Mobile Application Hacking - Master Class

Sneha Rajguru

Trainer Name: Sneha Rajguru
Title: Mobile Application Hacking - Master Class
Duration: 2 Days
Dates: 27th - 28th Feb 2019

Course Abstract:

Mobile Application Hacking is a hands-on class designed to teach participants techniques and tools for Android mobile application penetration testing. The class covers a wealth of techniques to identify, analyze and exploit vulnerabilities in mobile apps. It also covers the inbuilt security schemes of the Android platform and teaches how those security models can be bypassed.

The class is equipped with labs containing real-world vulnerable Android apps intentionally crafted by the author, which enable participants to learn the art of finding and exploiting flaws in mobile applications. The class ends with a CTF that gives participants the opportunity to test the skills they have learned in the class.

Note: This is a major upgrade of the author's previous class, “Mobile App Attack”, which was delivered around the world at conferences such as OWASP AppSec USA, DeepSec, DEFCON, NullCon and BSides LV.

Training Outline:

This training will mainly focus on the following:

  • ARM basics and Android native code.
  • Reverse engineer Dex code for security analysis.
  • Rooting of the device and also various techniques to detect Root.
  • Runtime analysis of the apps by active debugging.

Modifying parts of the code, where a part can be specified as some functions or classes. To perform this check, or to identify the modification, we will learn how to find and calculate the checksum of the code. Our objective in this section is to learn how to reverse engineer an application, get its executable binaries, modify these binaries accordingly, and re-sign the application.

Runtime modification of code. The objective is to learn how programs/code can be changed or modified at runtime. We will learn how to perform introspection or override the default behaviour of methods during runtime, and then how to identify whether the methods have been changed.

Hooking an application and learning to perform program/code modification.

At the end of the training, CTF challenges written by the trainer and based on the course content will be launched, and attendees will use the skills learnt in the workshop to solve them. The training will begin with a quick overview of the architecture, file system, permissions and security model of the Android platform.

Course Content:

Android Hacking

  • Getting Started with Android
  • Android Architecture and Components
  • Android Application and File System
  • The State of Android Security
  • Setting up the Android Hacking Lab
  • Reverse Engineering Android Applications
  • Static Analysis and Dynamic Analysis techniques
  • Root Detection and SSL Pinning Bypass
  • Identifying and Exploiting Common Flaws in Android Apps
  • Source Code Analysis
  • Analysis of common obfuscation techniques
  • A deep dive into some of the recent Android vulnerabilities
  • Hands-on CTF Challenge!

Upon completion of this training, attendees will know:

  • Security features of Android
  • How to reverse engineer Android apps
  • How to find vulnerabilities in the apps
  • How to bypass SSL pinning checks
  • How to bypass root detection checks
  • How to perform runtime analysis of apps
  • How to debug apps

Attendees will be provided with:

  • Training Material / Slide Decks
  • Mobile Application Hacking Lab Manual
  • Practice apps
  • Lab VM

Pre-requisites for the attendees:

  • Laptop with 20+ GB free hard disk space and 4+ GB RAM
  • Windows 7/8, Ubuntu 12.x+ (64-bit operating system)
  • Android SDK, Genymotion installed
  • Intel / AMD Hardware Virtualization enabled Operating System
  • Administrative access on your laptop with external USB allowed

Trainer's Bio:

Sneha works as Staff Security Engineer at BYTON GmbH. Her interests lie in web and mobile application security and fuzzing. She has discovered various security flaws within various open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and provided trainings at various conferences such as DEFCON, BSides LV, BSidesVienna, OWASP AppSec USA, DeepSec, DefCamp, FUDCon, and Nullcon. Sneha is passionate about promoting and encouraging Women in Security and has founded an initiative called WINJA-CTF through which she hosts women-only CTFs and workshops at conferences and other events. Sneha is also active in the local security community and hosts local security meetups in Pune. She leads the Pune chapter of the null community.