AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Back To Schedule
Tuesday, June 24 • 14:00 - 18:00
Training room 2 - The Mobile App Security Boot Camp

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:

  • Insecure file storage

  • Keychain attacks

  • Insecure transport security

  • Run-time attacks

  • Cycript

  • Injection attacks

  • IPC handlers

  • Man-in-the-middle attacks

  • Defeating jailbreak and other defensive detection and prevention routines

    Attendees will gain theoretical and practical experience of:

  • How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps

  • How to hack UIWebviews, IPC handlers, client-side SQL databases, the

    keychain and the App runtime

  • Real-world, 2014 techniques used to defeat real Apps on iOS7!

  • Knowledge of defensive and remedial advice

Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.

Course outline

  • Theory

  • Introduction to the Android security model

  • Black box assessment approach

  • Reverse engineering applications

  • Introduction to Android malware

  • Android Man-in-the-Middle

  • Stolen device reviews

  • Analysis/Assessment/Attack and Defence

  • IPC end points

  • JavaScript Bridges

  • Mobile Substrate

  • File permission attacks

  • Tap jacking

  • Android Sandbox 


Dominic Chell

Director, MDSec
Dominic (@domchell) is a director at MDSec where he works within the ActiveBreach team and is responsible for conducting intelligence-led attack simulations under the CBEST, STAR and TIBER frameworks. Dominic is a published author and active researcher, frequently releasing tools... Read More →

Robert Miller

MWR InfoSecurity
Robert has worked for MWR Infosecurity since 2011, with a strong focus on Android device and application security. He co-runs MWR's Android Secure Development training course, and works with major application developers and device manufacturers in producing security critical products... Read More →

Tuesday June 24, 2014 14:00 - 18:00 BST