Presented at
AppSec USA 2015,
Sept. 23, 2015, 3:30 p.m.
(90 minutes).
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23
Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms.
Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more.
The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.
Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training.
The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation.
Some of the lab exercises include :
[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks.
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps
These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.
Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers
What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
4 GB RAM
Genymotion installed and configured with Android v 4.1.1 and 5.0 images
Presenters:
-
Aditya Gupta
- Founder and CEO - Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation.
He is also the author of the popular books such as "Learning Pentesting for Android Devices" and upcoming books on IoT Exploitation. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe and many more. He has also published a research paper on ARM Exploitation titled "A Short Guide on ARM Exploitation."
In his previous roles, he has worked on mobile security, application security, network penetration testing, developing automated internal tools to prevent fraud, finding and exploiting vulnerabilities and so on. He is also a frequent speaker and trainer at numerous international security conferences including Black Hat, Defcon, Syscan, OWASP AppSec, PhDays, Brucon, Toorcon, Clubhack amongst others, and also provides private and customized training programmes for organizations.
Links:
Similar Presentations: