Extreme Mobile Application Exploitation

Presented at BSidesLV 2017, July 25, 2017, 2 p.m. (235 minutes)

This full-fledged hands-on workshop will familiarize attendees with various Android and iOS application analysis techniques and with bypassing the existing security models on both platforms. The main objective of the workshop is to provide a proper guide to how mobile applications can be attacked, an overview of how some of the most important security checks for applications are applied, and an in-depth understanding of these security checks. The workshop will also include a CTF challenge designed by the trainer at the end, where attendees will use the skills learnt during the workshop to solve the challenge.

This workshop will mainly focus on the following:

1. Reverse engineering Dex code for security analysis.
2. Jailbreaking/rooting of the device, and various techniques to detect jailbreak/root.
3. Runtime analysis of apps by active debugging.
4. Modifying parts of the code, where any part can be specified as some functions or classes; to perform this check or to identify the modification, we will learn how to find and calculate the checksum of the code. Our objective in this section is to learn how to reverse engineer an application, get its executable binaries, modify these binaries accordingly, and re-sign the application.
5. Runtime modification of code. The objective is to learn how programs/code can be changed or modified at runtime. We will learn how to perform introspection or override the default behavior of methods at runtime, and then how to identify whether the methods have been changed. For iOS we can make use of tools such as Cycript, snoop-it, etc.
6. Hooking an application and learning to perform program/code modification.
7. By the end of the workshop, CTF challenges written by the trainer and based on the course content will be launched, where attendees will use the skills learnt in the workshop to solve them.

The workshop will begin with a quick overview of the architecture, file system, permissions and security model of both the iOS and Android platforms.

NOTE:

1. The tools and techniques used in the workshop are all open source, and attendees do not need to purchase any special proprietary tools for analysis after the training.

Some of the tools taught in the training will be helpful in analysis and in automating test cases for security testing of mobile apps:

✔ Drozer
✔ Introspy
✔ Apktool
✔ Dex2jar
✔ Cycript
✔ JD-Gui
✔ SSL Trust killer


  • Sneha Rajguru - Payatu Software Labs LLP

