@sempf
Created September 28, 2016 01:31
DerbyCon 2016 presentation - Breaking Android Apps for Fun and Profit
What I'm talking about
• Intro
• Mobile Top 10
• Set up a test Gmail account
• Connect it to Facebook, Twitter, Linkedin if you can.
Local test environment
• Genymotion
○ Requires VirtualBox
○ Turn off Azure
• Burp Config
○ Set up the 8090 proxy listener
• Network Config
○ Trust the certificate
○ Set up the proxy in the network settings
• Viewing network traffic
○ Filtering in Burp
○ Ins and outs of API calls
○ Sometimes Burp doesn't show them!
○ Try ZAP, fiddler
• Testing the services
○ SoapUI
• Dev setup
○ Android Studio
○ ADB
• Log in with ADB
○ adb devices
○ Already connected if virtual
○ adb shell
○ This is basically a shell
• File system
○ It's just a linux box
○ You probably know where more interesting things are in here than me, frankly
• Where things are
○ In /data/data you'll find all the apps
○ That's a good place to start
• Downloading stuff
○ You can copy it to the host
○ adb pull
○ Get a copy before and after logging into app
• Get the APK
○ That APK downloader I found
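The before/after snapshot step above, as an added example (not part of the gist): pull an app's private data directory with adb before and after logging in, then list what the login wrote or changed and flag files that look like they hold credentials. The package name is a placeholder, and reading /data/data needs a rooted device or emulator.

```shell
# Added example, not from the talk. Assumes adb is on PATH and the device
# (or Genymotion VM) is rooted so /data/data/<pkg> is readable.

# snapshot_app_data PKG DEST : copy /data/data/PKG from the device into DEST
snapshot_app_data() {
    pkg=$1; dest=$2
    mkdir -p "$dest"
    adb pull "/data/data/$pkg" "$dest"
}

# list_files DIR : relative paths of every regular file under DIR, sorted
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort )
}

# diff_snapshots BEFORE AFTER : print files that are new or changed
# in AFTER relative to BEFORE (what the login wrote to local storage)
diff_snapshots() {
    before=$1; after=$2
    list_files "$after" | while read -r f; do
        if [ ! -e "$before/$f" ]; then
            printf 'NEW      %s\n' "$f"
        elif ! cmp -s "$before/$f" "$after/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}

# grep_for_secrets DIR : text files whose content looks like a stored
# credential; each hit is a finding to review (should it be in the keystore?)
grep_for_secrets() {
    grep -rIl -iE 'password|token|secret|authorization' "$1" 2>/dev/null \
        | sed "s|^$1/||" | LC_ALL=C sort
}

# Usage on a real device (com.example.app is a hypothetical package):
#   snapshot_app_data com.example.app ./before
#   ... log in to the app ...
#   snapshot_app_data com.example.app ./after
#   diff_snapshots ./before ./after
#   grep_for_secrets ./after
```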
PC Test environment
• Using Qark to scan
○ Linux only
• Using Virtuous Ten for code analysis
○ How to get a project installed.
○ It's just a ZIP file
○ You can just open it up
○ Manifest is a GREAT place to look
• What I test for (spreadsheet)
Device test environment (airdroid)
• Rooting
○ You can look this up
○ But there are root ROMs for most phones
○ Fastboot is a key command
• Other than that, all the same stuff applies
○ Run the app
○ Get the data files
○ Watch the network traffic
○ Get the APK
○ Decompile it
• Device specific stuff
○ Bluetooth
○ Camera
○ GPS
○ All better on the metal
• There are some nice tools
○ Local Proxy
○ File Manager
○ Nethunter
○ APK extractor
• Speaking of tools
○ I'm writing a tool to check for vulnerable libraries
○ Like retire.js, which I love a bunch
○ Feel free to help out
○ It's on github
• That's about it