Hacking iOS and IoT apps by example
This course is the culmination of years of experience gained via practical penetration testing of mobile applications as well as countless hours spent in research. We have structured this course around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten. This course provides participants with actionable skills that can be applied immediately from day 1.
Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. As we try to keep both new and advanced students happy, the course is very comprehensive and we have not met any student able to complete all challenges during the class, therefore training continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.
Each day starts with a brief introduction to the mobile platform for that day and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.
Day 2: Focused on iOS: We start with understanding iOS Architecture and various security precautions in place. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands on exercises ending with a CTF for more practical fun.
Part 0 – iOS Security Crash Course
– The state of iOS Security
– iOS security architecture and its components – iOS app signing, sandboxing and provisioning – iOS apps and the filesystem
– Recommended lab setup tips
Part 1 – Static Analysis with runtime checks
– Tools and techniques to retrieve/decompile/reverse and review IPAs
– Identification of the attack surface of iOS apps and general information gathering
– Identification of common vulnerability patterns in iOS apps: + Hardcoded secrets
+ Logic bugs
+ Access control flaws
+ URL handlers
+ Cool injection attacks, and more
– Patching and Resigning iOS binaries to alter app behaviour – Tips to test without a jailbreak