
Mobile Security Assessment Training

ANTO JOSEPH & PRATEEK GIANCHANDANI

Trainer Name: Anto Joseph & Prateek Gianchandani
Title: Mobile Security Assessment Training
Duration: 3 Days
Date: 13th - 15th Oct, 2016

Objective

A mobile device puts the office in your pocket. Combine access to enterprise assets with personal data, financial information, communications and contact details, and it makes great financial sense for hackers, cyber-criminals, scammers, malware authors and state agencies to target mobile devices.

As an individual or an organisation, you cannot afford to neglect mobile security.

This Mobile Security Assessment Training is delivered by top security researchers who are globally recognised for their research and community contributions in the field of mobile security, including tools such as Damn Vulnerable iOS App and other deliberately vulnerable apps that make the learning more comprehensive.

It is a completely hands-on course on exploiting mobile applications on the iOS and Android platforms, giving first-hand practical understanding. The course also gives app developers excellent leverage to secure their applications and to practise secure coding and data protection techniques.

Participants can immediately apply, verify and sharpen the skills acquired in the training by playing a CTF that simulates real-life mobile security challenges.

Take the learnings, tools and techniques back with you, neatly packaged in our courseware, which also includes the vulnerable apps and sample source code.

Course outline

Part 1 - Android Exploitation
Module 1
  • Why Android
  • Intro to Android
  • Android Security Architecture
  • Android application structure
  • Signing Android applications
  • ADB - Non-root
  • Rooting Android devices
  • ADB - Rooted
  • Understanding Android file system
  • Permission Model Flaws
Module 2
  • Understanding Android Components
  • Introducing Android Emulator
  • Introducing Android AVD
Module 3
  • Proxying Android Traffic
  • Reverse Engineering for Android Apps
  • Smali Labs for Android
  • Dex Analysis and Obfuscation
  • Android App Hooking
Module 4
  • Attack Surfaces for Android applications
  • Exploiting Local Storage
  • Exploiting Weak Cryptography
  • Exploiting Side Channel Data Leakage
  • Root Detection and Bypass
  • Exploiting Weak Authorization mechanism
  • Identifying and Exploiting flawed Broadcast Receivers
  • Identifying and Exploiting flawed Intents
  • Identifying and Exploiting Vulnerable Activity Components
  • Exploiting Backup and Debuggable apps
  • Dynamic Analysis for Android Apps
  • Analysing ProGuard, DexGuard and other Obfuscation Techniques
Module 5
  • Exploitation using Drozer
  • Automated source code analysis
  • Exploiting Android embedded applications
Part 2 - iOS Exploitation
Module 1 : Getting Started with iOS Pentesting
  • iOS security model
  • App Signing, Sandboxing and Provisioning
  • Setting up Xcode
  • Changes in iOS 8
  • Exploring the iOS filesystem
  • Intro to Objective-C and Swift
  • Setting up the pentesting environment
  • Jailbreaking your device
  • Cydia, MobileSubstrate
  • Getting started with Damn Vulnerable iOS app
  • Binary analysis
  • Finding shared libraries
  • Checking for PIE, ARC
  • Decrypting ipa files
  • Self signing IPA files
Module 2 : Static and Dynamic Analysis of iOS Apps
  • Static Analysis of iOS applications
  • Dumping class information
  • Insecure local data storage
  • Dumping Keychain
  • Finding url schemes
  • Dynamic Analysis of iOS applications
  • Cycript basics
  • Advanced Runtime Manipulation using Cycript
  • Method Swizzling
  • GDB basic usage
  • Modifying ARM registers
Module 3 : Exploiting iOS Applications
  • Exploiting iOS applications
  • Broken Cryptography
  • Side channel data leakage
  • Sensitive information disclosure
  • Exploiting URL schemes
  • Client side injection
  • Bypassing jailbreak, piracy checks
  • Inspecting Network traffic
  • Traffic interception over HTTP and HTTPS
  • Manipulating network traffic
  • Bypassing SSL pinning
Module 4 : Reversing iOS Apps
  • Introduction to Hopper
  • Disassembling methods
  • Modifying assembly instructions
  • Patching App Binary
  • Logify
Module 5 : Securing iOS Apps
  • Securing iOS applications
  • Where to look for vulnerabilities in code?
  • Code obfuscation techniques
  • Piracy/Jailbreak checks
  • iMAS, Encrypted Core Data

What to bring?

  • A jailbroken iPhone/iPad/iPod touch is a must for the iOS hands-on exercises.
  • Laptop with
    1. Genymotion installed.
    2. 20+ GB free hard disk space
    3. 4+ GB RAM
    4. Windows 7/8, Ubuntu 12.x or later (64-bit operating system), or Mac OS X (Mavericks or later)
    5. Intel / AMD hardware virtualization (VT-x / AMD-V) enabled, which Genymotion's VirtualBox backend requires
    6. Administrative access on your laptop, with external USB devices allowed

Who Should Attend?

  • Penetration testers
  • Mobile developers
  • Anyone keen to learn mobile application security

About the Trainer

Prateek Gianchandani, an OWASP member and contributor, has been working in the infosec industry for about 5 years. During those five years he has performed a number of penetration tests on mobile and web applications and has also developed many applications for the App Store. His core focus area is iOS application pentesting and exploitation. He is the author of the open source vulnerable application Damn Vulnerable iOS App. He has presented and trained at conferences such as DEF CON, Black Hat USA, BruCON, Hack in Paris and PHDays.

Anto Joseph is a Security Engineer at Citrix with 4+ years of expertise in mobile, systems and web security. He is a strong supporter of free and open information security education. His areas of interest include web, mobile and systems security, and he is currently researching Android and IoT security. His research has been accepted at security conferences including c0c0n 2015, XorConf 2015, GroundZero 2015, Hack in Paris 2016 and Hack in the Box Amsterdam, and he has strong practical security expertise. His code and other work can be found at https://github.com/antojoseph

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved