Mobile Application Hacking Training
With an ever-increasing amount of mobile apps, strong focus on their usability and them being accessible to everybody, mobile applications are an interesting target. Hacking mobile apps is a great way to a first step to gain access to the critical information and hacking the back-end. For developers and pentesters it is critical to know where common security flaws lie and how to prevent these to support your organization to minimize the risk of security breaches and to reduce costs by implementing security features early on. This course is given by Secura mobile application security experts.
This training is suitable for:
- Mobile application developers;
- Mobile application testers;
- Software engineers;
- Technical staff involved in security management.
Required skills & expertise
Technical background and expertise is required for this course as the training will describe in depth technical concepts and requires execution of various scripts. Programming experience is not required, thought useful. Experience with the Linux command line is a plus.
The Mobile Security training course consists of two days. The first day is focused on Android and the second day on iOS. We start from a theoretical perspective with practical exercises in each afternoon, so you go home with a toolbox and practical experience.
Day 1 Morning : Android Theory
After the introduction the theory around Android applications is discussed in two sections: Android architecture and Security Features.
- Android architecture
In these sections you will learn the concepts and internals of the Android operating system and the issues with the current fragmentation in the Android ecosystem. Next is an explanation of how Android application are are actually created and distributed.
- Android Security Features
Here you learn how the available security features of the Operating System tie into application security. We start out with a technical background of these security features and how they evolve between different Android versions. Later, you learn how you can reverse engineer the source code from a deployed apk file and circumvent these security features.
Day 1 Afternoon : Android practical experience
During the afternoon we will do 4 different practical exercises, which will give you a basic toolbox setup to perform Android application testing and practical experience in how to assess security by showcasing common attacks and flaws. The afternoon is split up onto 4 practical exercises, namely:
- Tooling and setup
In this section you get your toolbox in place for Android mobile application security assessments by jointly installing and correctly configuring tooling like adb, jadx and Burp Suite.
- MitM attacks for Android apps
Performing Man-in-the Middle-attacks (MiTM attacks) is an effective way to gain unauthorized access to information. Within this practical example you will learn to setup a MitM attack and how to successfully execute this attack.
- Modify Android application
During the practical exercise you learn to various methods to alter the Android application you are investigating, thereby being able to escalate privileges, or access proprietary information.
- Find broken crypto
Correct implementation of cryptography is critical for security, however this is not as straight forward. Within this practical exercise you learn various methods to identify incorrectly designed/implemented cryptography.
Day 2 Morning : iOS theory
In the morning we start with explaining the theory behind iOS as the architecture and security features vary from Android, hence also requiring you to use a slightly different approach when assessing the mobile application security.
- iOS architecture
In this section you will learn the concepts of the iOS operating system and how this differs from an Android environment. We will touch upon why this environment is so restricted and how Apple tries to make it difficult for hackers and researchers to get into the system. Also, you will learn about difficulties performing tests with or without jailbroken iOS devices.
- iOS Security Features
Here you learn how the available security features of the Operating System tie into application security. We start out with a technical background of these security features and how they evolve between different iOS versions. Later, you learn how you can perform runtime modification of iOS application code and how to extract information from the file system.
Day 2 Afternoon : iOS practical experience
During the afternoon we will do 3 different practical exercises. We continue to build up your toolbox to perform iOS application testing and we gain practical by performing a few attacks. Because iOS can only be run on physical devices, and not in emulator, we train in the following manner:
- Tooling and setup
In this section you get your toolbox in place for iOS application security assessments by jointly installing and correctly configuring tooling like cydea substrate.
- iOS filesystem analysis
In order to perform successful attacks on iOS, it is critical to understand the files
- iOS application manipulation demo
In this demo you will see how an attacker can perform runtime modification of a running application. To for example circumvent access controls.
Day 2: Wrap up session
Lastly to close the afternoon with a recap on the information learned and we will showcase several sources where you can continue to develop your skills as a mobile application hacker.
- Gain knowledge of the Android and iOS architecture setup
- Gain knowledge of security concepts and methods for protecting mobile applications
- Create a basic toolbox to perform actual security testing of dummy mobile applications
- Being able to perform basic mobile application security testing after the course
- Learn to perform several mobile application attacks like MitM and modifying application data
- Learn to identify security weaknesses in cryptography
- Learn to perform filesystem analysis
- Get access to multiple sources to develop your skills further
- Date: 25/26 October 2018