DATE: 24-26 May 2021
TIME: 09:00 to 17:00 CEST/GMT+2
|24 May||Monday||0900-17:00 CEST/GMT+2||8 Hours|
|25 May||Tuesday||0900-17:00 CEST/GMT+2||8 Hours|
|26 May||Wednesday||0900-17:00 CEST/GMT+2||8 Hours|
(Course timing not suitable? Let us know!)
Get bonus pre-configured training VM with class labs and tools for your own practice, plus an exclusive group invitation to post-training consultation for 12 months with trainer!
Advanced Android & iOS Hands-on Exploitation by Attify is a practical lab-focused training class that teaches you the tools and tactics to identify and exploit vulnerabilities in modern Android and iOS applications. Students get to learn a step-by-step proven approach of how to dissect, analyze, and exploit mobile applications. This class is a 2021 version of a class that we teach many times a year since 2013. We keep the contents updated by creating relevant labs of vulnerabilities that we see in the wild or are common occurrence in our engagements.
The class is split in two sections: Android and iOS. And for both the sections, we start with the underlying foundations and gradually build a firm and solid understanding of the platform that we are working with. We use an approach of learning-by-doing i.e. all the concepts are accompanied by a demonstration or a lab to understand two things: a) what happens on the surface and b) what happens behind the scenes. Throughout the class, the instructor helps you see a scenario from different perspectives, thus enabling you to develop skills such as pattern-recognition and intuitiveness with which you could discover vulnerabilities faster and better.
During the 3 days, you’ll work with various tools and techniques to reverse, analyze and exploit applications of all different types. Some topics that you’ll learn include: Tracing data flow, Transit Data Analysis, Assessing Data Handling, IPC component vulnerabilities, Webviews , Exploiting Deep Links, Backdooring and Binary Reversing, Native component analysis, Dynamic instrumentation, Debugging etc. For the targets, you will use both real-world and custom-built vulnerable apps.
In the last few hours of the class, we will cover: Future Direction and Research possibilities to show you how you could use this knowledge and skillset in different ways. Apart from it being a standalone technical training class, students often use the momentum that they gain with the class to accelerate their careers.
Either you are looking to get your hands dirty for the very first time or you want to sharpen your mobile pentesting skills, this class is well-suited for both.
Students will receive the following:
- A downloadable pre-configured training virtual machine with class labs and tools. Additional labs for later practice are also included.
- Invite to an exclusive discussion group w/ 12-month access to ask queries and participate in discussions post-training with others who have taken the training, and the course instructor/author.
- 1000+ training slides
- Lab details, workbook, references etc.
Key Learning Objectives
- Understand the intricacies of Android and iOS applications
- Reverse engineer and analyze apps and binaries
- Analyze and capture data storage: on device, temporary, in transit
- Use a combination of static and dynamic analysis to find vulnerabilities
- Perform dynamic instrumentation and write scripts to reveal keys and other secrets
- Learn working with tools such as Apktool, ADB, Ghidra, Frida, Objection etc.
- Develop a “hacker” mindset
Who Should Attend
- Android and iOS application security enthusiasts
- Security researchers, Pentesters and Red Teamers
- Bug Bounty hunters
- Mobile app developers wanting to see what’s on the other side
- Mobile app testers who want to build better test cases
Hardware / Software Requirements
- VMWare, VirtualBox
- Minimum 6 GB RAM
- 40 GB Free Disk space
- Genymotion/Rooted Android device
- Jailbroken iOS device (10+)
- Additional setup instructions will be provided prior to the class
• Android: In/Out
• Platform Security
• Runtime and Virtualization
• Inside an APK
• ADB, AM, PM
• Reverse Engineering
• Code Patching
• Data Handling
• Activity, Services, Intents, and Broadcasts
• Understanding Entry points
• Tracing data flow
• URI: Identification and Exploitation
• Content Providers
• Deep Links
• Frida Fu
• Native analysis
• Platform-specific issues
• iOS In/Out
• Inside an IPA
• Code Signing, Entitlements and Profiles
• Objective-C and Swift basics
• Reversing and Patching iOS binaries
• Data Handling issues
• Debugging and Runtime Manipulation
• Analyzing iOS Network
• Webview: types and issues
• iOS Frida Fu
• Case Studies
• Structuring a mobile pentest/research
• Future Direction and Research possibilities