The Mobile Application Hacker’s Handbook: Live Edition

Presented By: Razvan Sima, MDSec

The course begins with a brief introduction to mobile application security and the OWASP mobile top ten, following chapter 1 of the book. When delegates are comfortable with general mobile application security practices, we delve in to the security of the iOS platform, including an overview of the platform security features, jailbreaking and approaches to app security assessment. Day two of the course picks up at chapter 6, discussing the various attack surfaces for the Android platform and how to approach an app assessment. We then walk through the details of techniques from chapter 7 and 8 that can be used to attack Android applications.

The 2 day course will take place on the 10th & 11th September 2019 in London.
The price is £1,300 (inc VAT). Book your place in our shop now.

Learning Objectives

During the course beginner and intermediate security researchers will learn basic skills as an introduction to mobile security assessments. Advanced topics will also be covered during the 2-day course including reverse engineering and runtime instrumentation. Key learning objectives can be summarised as follows:

  • The security protections on iOS and Android devices
  • How iOS and Android devices are jailbroken or rooted
  • How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS and Android apps
  • How to decompile, reverse and patch iOS and Android apps
  • How to hack WebView’s, client-side databases and the keychain
  • Instrument application runtimes using Frida
  • How to intercept network traffic and bypass certificate pinning
  • Exploitation of IPC mechanisms including content providers, URL handlers, application extensions, broadcasts, activities and intents
  • Practical exploitation of poorly implemented cryptography
  • Bypass security controls such as root or jailbreak detection
  • Real-world techniques used to defeat real apps on iOS and Android
  • Knowledge of defensive and remedial advice

Course Outline

Day 1 – iOS:

  • Reverse engineering and patching binaries,
  • Insecure file storage,
  • Keychain attacks,
  • Insecure transport security,
  • Instrumenting the iOS runtime,
  • Injection attacks,
  • How to exploit IPC handlers,
  • How to defeat security controls like jailbreak detection,
  • Instrumentation on non-jailbroken devices.

Day 2 – Android:

  • Reverse engineering and decompiling Android apps,
  • Insecure file storage,
  • Insecure transport security,
  • Instrumentation of the Dalvik and ART runtime with Frida,
  • Exploitation of insecure IPC endpoints,
  • App jacking.

Target Audience

This course is ideally suited for penetration testers or developers wanting to gain a foothold in to penetration testing mobile devices and mobile apps.

Student Requirements

A basic knowledge of programming and mobile security concepts is useful but not essential.

What to Bring

  • Administrative access to a laptop with the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.
  • Laptop with the capability to connect to wireless and wired networks.
  • We recommend at least 8GB of RAM with at least 16GB of disk space free.

Software Requirements

Students require a player to run VirtualBox images. Instructions will be provided well ahead on how to setup the VM software and download the VM image.

Students will be provided with

  • The training material in electronic format
  • A mobile hacking virtual machine, packed with all the tools to perform an assessment
  • Downloadable copies of the labs that they can take away and work on in the future
  • After course e-mail support

About the Trainer

Lead Instructor – Razvan Sima

Razvan is head of mobile service line at MDSec and has been with the company for over 4 years. The MDSec team have provided training at conferences, security organisations and clients for the past 14 years. Our experienced team are renowned experts in the field of application security, backed by our leading publications the Mobile Application Hacker’s Handbook and the Web Application Hacker’s Handbook. Our penetration testing team have been responsible for thousands of assessments delivered to financial, government and retail organisations across the globe; let us share our experience with you.

Book your 44CON 2019 training course now!