Workshop by David Rook (Security Ninja) at BruCON 2011 in Belgium. You can download the slides from here.
Required for the Agnitio hands-on demos:
- A 32-bit Windows operating system (XP or 7 preferably – VM will be fine)
- .NET framework 3.5 installed
- Agnitio v2.0 installed
- Download the Pandemobium Android and iOS source code
- Download the selected vulnerable open source application
In addition to the list above, the following things are optional, depending on how hands-on you want to be:
- Internet connection to download an application from the Android market place
- Eclipse IDE installed
- Android SDK installed
- Android Debug Bridge (adb) installed, this should be installed as part of the SDK install
- An AVD configured with the Android market place app installed (instructions here)
- I think you can also use a rooted Android device if you don’t want to use the emulator
- A quick look at static analysis and the strengths and weaknesses of humans and software
- What is Agnitio and why do I think checklists are a vital component of security code reviews
- Some examples of what can go wrong if you don’t use checklists to find and remove simple flaws
- Demos/hands on: using checklists in Agnitio to review source code, produce reports and metrics
- Demos/hands on: how to customise your Agnitio installation
- A look at mobile (Android and iOS) application security and how analysis is currently done
- Demo/hands on: using the mobile specific rule sets in the Agnitio static analysis module
- Demo/hands on: downloading an app from the marketplace and decompiling it using Agnitio