Hacking Android and IoT apps by example
This course is the culmination of years of experience gained via practical penetration testing of mobile applications as well as countless hours spent in research. We have structured this course around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten. This course provides participants with actionable skills that can be applied immediately from day 1.
Please note that our courses are 100% hands-on: we do not lecture students with boring bullet points and theories. Instead, we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. As we try to keep both new and advanced students happy, the course is very comprehensive, and we have not met any student able to complete all challenges during the class. Training therefore continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.
Each day starts with a brief introduction to the mobile platform for that day, continues with a look at static analysis, then moves on to dynamic checks, finishing off with a nice CTF session to test the skills gained.
Day 1: Focused specifically on Android: We start with understanding applications and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.
Part 0 – Android Security Crash Course
– The state of Android Security
– Android security architecture and its components
– Android apps and the filesystem
– Android app signing, sandboxing and provisioning
– Recommended lab setup tips
Part 1 – Static Analysis with Runtime Checks
– Tools and techniques to retrieve/decompile/reverse and review APKs
– Identification of the attack surface of Android apps and general information gathering
– Identification of common vulnerability patterns in Android apps:
+ Hardcoded secrets
+ Logic bugs
+ Access control flaws
+ Cool injection attacks and more
– The art of repackaging:
+ Tips to get around not having root
+ Manipulating the Android Manifest
+ Defeating SSL/TLS pinning
+ Defeating root detection
+ Dealing with apps in foreign languages and more