Upskilling Training

Mobile Application Security Testing

Mobile application penetration testing (pentesting) is the process of testing and examining a mobile application in the same way a malicious user would attack it. Effective mobile pentesting starts with understanding the business purpose of the application and the types of data it processes. Mobile application security testing can be thought of as a pre-production check that security controls in an application work as expected, while safeguarding against implementation errors.

Participants will be able to evaluate the security weaknesses of mobile applications. They will learn manual and automated mobile application testing with a range of analysis tools to identify deficiencies in mobile application network traffic, file system storage, and inter-application communication channels. They will learn how to bypass platform encryption and manipulate apps to circumvent client-side security techniques, and will be able to intercept and manipulate mobile device network activity and alter the behaviour of mobile applications to bypass security restrictions.

English

Duration 4 Days

Who Should Attend?

    People who want to investigate, detect, evaluate, or remediate security vulnerabilities in mobile applications. Especially for:

  • Penetration testers
  • Ethical hackers
  • Auditors who need to build deeper technical skills
  • Software developers who want to design and develop secure mobile applications

Course Syllabus

    Mobile Device Architecture and Common Mobile Threats

  • Introduction to Mobile Security

    Android

  • Android Architecture
  • Threats on Rooted and Non-rooted Mobile Phones
  • Setting up a Test Environment
  • Mobile Device File System
  • Fingerprinting Mobile Devices
  • Network Activity Monitoring
    • Using man-in-the-middle tools against mobile devices
    • Sniffing, modifying, and dropping packets as a man-in-the-middle
  • Reverse Engineering and Static Application Analysis
  • Dynamic Application Analysis
  • Manipulating Application Behaviour
    • Android application manipulation with Apktool
    • Reading and modifying Dalvik bytecode
    • Adding Android application functionality, from Java to Dalvik bytecode
    • Android application interaction and intent manipulation with Drozer
    • Method hooking with Frida and Objection
  • Best Practices and Security Guidelines for Mobile Applications

    iOS

  • iOS Architecture
  • Introduction to iOS Security
  • iOS Application Fundamentals
  • Device Jailbreaking
  • Creating an Application Pentest Platform
  • Reversing iOS Apps
  • Advanced Application Runtime Analysis
  • Manipulating and Analysing iOS Applications
    • Runtime iOS application manipulation with Frida
    • iOS application vulnerability analysis with Needle
    • Tracing iOS application behaviour and API use
    • Extracting secrets with KeychainDumper
    • Method hooking with Frida and Objection
  • Network Traffic Analysis
  • Exploiting iOS Applications
  • iOS Forensics and Data Recovery

Pre-requisites

This is an advanced course. Participants are required to have a basic understanding of networking and mobile operating systems, and:

  • An understanding of fundamental information security concepts
  • Basic knowledge of the Linux and Windows command line
  • Basic knowledge of at least one programming language such as Java, C, Objective-C, Swift, or an assembly language

Level: Advanced