-
Adversary Simulation
Our best in class red team can deliver a holistic cyber attack simulation to provide a true evaluation of your organisation’s cyber resilience.
-
Application
SecurityLeverage the team behind the industry-leading Web Application and Mobile Hacker’s Handbook series.
-
Penetration
TestingMDSec’s penetration testing team is trusted by companies from the world’s leading technology firms to global financial institutions.
-
Response
Our certified team work with customers at all stages of the Incident Response lifecycle through our range of proactive and reactive services.
The Mobile Application Hacker’s Handbook, Live Edition
Mobile Application Hacker’s Handbook Live Training
MDSec are recognised experts in mobile application security. Our latest edition of the Mobile Application Hacker’s Handbook [Wiley, 2015] spans 816 pages, and we run numerous global training courses on mobile security for development teams, and professional testers alike. This course follows chapters 1-9 of the Mobile Application Hacker’s Handbook, with a strong focus on practical attacks. Over the two-day training course delivered by the lead author of the book (Dominic Chell), delegates will learn the tricks and techniques to hack mobile applications on the iOS and Android platforms.
The course is an all-new novice to advanced level class that walks through the iOS and Android sections of the Mobile Application Hacker’s Handbook. It provides the most comprehensive and cutting edge guide to mobile application security, including coverage of both iOS and Android.
Delegates will gain a theoretical and practical understanding of:
- How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS and Android apps;
- How to decompile, reverse and patch iOS and Android apps;
- How to hack WebViews, client-side databases and the keychain;
- Instrument application runtimes using Frida, CydiaSubstrate, Cycript and Substrate tweaks;
- Exploitation of IPC mechanisms including content providers, URL handlers, broadcasts and intents;
- Practical exploitation of poorly implemented cryptography;
- Real-world techniques used to defeat real apps on iOS and Android;
- Knowledge of defensive and remedial advice.
Daily Class Outline:
Day 1:
The course begins with a brief introduction to mobile application security and the OWASP Mobile Top Ten, following chapter 1 of the book. When delegates are comfortable with general mobile application security practices, we delve in to the security of the iOS platform, including an overview of the platform security features, jailbreaking and approaches to mobile application security assessment. The following modules then review chapters 2, 3 and 4 of the book where common insecurities are covered, including but not limited to:
- Reverse engineering and patching binaries;
- Insecure file storage;
- Keychain attacks;
- Insecure transport security;
- Instrumenting the iOS runtime;
- Injection attacks;
- How to exploit IPC handlers;
- How to defeat security controls like jailbreak detection.
Day 2:
Day two of the course picks up at chapter 6, discussing the various attack surfaces for the Android platform and how to approach an app assessment. We then walk through the details of the techniques from chapter 7 and 8 that can be used to attack Android applications, including the following topics:
- Reverse engineering and decompiling Android apps;
- Insecure file storage;
- Insecure transport security;
- Instrumentation of the Dalvik runtime with Frida and Substrate;
- Exploitation of insecure IPC endpoints;
- Tap jacking.
