Mobile phone usage continues to grow at an outstanding rate, with mobile applications an increasingly common development target. This course will teach how to go about testing mobile platforms, and installed applications to ensure they have been developed in a secure manner.

Hacking By Numbers Mobile will give you a practical window into the methods used when attacking mobile platforms. This course is ideal for penetration testers/auditors/developers who are new to the mobile area and need to understand how to analyse and audit applications on various mobile platforms using a variety of tools and platforms. This course uses a mixture of lectures, hands-on-labs, demonstrations and group exercises. You’ll tear apart 10 mobile applications looking for flaws and exploiting them.

This is a new course in the Hacking By Numbers series and one we are incredibly excited about.

Course Length: 2 days

Course Syllabus

Day One

The world as we know it

  • The Mobile Eco Systems
  • Historical Background (Sim toolkits and J2ME)
  • Common Technology – Similarities and Differences (Web vs. Mobile)
  • HTTP Basics and how they release to mobile applications.
  • IOS Platform Security
  • Android Platform Security
  • RIM and Windows 8 Platform Security

Covering the basics

  • Common design patterns (MVC)
  • Common protocol (HTTP/HTTPS/XML/JSON/Sockets)
  • Languages – Java/Objective C/Mobile .NET etc.

Building your penetration testing platform

  • What OS
  • Hardware and Emulators (The how and when and if)
  • Tools
  • Device Configuration and Lab Prep
  • Interception, breaking into the stream, basic protocol analysis

Mobile Application Analysis

  • Information Gathering (the what the where and the how)
  • Enumerating Server-Side technologies and functionality (MVC one backend fits all)
  • Storage, configuration and common mistakes (what people leave and where)
  • IOS Security
  • Android Security
  • RIM and Windows 8
  • Security models, and what impact it has on app pentesting

Static Analysis

  • Extracting the application from the device
  • Information disclosure
  • Reverse engineering the application
  • Reviewing permissions and identifying misconfigurations
  • Memory analysis (Checking the unseen)

Day Two

Authentication & Authorization

  • Determining how authentication & authorization are performed
  • Single sign-on, SMS and push notifications
  • Reviewing file permissions created at runtime for flaws
  • Dealing with stored credentials

Data validation

  • Local inputs injection
  • Server side injection
  • Inputs from untrusted sources

Session Management

  • How are sessions handled
  • Data storage and encryption of sessions
  • How/what sensitive data is stored on the mobile device and when

Transport Layer Security & Information Disclosure

  • Security of log files
  • Cache
  • Broken Crypto, Breaking Assumptions

Student Requirements

It should not be your first hacking course, but can be taken back-to-back with Bootcamp or with Combat, depending on your existing level of experience. Although prior participation in an HBN course is not a prerequisite, significant exposure to hacking training, tools and techniques is highly recommended. Students should ideally have some development understanding and the ability to read code. Exposure to basic application development and coding would be preferred. (Not necessarily mobile development)

What to Bring

We will provide a USB drive with all the tools used, course handbook and slides. A week before the course, we will send out an email with detailed instructions on how to download our testing image and get ready for the training.

Attendees will need to bring laptops capable of running a VM image.

About the Trainer

All of SensePost’s Hacking By Numbers trainers are working as penetration testers or developers. What we perform for our clients often makes it into our HBN courses as modules. We love teaching and have been doing so at places like Blackhat for over a decade now. Our courses are hands on, fun to do and also show real-world scenarios that students will encounter.