About Kartik Lalan

A Computer Science Graduate, working on Android & Info-Network Security and deeply nested to it. Making it easier for you, I have tried to make very specific & detailed articles so that you can learn it swiftly with grace. Conducted multiple talks & workshops at Null-OWASP-DroidCon-BSides on Secure Mobile App development.

We also provide corporate training in Android app development and best practices for developing secure apps.

2. Sniffing HTTP/HTTPS Traffic on AVD (Android emulator)

Sometimes you may need to use an AVD (Android Virtual Device) / emulator to intercept app traffic. Earlier virtual devices did not have a WiFi interface, so you needed to rely on the command line to use them for API interception (newer ones have WiFi, so you can use it directly […]

1. Sniffing HTTP/HTTPS Traffic of Android App on Non-Rooted phone.

While performing an Android pen-test, you also need to check what data the Android app is sending to the back-end server. You might be interested not just in viewing, but in manipulating the ongoing communication between the mobile app and the server, or sometimes an IoT device. For this you need to have an HTTP proxy running on your laptop, where you […]

5. Reversing & Recompiling .APK to Bypass Root-detection

Rooting an Android phone lets any app obtain superuser access once it is granted, which becomes a risk for the other apps installed on that device in terms of violating the CIA triad. To minimize this risk, many apps come with a root-detection mechanism, which won’t allow the user to run the app on a rooted device. On having a rooted […]

4. Reversing & Repatching .APK to pen-testing on Non-Rooted/Rooted phone to bypass OS Security

As seen in the previous post about reverse engineering an Android .apk file into Smali code, this article explains how to 1) decompile an .apk file, 2) modify a part of it, 3) recompile it to obtain a new unsigned .apk file, and 4) sign it and install it on any device. In majority apps […]

3. Reverse Engineering Android .apk using ApkTool to get .Smali Files

In the previous article we saw how to get ClassDex-Java class files via Apktool. In this post we will see how to get .smali files from the .apk file. Smali files are easy to understand if a person has basic knowledge of assembly-level language. Smali files have mnemonic / instruction set similar to […]

2. Reverse Engineering Android .apk using ( ApkTool – D2J – JDGui ) Combination

Previously we saw how to get source code back from an .apk using Jadx via reverse engineering. Here we will do the same thing with a different tool set, using a combination of: 1) ApkTool (Download Link) - this can extract Manifest.xml, resources, certificates, assets, layout, classes.dex or smali source code files from any .apk 2) D2J (Dex2Jar – Download Link) […]

1. Reverse Engineering Android .apk using Jadx

Android applications are packed inside .apk files with all resources, assets, class files, certificates, layout files, config Manifest files, etc. Compiling application source code into an .apk file turns the Java class files into class-Dex files, which are not in human-readable form. If we rename this .apk to .zip then we can get resources and […]

Input Validation Failure in Native Library Files causing App Crash via Bufferoverflow – #13 DIVA Solution

By now you probably know that an Android apk can be built using Java, Kotlin, HTML-JS (cross-platform apps), as well as native languages such as C, C++, etc. (the reason being that they can reuse popular libraries already available in those languages, plus better performance). When we talk about apps using Native languages compilation using C/C++, such […]

Identifying Hard-coded sensitive values in Native Library Files – #12 DIVA Solution

You probably know that an Android apk can be built using Java, Kotlin, HTML-JS (cross-platform apps), as well as native languages such as C, C++, etc. (the reason being that they can reuse popular libraries already available in those languages, plus better performance). When we talk about apps using Native languages compilation using C/C++, such languages could […]

Exploiting Content Provider – #11 DIVA Solution

A content provider manages access to app data (user installed or default system app) securely. Content providers are primarily intended to be used by other applications (or the app itself), which access a consistent, standard interface to the data. For example, App-1 has a SQLite DB, and if some data from App-1 is to be shared with App-2, […]