On This Page

The Mobile Application Hacker's Handbook: Live Edition

MDSec | July 22-23 & July 24-25



Overview

SYLLABUS

Day 1:

The course begins with a brief introduction to mobile application security and the OWASP mobile top ten, following chapter 1 of the book. When delegates are comfortable with general mobile application security practices, we delve in to the security of the iOS platform, including an overview of the platform security features, jailbreaking and approaches to app security assessment. The following modules then review chapters 2, 3 and 4 of the book where common insecurities are covered, including but not limited too:

  • Reverse engineering and patching binaries,
  • Insecure file storage,
  • Keychain attacks,
  • Insecure transport security,
  • Instrumenting the iOS runtime,
  • Injection attacks,
  • How to exploit IPC handlers,
  • How to defeat security controls like jailbreak detection,
  • Instrumentation on non-jailbroken devices.


Day 2:

Day two of the course picks up at chapter 6, discussing the various attack surfaces for the Android platform and how to approach an app assessment. We then walk through the details the techniques that from chapter 7 and 8 that can be used to attack Android applications, including the following topics:

  • Reverse engineering and decompiling Android apps,
  • Insecure file storage,
  • Insecure transport security,
  • Instrumentation of the Dalvik runtime with Frida and Substrate,
  • Exploitation of insecure IPC endpoints,
  • Tap jacking.


Find out more about the book at http://www.mobileapphacker.com/

Who Should Take this Course

This course covers a wide range of topics and is suitable for novices, right through to those looking to fine tune their knowledge of the advanced topics. The course is typically taken by penetration testers, software developers and those looking to gain a better understanding of mobile security. Programming is useful but not required to complete the course.

Student Requirements

  • A basic knowledge of programming and mobile security concepts is useful but not essential.
  • Administrative access to a laptop with the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises. Laptop with the capability to connect to wireless and wired networks. We recommend at least 8GB of RAM with at least 16GB of disk space free.
  • Students require a player to run VirtualBox images.

What Students Should Bring

A laptop as per the student requirements section.

What Students Will Be Provided With

- The training material in electronic format
- A mobile hacking virtual machine, packed with all the tools to perform an assessment
- Downloadable copies of the labs that they can take away and work on in the future
- After course e-mail support

Trainers

Dominic Chell is a director and co-founder of MDSec as well as lead author for the Mobile Application HackerĀ¹s Handbook. Dominic has delivered security consultancy and training on mobile security to leading global organisations in the financial, government and retail sectors for the past 12 years.