Spring Training 2016 - Mobile Application Exploitation (iOS and Android)
From BruCON 2016
Mobile Application Exploitation (iOS and Android)
Course Description
This will be a completely hands-on training on exploiting mobile applications for the iOS and Android platforms. The training will be based on exploiting Damn Vulnerable iOS app and other vulnerable apps written by the trainer to help attendees understand the different kinds of vulnerabilities in mobile applications.
This course will also discuss how a developer can secure their applications using secure coding and obfuscation techniques. After the workshop, the students will be able to successfully penetration test and secure mobile applications. All the students will get a PDF presentation with all the slides, vulnerable apps used for training, sample source code and all the necessary tools used to pentest mobile applications.
The training will also include a CTF challenge at the end, where the attendees will use the skills learnt in the training to solve the challenges.
Course contents
- Module 1 - Getting Started with iOS Pentesting
  - iOS security model
  - App Signing, Sandboxing and Provisioning
  - Setting up Xcode
  - Changes in iOS 8
  - Exploring the iOS filesystem
  - Intro to Objective-C and Swift
  - Setting up the pentesting environment
  - Jailbreaking your device
  - Cydia, Mobile Substrate
  - Getting started with Damn Vulnerable iOS app
  - Binary analysis
  - Finding shared libraries
  - Checking for PIE, ARC
  - Decrypting IPA files
  - Self-signing IPA files
  - Android Exploitation
  - Android Security Architecture
  - Permission Model Flaws
  - API level vulnerabilities
  - Rooting for Pentesters Lab
  - Android ART and DVM Insecurities
- Module 2 - Android App for Security Professionals
  - Reverse Engineering for Android Apps
  - Smali Labs for Android
  - Dex Analysis and Obfuscation
  - Android App Hooking
- Module 3 - Application Specific vulnerabilities
  - Attack Surfaces for Android applications
  - Exploiting Side Channel Data Leakage
  - Exploiting and identifying vulnerable IPCs
  - Exploiting Backup and Debuggable apps
  - Exploiting Exported Components
  - Dynamic Analysis for Android Apps
  - Analysing Proguard, DexGuard and other Obfuscation Techniques
- Module 4 - Fuzzing for Android
  - Platform setup for Android fuzzing
  - Identifying vulnerable endpoints
  - Fuzzing Android components
  - Crash to Exploit
- Module 5 - ARM for Android Exploitation
  - Getting familiar with Android ARM
  - Exploit Mitigation and Protections
  - Heap Manipulation
  - ROP Labs for Android
  - Writing your own reliable exploit
  - Race Condition vulnerabilities
  - Hardware Exploitation Techniques
Target audience
This course is for penetration testers, mobile developers, or anyone keen to learn mobile application security.
Hardware/software Requirements
- Laptop with Genymotion installed.
- 20+ GB free hard disk space
- 3+ GB RAM
- A jailbroken iPhone/iPad/iPod for iOS testing. Please get in touch with us if you are having issues arranging it.
Trainer Biography
Prateek Gianchandani, an OWASP member and contributor, has been working in the infosec industry for about 5 years. During those five years, he has performed a number of penetration tests on mobile and web applications and even developed a lot of applications for the App Store. His core focus area is iOS application pentesting and exploitation. He is also the author of the open source vulnerable application named Damn Vulnerable iOS app. He has presented and trained at conferences like DEF CON, Black Hat USA, BruCON, Hack in Paris, PHDays, etc.
Mon. 20 - 22 April 2016 (09:00 - 17:00) (3-day)