Mobile Application Hacking Training
Hacking a mobile app is often an attacker's first step towards critical information and the back-end systems behind the app.
On 25 and 26 October 2018 we organized a mobile application hacking training for developers and pentesters, teaching them how to identify security flaws in iOS and Android apps and how to reduce costs by implementing security features early on. The training was very well received by the participants and scored an average of 8.7 in the feedback.
Good to practice the basics of application hacking, how to defend & attack and to learn more about the infrastructure of Android and iOS
Is this too short notice for you? Sign up for our periodic newsletter and we will keep you up to date on upcoming events, so you don't miss any interesting workshop or training course you would like to attend.
Program Mobile Application Hacking Training Android & iOS
Day 1 Morning: Android theory
After the introduction, the theory behind Android applications is covered in two sections: Android architecture and Android security features.
- Android architecture
In this section you will learn the concepts and internals of the Android operating system and the issues caused by the current fragmentation of the Android ecosystem. Next is an explanation of how Android applications are actually built and distributed.
- Android Security Features
Here you learn how the security features of the operating system tie into application security. We start with the technical background of these features and how they have evolved between Android versions. Later, you learn how to recover source code from a deployed APK file and how to circumvent these security features.
Day 1 Afternoon: Android practical experience
During the afternoon we do 4 practical exercises. They give you a basic toolbox for Android application testing and hands-on experience in assessing security, by showcasing common attacks and flaws. The afternoon is split into the following 4 exercises:
- Tooling and setup
In this section you get your toolbox in place for Android mobile application security assessments by jointly installing and correctly configuring tooling like adb, jadx and Burp Suite.
- MitM attacks for Android apps
Performing a man-in-the-middle (MitM) attack on the traffic between an app and its back-end is an effective way to gain unauthorized access to information. In this practical exercise you learn how to set up a MitM position and how to execute the attack successfully.
- Modify Android application
In this practical exercise you learn various methods to alter the Android application under investigation, for example to escalate privileges or to access proprietary information.
- Find broken crypto
Correct implementation of cryptography is critical for security, but getting it right is far from straightforward. In this practical exercise you learn various methods to identify incorrectly designed or implemented cryptography.
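The "find broken crypto" exercise starts from decompiled source, so as an added example (not part of the training material or its tooling) here is a small Python scanner that greps jadx output for the classic Android crypto mistakes: a transformation string without mode or padding (Android's provider then falls back to ECB/PKCS5Padding), explicit ECB, obsolete algorithms and hashes, a key built from a string literal, a constant IV, java.util.Random used for key material, and a low PBKDF2 iteration count. The decompiled class in SAMPLE_DECOMPILED is constructed for this example, and the 10000-iteration threshold is a heuristic chosen here, not a rule from the course.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str   # rule identifier from RULES
    line: int   # 1-based line in the scanned file
    text: str   # the offending source line, stripped


# (rule id, pattern matched against one line of decompiled Java, why it matters)
RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("CIPHER_DEFAULT_MODE",
     re.compile(r'Cipher\.getInstance\(\s*"(AES|DES|DESede)"\s*\)'),
     "no mode/padding given; Android's provider falls back to ECB/PKCS5Padding"),
    ("CIPHER_ECB",
     re.compile(r'Cipher\.getInstance\(\s*"[^"]+/ECB/'),
     "ECB mode leaks plaintext block patterns"),
    ("WEAK_CIPHER",
     re.compile(r'Cipher\.getInstance\(\s*"(DES|DESede|RC4|ARCFOUR|Blowfish)[/"]'),
     "obsolete or weak algorithm"),
    ("WEAK_HASH",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD2|MD5|SHA-?1)"'),
     "broken hash function, unsuitable for integrity or password storage"),
    ("HARDCODED_KEY",
     re.compile(r'new\s+SecretKeySpec\(\s*"[^"]*"\.getBytes\('),
     "key derived from a string literal shipped inside the APK"),
    ("STATIC_IV",
     re.compile(r'new\s+IvParameterSpec\(\s*(new\s+byte\s*\[\s*\d+\s*\]\s*\)|"[^"]*"\.getBytes\()'),
     "constant or all-zero IV reused across messages"),
    ("INSECURE_RANDOM",
     re.compile(r'new\s+(java\.util\.)?Random\('),
     "java.util.Random is predictable; key/IV/nonce material needs SecureRandom"),
    ("LOW_PBKDF2_ITER",
     re.compile(r'new\s+PBEKeySpec\([^;]*,\s*\d{1,4}\s*,'),
     "PBKDF2 iteration count below 10000 (heuristic threshold chosen for this example)"),
]


def explain(rule_id: str) -> str:
    """Return the one-line rationale for a rule id."""
    for rid, _pattern, why in RULES:
        if rid == rule_id:
            return why
    raise KeyError(rule_id)


def scan_source(source: str) -> List[Finding]:
    """Run every rule over each line of one decompiled Java file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, _why in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, lineno, line.strip()))
    return findings


def scan_jadx_output(root: str) -> Dict[str, List[Finding]]:
    """Walk a jadx output tree (e.g. from `jadx -d out app.apk`) and scan each .java file."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".java"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                results[path] = found
    return results


# Constructed sample of what jadx typically produces for a poorly written helper class.
SAMPLE_DECOMPILED = """package com.example.vault;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.util.Random;

public class CryptoHelper {
    private static final SecretKeySpec KEY =
            new SecretKeySpec("s3cr3tk3y1234567".getBytes(), "AES");

    public static byte[] encrypt(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, KEY);
        return c.doFinal(data);
    }

    public static byte[] encryptCbc(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new IvParameterSpec(new byte[16]));
        return c.doFinal(data);
    }

    public static String hashPin(String pin) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return toHex(md.digest(pin.getBytes()));
    }

    public static byte[] sessionToken() {
        byte[] b = new byte[16];
        new Random().nextBytes(b);
        return b;
    }
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_DECOMPILED):
        print(f"line {f.line:>3}  {f.rule:<20} {f.text}")
        print(f"           {explain(f.rule)}")
```

Run it against a real decompilation with `scan_jadx_output("out")` after `jadx -d out app.apk`. The rules are deliberately line-based and conservative: they will miss a key assembled across several statements or fetched by reflection, so treat a clean report as "nothing obvious", not as proof the cryptography is sound, and confirm every hit by reading the surrounding code.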
Day 2 Morning: iOS theory
In the morning we start with the theory behind iOS, since its architecture and security features differ from Android's, which also requires a slightly different approach when assessing mobile application security.
- iOS architecture
In this section you will learn the concepts of the iOS operating system and how it differs from an Android environment. We touch upon why this environment is so restricted and how Apple tries to make it difficult for hackers and researchers to get into the system. You will also learn about the difficulties of testing with and without a jailbroken iOS device.
- iOS Security Features
Here you learn how the security features of the operating system tie into application security. We start with the technical background of these features and how they have evolved between iOS versions. Later, you learn how to perform runtime modification of iOS application code and how to extract information from the file system.
Day 2 Afternoon: iOS practical experience
During the afternoon we do 3 practical exercises. We continue to build up your toolbox for iOS application testing and gain practical experience by performing a few attacks. Because iOS apps can only be tested on physical devices and not in an emulator (the Xcode simulator does not run App Store builds), the afternoon is structured as follows:
- Tooling and setup
In this section you get your toolbox in place for iOS application security assessments by jointly installing and correctly configuring tooling like Cydia Substrate.
- iOS filesystem analysis
In order to perform successful attacks on iOS, it is critical to understand the files
- iOS application manipulation demo
In this demo you will see how an attacker can perform runtime modification of a running application, for example to circumvent access controls.
Day 2: Wrap-up session
Lastly, we close the afternoon with a recap of what was learned and showcase several sources where you can continue to develop your skills as a mobile application hacker.
Required skills & expertise
A technical background is required for this course, as the training covers in-depth technical concepts and requires running various scripts. Programming experience is not required but useful; experience with the Linux command line is a plus.
This training is suitable for:
- Mobile application developers;
- Mobile application testers;
- Software engineers;
- Technical staff involved in security management.
Learning objectives
- Gain knowledge of the Android and iOS architecture
- Gain knowledge of security concepts and methods for protecting mobile applications
- Create a basic toolbox to perform actual security testing of dummy mobile applications
- Be able to perform basic mobile application security testing after the course
- Learn to perform several mobile application attacks, like MitM and modifying application data
- Learn to identify security weaknesses in cryptography
- Learn to perform filesystem analysis
- Get access to multiple sources to develop your skills further
Unfortunately, the registration for this open class training is closed. Check our agenda for more interactive training courses and hands-on hacking workshops that are open to join. If you would like to enquire about the possibility of hosting an interactive tailor-made threat modeling session in your company, please let us know via the contact form, by telephone + 31 40 23 77 990 or email firstname.lastname@example.org. Want to be the first to know more about our upcoming training courses and workshops? Sign up here!