Started in 2010, Nullcon is an international security conference held annually. At this conference, experts from various domains in information security gather to give talks and training on next-generation defensive and offensive security technologies. For the current year, the conference was held at the 'Holiday Inn', one of the best resorts in Goa, from 28th Feb. to 4th Mar.
Exploitation of Android applications is one of the most popular fields in information security nowadays. My colleague and I had been signed up by my group EVM for the 'extreme android exploitation lab' training at Nullcon. This training was planned as a two-day event on 1st and 2nd March 2017. Nullcon 2017 was going to be the first ever hacker conference I would attend, so I was pretty excited before reaching there. We reached the venue on time, and after completing the required formalities we were directed to the training hall. Approximately 40 information security professionals from various reputed companies like Qualcomm, Mercedes-Benz, HSBC Bank, etc. were attending the training. All of them had varying degrees of experience in different domains of security. Some of them had spent 8 - 9 years in this field, while others were relatively new to it, like us. However, when it came to Android exploitation, the crowd as a whole was relatively less experienced, and they were eager to enhance their Android exploitation skills through this training.
The trainers for this session were Anant Shrivastava and Anto Joseph. Anant Shrivastava is an information security professional with 7+ years of corporate experience and expertise in mobile, application and Linux security. He had previously trained professionals at various conferences like BlackHat USA - 15, BlackHat Europe - 15, RuxCon 2015 and many more. Anto Joseph is currently a Security Engineer for Citrix with 4+ years of expertise in mobile, systems, and the web. Despite having so many accolades, they were quite down to earth and very helpful. No matter how silly a question, they would patiently answer it and would not move ahead with the training until each of the participants was able to complete the practical exploits and challenges in the training.
The training in itself was quite illuminating. Being a novice in the field of Android exploitation, I was concerned about whether I would be able to grasp the concepts, but to my surprise, the training began from the basics. It began with as basic a concept as what an Android application's code consists of and progressed to concepts as advanced as analysis and fuzzing of applications. We were provided with Android Tamer, which is a Linux distribution specifically designed for Android exploitation. We were instructed on using the features of Android Tamer for exploitation, and among the many new things we learned were techniques for bypassing root detection using tools like the Xposed framework, automated static and dynamic analysis of mobile applications using tools like MobSF, injecting malicious code into the application at runtime, certificate pinning, etc. Though there were little tidbits of theoretical knowledge strewn across the training, the training in itself was practice-oriented. We were provided with demo applications and challenges after each concept was discussed so that we could have hands-on experience in utilizing them to exploit Android applications.
The training was followed by a CTF where the concepts we learned across those 2 days were put to use. Contrary to the challenge applications during the training, each of which related to a particular aspect, the CTF application was a complete package where we had to apply all our skills, just like testing any Android application in the wild where we have limited or no information available. The trainers were present throughout and guided anyone who faltered at any step during the exploitation. The CTF tested everything we learned during the training and, after I completed it, gave me a sense of satisfaction that I had learned Android exploitation to a certain degree.
The experience at Nullcon 2017 was quite an eye-opener, where we met many security professionals belonging to different domains as well as learned many new techniques for exploitation of applications. I express my sincere gratitude to my group EVM for providing me the opportunity to attend this world-class hacking conference. The conference not only helped me learn new stuff but also kindled my desire to become a knowledgeable information security analyst. Everyone should try to attend Nullcon whenever such an opportunity presents itself. All in all, attending Nullcon 2017 was a great experience, and it reaffirmed my belief that when it comes to the field of information security, there is a lot we have to learn, and we must apply that knowledge to secure our environment.
Authored By - Krishna Chandra Panda
TCS Enterprise Security and Risk Management