Hacking iOS and IoT apps by example
This course is the culmination of years of experience gained via practical penetration testing of mobile applications as well as countless hours spent in research. We have structured this course around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten. This course provides participants with actionable skills that can be applied immediately from day 1.
Please note our courses are 100% hands-on: we do not lecture students with boring bullet points and theories. Instead, we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. As we try to keep both new and advanced students happy, the course is very comprehensive, and we have not met any student able to complete all challenges during the class. Training therefore continues after the course through our frequently updated training portal, to which you keep lifetime access, along with unlimited email support.
Each day starts with a brief introduction to the mobile platform for that day, continues with a look at static analysis, moves on to dynamic checks, and finishes with a nice CTF session to test the skills gained.
Day 2: Focused on iOS: We start with understanding iOS architecture and the various security precautions in place. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises, ending with a CTF for more practical fun.
Part 2 – Dynamic Analysis
– Monitoring data: caching, logs, app files, insecure file storage, iOS keychain, etc.
– Crypto flaws
– The art of MitM: Intercepting Network Communications
– Defeating certificate pinning and jailbreak detection at runtime
– The art of Instrumentation: Introduction to Frida, Objection
– App behaviour monitoring at runtime
– Modifying app behaviour at runtime
Part 3 – Test your Skills
– CTF time, including finding IoT vulnerabilities through app analysis