Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
View analytic
Tuesday, June 24 • 09:00 - 13:00
Training room 2 - The Mobile App Security Boot Camp

Sign up or log in to save this to your schedule and see who's attending!

The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:



  • Insecure file storage



  • Keychain attacks



  • Insecure transport security



  • Run-time attacks



  • Cycript



  • Injection attacks



  • IPC handlers



  • Man-in-the-middle attacks



  • Defeating jailbreak and other defensive detection and prevention routines

    Attendees will gain theoretical and practical experience of:





  • How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps



  • How to hack UIWebviews, IPC handlers, client-side SQL databases, the

    keychain and the App runtime



  • Real-world, 2014 techniques used to defeat real Apps on iOS7!


  • Knowledge of defensive and remedial advice



Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.

Course outline



  • Theory



  • Introduction to the Android security model



  • Black box assessment approach



  • Reverse engineering applications



  • Introduction to Android malware



  • Android Man-in-the-Middle



  • Stolen device reviews



  • Analysis/Assessment/Attack and Defence



  • IPC end points



  • JavaScript Bridges



  • Mobile Substrate



  • File permission attacks



  • Tap jacking



  • Android Sandbox 



Speakers
avatar for Dominic Chell

Dominic Chell

Director, MDSec
Dominic is a director of MDSec and a recognised expert in mobile security, having authored whitepapers, tools and presentations in this area. Dominic has delivered security consultancy and training on mobile security to leading global organisations in the financial, government and retail sectors for the past 9 years. Additionally, Dominic aided in the development of and is listed as a subject matter expert for, a secure iOS development... Read More →
RM

Robert Miller

MWR InfoSecurity
Robert has worked for MWR Infosecurity since 2011, with a strong focus on Android device and application security. He co-runs MWR's Android Secure Development training course, and works with major application developers and device manufacturers in producing security critical products and services. | | Robert has presented in both private corporate and public events in everything from teaching members of the public how to stay safe from... Read More →


Tuesday June 24, 2014 09:00 - 13:00
LAB112

Attendees (1)