Android Security: Attack Vectors, Defense Strategies & Best Practices for 2025
2025-04-14 07:32:19 - xone
1. Android Development Tools
Set up the environment: development tools, a test device or virtual machine, and adb
2. Practice app security
2.2 Check the app's certificate and signature
Unzip the apk file, then:
- Output certificate content: keytool -printcert -file META-INF/CERT.RSA
- View the signature file content: cat META-INF/CERT.SF
- View the certificate: openssl pkcs7 -inform DER -in META-INF/CERT.RSA -noout -print_certs -text
2.3 Signing Android apps
- Generate keystore: keytool -genkey -alias demo.keystore -keyalg RSA -validity 40000 -keystore demo.keystore
- Re-sign the APK (the input apk is a placeholder; the alias is the one created above): jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore demo.keystore -signedjar demo_signed.apk <unsigned.apk> demo.keystore
2.4 Verify the app signature
- Verify the APK signature: jarsigner -verify -verbose demo_signed.apk
- AndroidManifest.xml file
- adb interacts with Activity (drozer can also be used)
- adb pull and push, file management
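The commands above inspect the certificate and let jarsigner check the signature; the example below (added here, not from the original page) shows what the first half of that check actually does, using only the Python standard library: it reads META-INF/MANIFEST.MF and recomputes the per-file digests, reporting files that were modified after the manifest was written or added without being listed. It builds a constructed in-memory archive with the assumed names classes.dex, res/layout/main.xml and assets/extra.bin, and it deliberately covers only the v1 manifest digests: the signature over CERT.SF and the signer certificate (which an attacker who re-signs with their own key would change) are what jarsigner -verify and, for v2/v3 signatures, apksigner verify check on top of this.

```python
import base64
import hashlib
import io
import zipfile

# Digest headers a v1 (JAR) MANIFEST.MF may carry, mapped to hashlib constructors.
DIGEST_ALGOS = {
    "SHA-256-Digest": hashlib.sha256,
    "SHA1-Digest": hashlib.sha1,
}


def parse_manifest(text):
    """Parse MANIFEST.MF into {entry name: {header: value}}.

    Handles CRLF or LF line endings and the JAR-spec continuation lines
    (a line starting with one space continues the previous header).
    """
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line:
            current = None  # a blank line ends an entry section
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            entries[current] = {}
        elif current is not None:
            entries[current][key] = value
    return entries


def verify_manifest_digests(apk_bytes):
    """Return {file name: "ok" | "mismatch" | "unlisted"} for every payload file.

    "mismatch": the file's bytes no longer match the digest recorded at signing
    time. "unlisted": the archive contains a file the manifest never covered.
    Either one means the archive was modified after MANIFEST.MF was written.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in z.infolist():
            name = info.filename
            if name.endswith("/") or name.startswith("META-INF/"):
                continue  # directories and the signature files are not listed
            headers = manifest.get(name)
            if headers is None:
                report[name] = "unlisted"
                continue
            data = z.read(name)
            ok = False
            for header, ctor in DIGEST_ALGOS.items():
                if header in headers:
                    actual = base64.b64encode(ctor(data).digest()).decode("ascii")
                    ok = actual == headers[header]
                    break
            report[name] = "ok" if ok else "mismatch"
    return report


def build_sample_apk(tamper=False, inject=False):
    """Constructed in-memory archive for the demo (not a real APK: it carries a
    MANIFEST.MF but no CERT.SF/CERT.RSA, since only the digests are checked here)."""
    files = {
        "classes.dex": b"dex\n035\0constructed sample",
        "res/layout/main.xml": b"<LinearLayout/>",
    }
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
        manifest += "Name: %s\r\nSHA-256-Digest: %s\r\n\r\n" % (name, digest)
    if tamper:  # modify a file after the manifest was produced
        files["classes.dex"] = b"dex\n035\0patched after signing"
    if inject:  # add a file the manifest knows nothing about
        files["assets/extra.bin"] = b"\x00\x01"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()
```

Run verify_manifest_digests() on the bytes of a real APK to see the same report; a clean build reports "ok" for every entry, a patched build shows "mismatch" for each edited file, and a repackaged build that added files shows them as "unlisted".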
3. Android Security Assessment Tools
Integrated environment: Santoku (based on Ubuntu, integrating some mobile security tools)
drozer
- Start the drozer agent on the device, then forward the port: adb forward tcp:31415 tcp:31415
- Connect the console: drozer console connect
- run app.package.list
- run app.package.list -f <app name>
- run app.package.info -a <package name>
- run app.activity.info -a <package name>
- run app.provider.info -a <package name>
- run app.service.info -a <package name>
- run app.broadcast.info -a <package name>
- run app.package.attacksurface <package name>
- run app.activity.start --action *** --category *** --component ***
Writing the drozer module
4. Exploiting vulnerabilities in the app
- logcat
- Network traffic: tcpdump
- Use drozer to attack exported components
- Perform a man-in-the-middle attack on the app (Burp Suite or other MITM tools)
5. Protect the app
- Components, no need to export
- Custom permissions
- content provider path
- Defending against SQL injection
- Verify the app's signature (anti-tampering)
- Anti-reverse engineering (detection of installers, simulators, debug flags)
- Proguard removes logs and/or does obfuscation
- DexGuard for advanced obfuscation
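The "no need to export" item above and drozer's app.package.attacksurface in section 3 are two sides of the same rule, so here is an added example (not from the original page) that applies that rule to a decoded AndroidManifest.xml with the standard library's xml.etree: an explicit android:exported wins; otherwise activities, services and receivers are exported only when they declare an intent-filter, and providers are exported by default when targetSdkVersion is below 17. It lists the exported components that carry no android:permission, readPermission or writePermission, which is the surface any app on the device can reach. The manifest, the package name com.example.demo and the component names are constructed for the demo; the hardened variant shows the fix of setting android:exported="false" on the components that were never meant to be reachable.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component, target_sdk):
    """Manifest default rules: explicit android:exported wins; otherwise a
    component with an <intent-filter> is exported, and a provider without the
    attribute is exported when targetSdkVersion < 17."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    if component.tag == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Return [{kind, name, protected}] for every exported component."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        # Any of the three permission attributes gates access to the component.
        perms = [p for p in (_attr(comp, "permission"), _attr(comp, "readPermission"),
                             _attr(comp, "writePermission")) if p]
        findings.append({"kind": comp.tag, "name": _attr(comp, "name"), "protected": bool(perms)})
    return findings


def unprotected_names(manifest_xml):
    """Names of exported components that no permission protects."""
    return [f["name"] for f in attack_surface(manifest_xml) if not f["protected"]]


# Constructed manifest: one launcher activity plus several accidental exports.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver"
        android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"/>
  </application>
</manifest>"""

# Hardened variant: the admin screen and the provider are no longer exported.
HARDENED_MANIFEST = (
    SAMPLE_MANIFEST
    .replace('android:name=".AdminActivity" android:exported="true"',
             'android:name=".AdminActivity" android:exported="false"')
    .replace('android:authorities="com.example.demo.notes"',
             'android:authorities="com.example.demo.notes" android:exported="false"')
)
```

Feed the function the output of apktool or aapt dump xmltree (converted back to plain XML) rather than the binary manifest inside the APK; the binary form needs decoding first.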
6. Reverse app
- java to dex: javac -source 1.6 -target 1.6 Example.java
  (dx path: D:\AndroidSDK\build-tools\22.0.1\lib\dx.jar) dx --dex --output=Example.dex Example.class
- dex file format / dex file parsing:
  (dexdump path: D:\AndroidSDK\build-tools\22.0.1\dexdump) dexdump Example.dex
  dx --dex --verbose-dump --dump-to=outfile.txt Example.class
- dex to smali: baksmali.jar Example.dex -o out
- smali to dex: smali.jar out -o out.dex
- dex2java: dex2jar Example.dex, then open the resulting jar in jd-gui
- NDK .so library: objdump -D ×××.so; dynamic analysis with gdbserver + gdb
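To make the "dex file parsing" step concrete, here is an added example (not from the original page) that reads the fixed 0x70-byte dex header that dexdump prints first, and recomputes the two integrity fields: the Adler-32 checksum covers everything after itself (offset 12 onward) and the SHA-1 signature covers everything after itself (offset 32 onward). A repackaged or patched classes.dex whose header was not regenerated fails these checks, which is a cheap first test before any deeper analysis. The sample dex is constructed for the demo and is header-only (no string, type or class tables), so only the header is meaningful.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70
# The 20 little-endian u4 fields that follow magic[8], checksum u4 and signature[20].
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data):
    """Return the header fields plus checksum_ok / signature_ok / endian_ok flags."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a dex header")
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("bad magic %r" % magic)
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    header = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    header["version"] = magic[4:7].decode("ascii")
    header["checksum"] = checksum
    header["signature"] = signature.hex()
    # Both integrity values are defined over the bytes that follow them.
    header["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    header["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    header["endian_ok"] = header["endian_tag"] == 0x12345678
    return header


def build_sample_dex():
    """Constructed header-only dex (version 035) with a valid checksum and signature."""
    # file_size, header_size, endian_tag, then 17 zeroed size/offset fields.
    body = struct.pack("<20I", HEADER_SIZE, HEADER_SIZE, 0x12345678, *([0] * 17))
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + body


def tampered_sample_dex():
    """The same sample with one byte of link_size flipped and no header fix-up."""
    data = bytearray(build_sample_dex())
    data[44] ^= 0x01
    return bytes(data)
```

On a real classes.dex pulled with adb, compare the parsed string_ids_off, class_defs_size and map_off against dexdump's output; a header whose checksum_ok is False while the app still installs usually means the file was edited and the tool that edited it did not regenerate the header.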
7. Cybersecurity
- Verify the SSL self-signed certificate (be careful not to copy and use incorrect validation code found on the web)
- Using the StrongTrustManager from the OnionKit library
- SSL pinning – limiting the scope of trusted SSL
8. Exploitation and analysis of vulnerabilities in native code
- Overflow and root vulnerabilities, omitted
- Automatic fuzzing testing of Android native code:
- Radamsa fuzzer
- busybox
9. Encryption and using device management policies during development
- Using the Cryptography Library
- Generate symmetric encryption keys
- Protecting SharedPreferences data
- Password-based encryption
- Encrypting the database with SQLCipher
- Android Keystore provider
- Using device management policies when developing