets – An asset is something that we are trying to protect. It can be property, information,
or even people.

Q. Threats - A threat is something that can harm an asset that we are trying to protect. In mobile
device security, a threat is a possible danger that might exploit a vulnerability to
compromise the device and cause potential harm to it. Types of threats: intentional, accidental.

Q. Threat agents - Identify threat agents or actors who may exploit vulnerabilities to carry out attacks
against the application, such as hackers, insiders, competitors, or malicious users.
Threat agents may be able to perform the following actions: access, misuse, disclose, modify, deny
access.

Q. Vulnerabilities - A security weakness within the system that might allow attackers to exploit it and
break the security of the device is called a vulnerability.

Q. Risk - The intersection between assets (A), threats (T), and vulnerabilities (V) is risk. Including
the probability (P) of occurrence of the threats along with risk adds more value for the
business: Risk = A x T x V x P.
Q. Approaches to threat models.
In general, there are three approaches to a threat model:
• Software-centric: A risk mitigation approach focusing on software. It evaluates the application being
modelled, determines the risk, and identifies controls to mitigate it.
• Asset-centric: Focusing on assets, this approach identifies the assets to be protected, classifies assets
based on data sensitivity and value potential, and determines an "acceptable risk" level.
• Attacker-centric: Puts the user into the mindset of an attacker and determines what is most at risk.
It needs an understanding of the concept of hacking and the skill set of a hacker.

Q. Threat modeling methodologies

1. STRIDE - The STRIDE threat classification method was developed by Microsoft in January 2002.
STRIDE stands for S - spoofing, T - tampering, R - repudiation, I - information disclosure, D - denial
of service, E - elevation of privilege.
To meet the security principles of CIA (short for confidentiality, integrity, and availability), Microsoft
introduced STRIDE, which makes heavy use of DFDs (data flow diagrams) that are graphically
represented with a standard set of symbols. The DFD includes data flows, stores, and processes, and it
also includes trust boundaries.
2. PASTA - PASTA (short for process for attack simulation and threat analysis) is a seven-step method
introduced by Marco and Tony. It begins with the business definition, followed by the technical
definition, decomposing the app, threat analysis, vulnerability detection, attack enumeration, and
finally, risk and business impact analysis.
3. Trike - Trike is a methodology based on risk management and is used to build threat models. Trike
comes with an XLS-based and a standalone tool.
Q. Using STRIDE to classify threats.
1. Spoofing - Property violated: Authentication - Illegal access to and then use of another user's
authentication information, such as username and password.
2. Tampering - Property violated: Integrity - The malicious modification of data.
3. Repudiation - Property violated: Accountability (audit) - Associated with users who deny performing
an action without other parties having any way to prove otherwise.
4. Information Disclosure - Property violated: Confidentiality - Exposure of information to individuals
who are not authorized to access it.
5. Denial of Service (DoS) - Property violated: Availability - Attacks that deny service to valid users.
6. Elevation of Privilege - Property violated: Authorization - Privileged access gained by an unprivileged
user, who then has sufficient access to compromise or destroy the entire system.

Q. Building attack plans and attack trees

Attack Plans:
• An attack plan outlines the steps an attacker would take to achieve a specific objective within
a system.
• Attack plans typically include various stages, such as reconnaissance, exploitation, privilege
escalation, and data exfiltration.
• Each stage of the attack plan involves specific actions and techniques that attackers might use
to compromise the target system.
Creating an attack tree involves the following steps:
Step 1: Identify the goal - Start by identifying the specific goal an attacker could have.
Step 2: Define the root node - Create the root node of the attack tree, representing the identified goal.
Step 3: Identify attack paths - Identify the different attack paths an attacker could follow to reach the goal.
Step 4: Subdivide attack paths - For each attack path, further subdivide it into smaller attack trees or
sub-attack trees. These sub-attack trees represent individual elements and actions.
Step 5: Add attack techniques and vulnerabilities - For each node in the attack tree, add the specific
attack techniques, strategies, or vulnerabilities that an attacker could utilize or exploit.
Step 6: Assess and analyse - Analyse the attack tree to assess the likelihood and impact of each attack
path. This analysis allows you to prioritize risks, identify critical vulnerabilities, and plan appropriate
countermeasures.
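Steps 1 to 6 above become concrete once the tree is evaluated. The following added example (written for these notes, not from any threat-modeling tool) represents a goal as a root with AND/OR subtrees, computes the likelihood of each attack path (product for AND, best alternative for OR), and then does step 6 from the defender's side by asking which single countermeasure lowers the goal likelihood most. The tree, the hypothetical notes app and all likelihood values are constructed estimates for the demo.

```python
"""Evaluate an attack tree (steps 1 to 6 in these notes). Example code written for
the notes, not taken from a threat-modeling tool. All likelihoods are constructed
estimates for a hypothetical notes app."""

class Node:
    """One node of an attack tree. Leaves are attack techniques with an estimated
    likelihood in [0, 1]; AND nodes need every child to succeed, OR nodes any one."""
    def __init__(self, name, kind="leaf", children=(), likelihood=0.0):
        self.name = name
        self.kind = kind                  # "leaf", "AND" or "OR"
        self.children = list(children)
        self.likelihood = likelihood      # only meaningful for leaves

def leaves(node):
    if node.kind == "leaf":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]

def goal_likelihood(node):
    """AND: product of the children (all steps must succeed).
    OR: the most likely alternative (the attacker picks the easiest path)."""
    if node.kind == "leaf":
        return node.likelihood
    values = [goal_likelihood(c) for c in node.children]
    if node.kind == "AND":
        product = 1.0
        for v in values:
            product *= v
        return product
    return max(values)

def attack_paths(node):
    """Enumerate every concrete path as (tuple of leaf names, likelihood)."""
    if node.kind == "leaf":
        return [((node.name,), node.likelihood)]
    if node.kind == "OR":
        return [p for c in node.children for p in attack_paths(c)]
    combined = [((), 1.0)]                # AND: cartesian product of child paths
    for c in node.children:
        combined = [(steps + s, p * q) for steps, p in combined for s, q in attack_paths(c)]
    return combined

def ranked_paths(root):
    return sorted(attack_paths(root), key=lambda sp: sp[1], reverse=True)

def mitigation_ranking(root):
    """Step 6 from the defender's side: for each leaf, set its likelihood to 0
    (a control removes that technique) and measure how far the goal likelihood
    drops. The largest drop marks the countermeasure to apply first."""
    base = goal_likelihood(root)
    drops = []
    for leaf in leaves(root):
        saved, leaf.likelihood = leaf.likelihood, 0.0
        drops.append((leaf.name, base - goal_likelihood(root)))
        leaf.likelihood = saved
    return sorted(drops, key=lambda d: d[1], reverse=True)

def sample_tree():
    """Constructed tree for a hypothetical notes app; likelihoods are made-up estimates."""
    return Node("read another user's notes", "OR", [
        Node("query the app's content provider from another app", "AND", [
            Node("malicious app installed on the same device", likelihood=0.3),
            Node("provider exported without a permission", likelihood=0.6),
        ]),
        Node("intercept sync traffic", "AND", [
            Node("attacker on the same network", likelihood=0.4),
            Node("app accepts any TLS certificate", likelihood=0.2),
        ]),
        Node("extract an adb backup", "AND", [
            Node("physical access with USB debugging enabled", likelihood=0.1),
            Node("allowBackup left enabled", likelihood=0.7),
        ]),
    ])

if __name__ == "__main__":
    root = sample_tree()
    print(f"goal likelihood: {goal_likelihood(root):.2f}")
    for steps, p in ranked_paths(root):
        print(f"  {p:.2f}  " + " AND ".join(steps))
    print("countermeasure priority:")
    for name, drop in mitigation_ranking(root):
        print(f"  -{drop:.2f}  remove: {name}")
```

On the sample tree, guarding the content provider with a permission (or not exporting it) cuts the goal likelihood from 0.18 to 0.08, while fixing either leaf of the two less likely paths changes nothing until the provider path is closed.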

Q. Threat model outcomes:

• Identified threats: The threat modeling process uncovers potential threats and vulnerabilities
within the system.
• Vulnerability prioritization: Threat modeling helps prioritize vulnerabilities based on their
severity and likelihood of exploitation.
• Risk assessment: By analyzing identified threats and vulnerabilities, threat modeling
facilitates risk assessment.
• Security controls: Threat modeling suggests appropriate security controls and
countermeasures to mitigate identified threats.
Q. Risk assessment.
