Why should you attend?
- Gain knowledge of the Android and iOS architecture setup
- Gain knowledge of security concepts and methods for protecting mobile applications
- Create a basic toolbox to perform actual security testing of dummy mobile applications
- Be able to perform basic mobile application security testing after the course
- Learn to perform several mobile application attacks like MitM and modifying application data
- Learn to identify security weaknesses in cryptography
- Learn to perform filesystem analysis
- Get access to multiple sources to develop your skills further
This is a very interactive training course with lots of exercises and demonstrations to support effective learning.
Intended Audience
This training is suitable for:
- Mobile application developers
- Pentesters
- Mobile application testers
- Software engineers
- Technical staff involved in security management
Required Skills & Expertise
A technical background and expertise are required for this course, as the training describes in-depth technical concepts and requires the execution of various scripts. Programming experience is not required, though useful. Experience with the Linux command line is a plus.
Program
The Mobile Security training course consists of two days. The first day is focused on Android and the second day on iOS. We start from a theoretical perspective with practical exercises in each afternoon, so you go home with a toolbox and practical experience.
Day 1 - Android
General Mobile Security (MASVS Framework)
- Key areas according to OWASP MASVS
  - General information about MASVS and its levels
  - Architecture and Design (V1)
  - Data Storage and Privacy (V2)
  - Cryptography (V3)
  - Authentication and Authorization (V4)
  - Network Communication (V5)
  - Interaction with the Mobile Platform (V6)
  - Code Quality and Exploit Mitigation (V7)
  - Anti-Tampering and Anti-Reversing (R)
- Mobile application taxonomy
Android platform internals
- General information & Platform architecture
- Java applications vs Android applications
- Dalvik / Android runtime
- Users, permissions, file structure
- Security features in Android
- What is new in Android's security features
- Application components
Methods and tooling
- Physical device vs Emulator
- Emulator configuration
- Tooling & Test setup
- Automated tools
Workshop: Secura InsecureShop
- Reconnaissance and APK analysis
- How to identify Security Vulnerabilities?
- Root detection bypass
- Analyzing network traffic and crypto implementation
- Reverse Engineering to circumvent Certificate Pinning
- Testing application components (Content Providers, Activities, etc.)
How to perform a mobile Android application assessment?
- Guidelines and best practices to perform a security assessment.
Day 2 - iOS
iOS platform internals
- Platform architecture
- Application runtime
- Users, permissions, file structure
- Application folder structure
- Application fundamentals
- Inter-app communication (IPC)
- New security features in iOS
Security features and flaws
- Apple iOS security features
  - Secure Boot
  - Secure Enclave
  - Touch ID
  - Face ID
  - File data protection
- Apple iOS security flaws
  - Jailbreaking
Application Fundamentals
- App development & languages
- IPA format
- iOS privilege model
- Security considerations
Methods and tooling
- Simulator
- Tooling
- Test setup
Demo: iOS file system analysis
- Demonstration of how to analyse the file system with concrete examples
Demo: iOS application testing
- Cover the security testing of a vulnerable iOS application
Interested?
If you are interested in hosting this interactive and tailored workshop at your company, please let us know via the contact form, by telephone +31 (0)88 888 31 00 or email info@secura.com.