The Mobile Application Hacker’s Handbook – Live Edition

Presented By: Dominic Chell
The course follows chapters 1-9 of the Mobile Application Hacker’s Handbook, with a strong focus on practical attacks. Over the 2-day training course delivered by the lead author of the book, delegates will learn the tricks and techniques to hack mobile applications on the iOS and Android platforms.

Course Syllabus
Learning Objectives

This course is an all-new novice to advanced level class that walks through the iOS and Android sections of the Mobile Application Hacker’s Handbook. We provide the most comprehensive and cutting edge guide to mobile application security, including coverage of both iOS8 and Android Lollipop.

Delegates will gain a theoretical and practical understanding of:

How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS and Android apps,
How to decompile, reverse and patch iOS and Android apps,
How to hack webviews, client-side databases and the keychain,
Instrument application runtimes using Frida, CydiaSubstrate, Cycript and Substrate tweaks,
Exploitation of IPC mechanisms including content providers, URL handlers, broadcasts and intents,
Practical exploitation of poorly implemented cryptography,
Real-world, 2015 techniques used to defeat real apps on iOS8 and Lollipop!
Knowledge of defensive and remedial advice.
Daily Class Outline:

Day 1:

The course begins with a brief introduction to mobile application security and the OWASP mobile top ten, following chapter 1 of the book. When delegates are comfortable with general mobile application security practices, we delve in to the security of the iOS platform, including an overview of the platform security features, jailbreaking and approaches to app security assessment. The following modules then review chapters 2, 3 and 4 of the book where common insecurities are covered, including but not limited too:

Reverse engineering and patching binaries,
Insecure file storage,
Keychain attacks,
Insecure transport security,
Instrumenting the iOS runtime,
Injection attacks,
How to exploit IPC handlers,
How to defeat security controls like jailbreak detection.
Day 2:

Day two of the course picks up at chapter 6, discussing the various attack surfaces for the Android platform and how to approach an app assessment. We then walk through the details the techniques that from chapter 7 and 8 that can be used to attack Android applications, including the following topics:

Reverse engineering and decompiling Android apps,
Insecure file storage,
Insecure transport security,
Instrumentation of the Dalvik runtime with Frida and Substrate,
Exploitation of insecure IPC endpoints,
Tap jacking.
Student Requirements
A basic knowledge of programming and mobile security concepts.
Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.
We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.
A laptop with the capability to connect to wireless and wired networks.
The laptop should be of a reasonable specification, we recommend at least 8GB of RAM with at least 16GB of disk space free.
Students require a player to run VirtualBox images.
All delegates will be provided with a suitable iOS device to perform this section of the labs, it is not necessary to bring your own.
About the Trainer
Dominic Chell is a director and co-founder of MDSec as well as lead author for the Mobile Application Hacker’s Handbook. Dominic has delivered security consultancy and training on mobile security to leading global organisations in the financial, government and retail sectors for the past 9 years. He has previously spoken or provided training at industry leading conferences such as BlackHat, HackInTheBox, 44CON and AppSec.