Mobile App Penetration Testing

Eon IT Mobile App Security Assessment is a 5-day hands-on course aimed at giving you the knowledge, skills and experience to understand the security aspects of Apple iOS, Android, and wearable devices, including Apple Watch and Android Wear. This course is carefully designed by information security practitioners and looks in depth at all aspects of mobile security. It covers the basics and theory and goes all the way up to writing scripts to attack mobile apps. Using real-world examples of security breaches, either in the smartphone security framework or in third-party applications, we will walk through all the practical dimensions of hardening mobile apps. The course aims to provide you with the practical knowledge to evaluate the security posture of any mobile app, whether built-in or third party. This training focuses on the latest hacking attacks targeting mobile platforms such as iOS and Android and covers countermeasures to secure mobile infrastructure. Participants will learn how attackers break into mobile applications to obtain sensitive data and how to secure those applications against a variety of security threats. You’ll learn how to bypass platform encryption, and how to manipulate Android apps to circumvent obfuscation techniques. You’ll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels. You’ll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS devices, and you’ll exploit lost or stolen devices to harvest sensitive mobile application data.

Course Outline

Day 1 – Mobile App Security Overview
  • Identifying components of a mobile Operating System (OS)
  • Recognizing application security challenges
  • Exposing the threats faced by mobile devices
  • Attack landscape
  • Anonymity in Mobile Apps for Web usage
  • Active & Passive Reconnaissance
  • Rules of Engagement limitations
  • Intelligence Gathering / Threat Modeling
  • Importance of Mobile Security & OWASP Top 10 Mobile Risks
  • Introduction to Python coding for PenTesting
Day 2 – PenTesting Android
  • Introduction to Android and its Security Model
  • Android Lab Setup, Setup on Ubuntu Environment
  • Familiarity with Android Development Tools Eclipse IDE & Android Debug Bridge
  • Android Brief Introduction including Booting, Data Structure & Architecture of Android
  • Interacting with Android Devices
  • Certificate impersonation and mobile devices
  • Using NMAP in Mobile Security Assessments
  • Bypassing wireless authentication/protocols
  • Secure communication protocols
  • Traffic Interception and Analysis of Mobile Apps Traffic
  • Hands on Lab using virtual machine
Day 3 – PenTesting Android Cont.
  • Using Wireshark for sniffing & analyzing packets as MITM
  • Identifying vulnerable Apps to Session Hijacking a.k.a. Sidejacking
  • Penetration test using sidejacking
  • Common Vulnerabilities detection and exploitations
  • Android Malware Analysis using Static & Dynamic Techniques with Droidbox
  • Manipulating HTTPS traffic with various tools & techniques
  • Fuzzing Android Apps by Burp Suite
  • Authentication Attacks
  • TLS impersonation
  • Automated Security Assessment with Drozer
  • Exploiting Android Apps using Metasploit Framework
  • Basic exploit creation using Python for Mobile App PenTesting
  • Hands on Lab using virtual machine
Day 4 – PenTesting iOS
  • Introduction to iOS Security
  • iOS MVC Design and Security Model
  • iOS Weak Server Side Controls
  • Insecure Data Storage & Client Side Injection Attacks
  • Setting up an iOS Lab for Penetration Testing with Jailbreaking
  • Intercepting Traffic over HTTP, HTTPS and iOS simulator
  • Bypassing SSL Pinning & WebAPI attack demo
  • Cross-site scripting
  • Exploiting SQL injection
  • Android Penetration Testing
  • Hands on Lab using virtual machine
Day 5 – PenTesting iOS Cont.
  • Analyzing iOS Binary & its protection
  • Decrypting Signed/Unsigned iOS Applications
  • Reverse Engineering iOS App Code
  • Apps Analysis using Cycript & Snoop-it
  • iOS Exploitation by Bind TCP & reverse TCP techniques
  • Creating iOS Backdoor
  • iOS Forensics including iPhone hardware & software
  • Basic exploit creation using Python for Mobile App PenTesting
  • Hands on Lab using virtual machine

Attendees will receive

  • Training material: copy of the presenter’s slides
  • Virtual Machines with hands-on exercises and Mobile App Security Assessment tools
  • Hacking toolkit
  • Practice Virtual Machines