The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.
Pre-requisite of Training Class:
1) Student.
A basic knowledge of programming and mobile security concepts.
2) Hardware.
All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.
Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.
We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.
A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:
Day 1: iOS App Hacking
The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:
Insecure file storage
Keychain attacks
Insecure transport security
Run-time attacks
Cycript
Injection attacks
IPC handlers
Man-in-the-middle attacks
Defeating jailbreak and other defensive detection and prevention routines
Attendees will gain theoretical and practical experience of:
How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps
How to hack UIWebviews, IPC handlers, client-side SQL databases, the
keychain and the App runtime
Real-world, 2014 techniques used to defeat real Apps on iOS7!
- Knowledge of defensive and remedial advice
Day 2: Android App Hacking
Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.
Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.
Course outline
Theory
Introduction to the Android security model
Black box assessment approach
Reverse engineering applications
Introduction to Android malware
Android Man-in-the-Middle
Stolen device reviews
Analysis/Assessment/Attack and Defence
IPC end points
JavaScript Bridges
Mobile Substrate
File permission attacks
Tap jacking
Android Sandbox