Practical Mobile Exploitation [AUH2024]

USD $3,299.00

Duration

3 days

Delivery Method

in-person

Level

all levels

Seats Available

20

Duration

3 days

Delivery Method

in-person

Level

all levels

ATTEND IN-PERSON: Onsite at Abu Dhabi

DATE: 25-27 Nov 2024

TIME: 09:00 to 17:00 GST/GMT+4

Date Day Time Duration
25 Nov Monday 09:00 to 17:00 GST/GMT+4 8 Hours
26 Nov Tuesday 09:00 to 17:00 GST/GMT+4 8 Hours
27 Nov Wednesday 09:00 to 17:00 GST/GMT+4 8 Hours
After running sold-out training at multiple conferences over the last few years, we are back with an updated version of our course which now covers ARM64, iOS & Android Internals, and detailed Mobile apps and operating system security. The class starts with a basic introduction to the ARM instruction set and calling conventions followed by some reverse engineering exercises. We then learn how to craft simple exploits for the ARM64 environment.

The training will be based on exploiting Damn Vulnerable iOS app, Android-InsecureBankv2, InsecurePass and a wide range of real-world application vulnerabilities in order to give in-depth knowledge about the different kinds of vulnerabilities in Mobile applications. After the workshop, the students can successfully audit and secure applications running on iOS/Android operating systems, as well as get a better understanding of their Internals. Students will learn how to use Frida, a dynamic instrumentation framework, for doing vulnerability research.

Slides, Custom scripts, Videos, VM and detailed documentation on the labs will be provided to the students for practice after the class. Corellium access will be provided to students during the training course. Students will be provided access to a Slack channel where the trainers will help prep them for the class, and the students can retain access to it for the foreseeable future.

Slides, videos, and detailed documentation on the labs will be provided to the students for practice after the class. Corellium access will be provided to students during the training course.

 

What will the students get:
  • Videos for some vulnerabilities shared in the class
  • Huge list of good reads and articles for learning mobile application security
  • Source code for vulnerable applications
  • Source code for Exploit PoCs’ that can be used for Bug Bounties
  • Custom VM for hands-on pentesting after the class
  • Students will be provided with access to Corellium for iOS hands-on for the duration of the course
  • Students will be provided access to cloud instances for the duration of the course
  • Slack access for the class and after for regular mobile security discussions

Why You Should Take This Course

This is a completely hands-on course designed for beginners and intermediate students. Instead of just slides, attendees will get a chance to exploit all of the vulnerabilities taught by the instructors. The attendees will be provided with Cloud-based Corellium labs for performing the hands-on iOS and Android exercises without the need to carry physical phones. The slack channel is created before the course for the students so that they can be adequately prepped in terms of hardware and software before the class.

Who Should Attend

This course is for penetration testers, mobile developers, or anyone keen to learn mobile application security.

Key Learning Objectives

  • Gain knowledge about the latest ARM64 instruction set.

  • Explore the internals of mobile kernels and learn about various kernel security mitigations.

  • Get an intro to some common bug categories UaF, Heap overflow, etc

  • Understand how jailbreaks and exploits are written

  • Familiarize yourself with recent bugs and their corresponding mitigations, such as TXM, SPTM, PAC, CoreTrust, and PPL.

  • Receive an introduction to common bug categories like UaF (Use-after-Free) and Heap overflow.

  • Understand the process of writing jailbreaks and exploits.

  • Develop the skill of reverse engineering iOS and Android binaries, including both apps and system binaries.

  • Learn how to conduct security audits on iOS and Android apps, identifying potential vulnerabilities.

  • Acquire techniques to bypass anti-debugging and obfuscation methods employed by developers.

  • Be able to read Mobile Kernel Vulnerability Reports and get a better understanding of them.

  • Receive a comprehensive overview of tools such as IDA Pro, Hopper, and Frida, and their practical applications.

  • Gain an introductory understanding of common bug categories found in Android and iOS systems.

  • Continue practicing the auditing of iOS and Android apps for security weaknesses.

  • Expand your knowledge on bypassing exploit mitigations using both manual and automated approaches.

  • Receive detailed guidance on utilizing IDA Pro, Hopper, and Frida for advanced analysis and exploration.
  • Prerequisite Knowledge

    The course covers topics ranging from beginners to advanced topics. Basic Linux skills are the only requirement for the course. The Android and iOS kernel exploitation modules will require some basic exploit development background.

    Hardware / Software Requirements

    Laptop with:
    ● 8+ GB RAM
    ● Students will be provided with access to Linux cloud instances
    ● Students will be provided with access to Corellium for iOS hands-on and as such do not need to carry iOS devices
    ● Administrative access on the system
    Detailed Course Setup instructions and Slack access will be sent a few weeks prior to the class

    Your Instructor

    No data was found