SEARCH
TOOLBOX
LANGUAGES
Spring Training 2018 - Xtreme MobileApp Exploitation

Spring Training 2018 - Xtreme MobileApp Exploitation

From BruCON 2018

Jump to: navigation, search

Xtreme MobileApp Exploitation

Xtreme MobileApp Exploitation training is a 3 days fast paced training in which attendees will get to work on real world vulnerable applications with no - source code and learn to finding high severity bugs.

Course Description

The course focuses on using advanced tools and techniques that works on real world applications. Security Sensitive applications today employee obfuscation and de-compiler protections to prevent security analysis . We look at how we can bypass these protections by understanding the obfuscation logic. Its also important to know how to analyse the companion apps which gets installed in Android Wear Devices / Apple Watch . These applications are different from a regular IOS/ Android application , but can have serious vulnerabilities.

We also dive into malware analysis in Android / IOS , with off the shelf tools , attendees will uncover the malware techniques used to hide their presence, self protection and persistence . We cover advanced topics like fuzzing , hooking native and java code , root and tamper detection bypasses .The training ends with a CTF that would put the skills from the training to test.

Course contents

Android :

  • Setting up your Pentest Env
  • Rooting Android Device
  • Using Emulator for Pentesting
  • Android Debug Bridge
  • Understand Android Application Components.
  • Understand Android Wear Applications
  • How to Decompile android application.
  • How to make sense of obfuscated code
  • De-obduscation using off the shelf tools
  • How Dalvik / ART Works
  • Traffic interception of android applications
  • How to handle SSL protections (cert validation, SSL Pinning)
  • How to intercept non HTTP Traffic
  • Vulnerability Hunting in Application Components
  • Defeating Root detection.
  • HTML5 Application analysis
  • Static analysis of application
  • Manual and Automated dynamic analysis
  • Application hooking and dynamic instrumentation with writing your own module
  • Hands on Frida Framework
  • Hands on Xposed Framework
  • Fuzzing Android (core and applications)
  • CTF challenge to be solved based on learnings during class. (expected to write a code or use proper tools)

IOS :

  • Setting up your Pentest Env
  • Using Simulator for Pen-testing
  • Preparing iOS device for Pentesting
  • Jailbreaking - Internals
  • Understanding IOS Application Components
  • Understanding Apple Watch Applications
  • Understanding Xcode
  • Objective C basics
  • Swift Basics
  • Decompilation / Static Analysis using Hopper
  • How to make sense of obfuscated code
  • Patching IPA's for bypassing security checks
  • Starting with Dynamic Analysis
  • Vulnerability Hunting in IOS App and Apple Watch Apps
  • Using Cycript for Runtime Manipulation
  • Traffic Manipulation / SSL pinning and Bypasses
  • Manual and Automated Analysis
  • Fuzzing IOS
  • Hands on Frida Framework
  • Hands on cycript
  • Using Needle for iOS app Assesments
  • CTF challenge to be solved based on learnings during class. (expected to write a code or use proper tools)

Target audience

Developers , Security Enthusiasts , Penetration testers

Requirements

Students should :

  • Coming soon...

Hardware/software Requirements

Unless specified otherwise, students are required to bring the following :

  • Coming Soon...

Trainer Biography

Anto Joseph.jpg

Anto Joseph is a Security Engineer at Intel. He has 5 years of corporate experience in developing and advocating security in Mobile and Web Platforms. Machine Learning is one of his key areas of Interest. He is very passionate about exploring new ideas in these areas and has been a presenter and trainer at various security conferences including BH USA/EU, DEFCON, BruCon, Phdays, HackInParis, HITB Amsterdam, NullCon, GroundZero, c0c0n and more.He is an active contributor to many open-source projects and some of his work is available at https://github.com/antojoseph.



300px-twitter-icon.jpg @antojosep007

Links :

Wed. 18 - 20 April 2018 (09:00 - 17:00) (3-day) - Novotel Ghent Centrum

Register.jpg

Back to Training Overview