3-Day Training | 16-18 Nov

[HITB CYBERWEEK] MASTERING MOBILE HACKING

  • Davy Douhine, Founder, RandoriSec
  • Guillaume Lopes, Senior Penetration Tester, RandoriSec

Duration: 3 days
Capacity: 15 pax
Difficulty: beginner

$4,299.00 $3,299.00


Overview

Class mode: VIRTUAL LIVE STREAM 


DATE: 16 – 18 November 2020

TIME: 09:00 to 17:00 GST / GMT+4

 

In this training, veteran pentesters Guillaume Lopes and Davy Douhine share many techniques, tips and tricks in a 100% hands-on, 3-day mobile training for pentesters, bug bounty researchers, app makers or anyone curious.

The goal is to introduce tools (Adb, Apktool, Jadx, Cycript, Frida, Objection, Hopper, etc.) and techniques that help trainees work faster and more efficiently in the mobile (Android and iOS) ecosystem. This is the training you would have liked to have before losing precious time trying and failing to assess the security of mobile applications.

  • A VM with the tools pre-installed will be provided to attendees to cover most of the labs.
  • Access to Corellium (iOS virtualisation) will be provided.

Key Learning Objectives

  • Introduce the OWASP MSTG (Mobile Security Testing Guide) and the MASVS (Mobile Application Security Verification Standard)
  • Learn Android and iOS security basics
  • Know how to build an Android and iOS pentest toolset
  • Learn how to review the codebase of a mobile application (aka static analysis)
  • Run the mobile application on a rooted device (to check data security issues)
  • Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)
  • Man-in-the-middle all the network communications (aka inspect the traffic)

Who Should Attend

* Anyone who wants to learn how to assess mobile applications and has some prior knowledge of web security
* Intermediate to experienced Pentesters, Bug Hunters, Security Researchers, Security Experts and Security Managers/Architects

What Students Say About This Training

“I attended a 3 days mobile hacking online course from RandoriSec, and learned new things about iOS and Android mobile apps security.

Thank you Davy Douhine and Guillaume Lopes for your support and the wonderful contents. It was nice of them to provide all attendees with a private one hour session to answer our questions and to support us with the labs.

Time to practice what I learned” – Mohamed Gazzaz, Head of Cyber Security

 

Prerequisite Knowledge

* Network and Linux basics

 

Hardware / Software Requirements

A laptop with:
* 8GB of RAM at least, ideally 16GB
* 50 GB of free space (to install a VM based on Kali that we’ll provide)
* Administrative privileges on your laptop + a way to deactivate anti-virus, HIPS and firewall
* VMware Player (ideally VMware Workstation)
* A PDF reader
* A jailbroken iDevice (iPhone/iPad/iPod) running at least iOS 10 for the iOS labs (a Corellium virtual device will be provided to do the labs, but a physical device allows a few additional labs).

 

Agenda


Day 1: iOS Basics

* Security features and iOS architecture
* Techniques: Steps and requirements
* Set up a testing environment
* Tools
* Jailbreaks: History and types
* Targeted apps
* iOS virtualization with Corellium

Day 1: iOS Static Analysis

* Code checks
* Needle and MobSF

Day 1: Android Basics

* Android Ecosystem
* Sandboxing
* Android Components
* APK Architecture
* Android Manifest

Day 1: Android Static Analysis

* Decompilation / Disassembling
* Hardcoding secrets
* Code Tampering
* Tools

Day 2: iOS Dynamic Analysis

* Caching
* Logs
* Backups
* Plist
* SQLite
* Hooking with Cycript
* Hooking with Frida
* Objection

Day 2: Android Dynamic Analysis

* Emulator or physical device
* Access Control
* LogCat
* Root-Emulator Detection
* Debugging

Day 2: Android Data Storage

* Databases
* Shared Preferences
* Internal Storage
* External Storage

Day 3: iOS Dynamic Analysis

* Analyze without a jailbreak

Day 3: iOS Network Security

* MiTM all the traffic
* rvictl, Wireshark and Burp Suite

Day 3: iOS Bonus (Totally not spyware / CVE-2018-4233)

* Metasploit

Day 3: Android Network Security

* How to intercept traffic using Burp Suite
* Certificate Pinning: How is it implemented? How can it be defeated?

Day 3: Android Hooking

* Introduction of Frida
* Frida Scripting
* Hooking Native Code
