Mobile Application Hacking Training

Hacking mobile apps is a great first step towards gaining access to critical information and hacking the back-end. Learn how to identify security flaws in iOS & Android apps to reduce costs by implementing security features early on.

Why should you attend?

  • Gain knowledge of the Android and iOS architecture setup
  • Gain knowledge of security concepts and methods for protecting mobile applications
  • Create a basic toolbox to perform actual security testing of dummy mobile applications
  • Be able to perform basic mobile application security testing after the course
  • Learn to perform several mobile application attacks like MitM and modifying application data
  • Learn to identify security weaknesses in cryptography
  • Learn to perform filesystem analysis
  • Get access to multiple sources to develop your skills further


This is a very interactive training course with lots of exercises and demonstrations to support effective learning.

Intended Audience

This training is suitable for:

  • Mobile application developers
  • Pentesters
  • Mobile application testers
  • Software engineers
  • Technical staff involved in security management

Required Skills & Expertise

A technical background and expertise are required for this course, as the training describes technical concepts in depth and requires the execution of various scripts. Programming experience is not required, though useful. Experience with the Linux command line is a plus.

Program

The Mobile Security training course consists of two days. The first day is focused on Android and the second day on iOS. We start from a theoretical perspective, with practical exercises each afternoon, so you go home with a toolbox and practical experience.

Day 1 - Android

General Mobile Security (MASVS Framework)

  • Key Areas according to OWASP MASVS
  • General information about MASVS and its levels
  • Architecture and Design (V1)
  • Data Storage and Privacy (V2)
  • Cryptography (V3)
  • Authentication and Authorization (V4)
  • Network Communication (V5)
  • Interaction with the mobile platform (V6)
  • Code quality and exploit mitigation (V7)
  • Anti-Tampering and anti-reversing (R)
  • Mobile application taxonomy

Android platform internals

  • General information & Platform architecture
  • Java applications vs Android applications
  • Dalvik / Android runtime
  • Users, permissions, file structure
  • Security features in Android
  • What is new in the Android security features
  • Application components

Methods and tooling

  • Physical device vs Emulator
  • Emulator configuration
  • Tooling & Test setup
  • Automated tools

Workshop: Secura InsecureShop

  • Reconnaissance and APK analysis
  • How to identify Security Vulnerabilities?
  • Root detection bypass
  • Analyzing network traffic and crypto implementation
  • Reverse Engineering to circumvent Certificate Pinning
  • Testing application components (Content Providers, Activities, etc.)

How to perform a mobile Android application assessment?

  • Guidelines and best practices to perform a security assessment.

Day 2 - iOS

iOS platform internals

  • Platform architecture
  • Application runtime
  • Users, permissions, file structure
  • Application folder structure
  • Application fundamentals
  • Inter-app communication (IPC)
  • New security features in iOS

Security features and flaws

  • Apple iOS security features
  • Secure Boot
  • Secure enclave
  • Touch ID
  • Face ID
  • File data protection
  • Apple iOS security flaws
  • Jailbreaking

Application Fundamentals

  • App development & languages
  • IPA format
  • iOS privilege model
  • Security Consideration

Methods and tooling

  • Simulator
  • Tooling
  • Test setup

Demo: iOS file system analysis

  • Demonstration of how to analyse the file system with concrete examples

Demo: iOS application testing

  • Cover the security testing of a vulnerable iOS application

Interested in the Mobile Application Hacking Training?

If you are interested in hosting this interactive and tailored workshop at your company, please let us know via the contact form, by telephone +31 (0)88 888 31 00 or email info@secura.com.

ABOUT SECURA

Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.