Presented at
BSidesLV 2017,
July 25, 2017, 2 p.m.
(235 minutes).
This full-fledged hands-on workshop will get the attendees familiar with the various Android as well as iOS application analysis techniques and bypassing the existing security models in both the
platforms. The main objective of this workshop is to provide a proper guide on how the mobile
applications can be attacked and provide an overview of how some of the most important security
checks for the applications are applied and get an in-depth understanding of these security checks.
The workshop will also include a CTF challenge designed by the trainer in the end where the attendees will use their skills learnt during the workshop to solve this challenge.
This workshop will mainly focus on the following :
1. Reverse engineer Dex code for security analysis.
2. Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.
3. Runtime analysis of the apps by active debugging.
4. Modifying parts of the code, where any part can be specified as some functions, classes and
to perform this check or to identify the modification, we will learn how to find and calculate
the checksum of the code. Our objective in this section will be to learn, Reverse Engineering
an application, get its executable binaries , modify these binaries accordingly, resign the
application.
5. Runtime modification of code. Objective is to learn how the programs/codes can be changed
or modified at runtime. we will learn how to perform introspection or overriding the default
behavior of the methods during runtime and then we will learn how to identify if the
methods have been changed). For iOS we can make use of tool Cycript, snoop-it etc.
6. Hooking an application and learn to perform program/code modification.
7. By the end of workshop, based on the course content CTF challenges written by the trainer will be launched, where the attendees will use their skills learnt in the workshop to solve the CTF challenges.
The workshop will begin with a quick understanding on the architecture, file system,permissions and security model of both iOS and Android platform.
NOTE:
1. The tools and techniques used in the workshop are all open source and no special proprietary
tools need to be purchased by the attendees for analysis post the training. Some of the tools
taught in the training will be helpful in analysis and automating test cases for security testing
of the mobile apps:
✔ Drozer
✔ Introspy
✔ Apktool
✔ Dex2jar
✔ Cycript
✔ JD-Gui
✔ SSL Trust killer
Presenters:
-
Sneha Rajguru
- Payatu Software Labs LLP - Payatu Software Labs LLP
India
Links:
Similar Presentations: