Training Details

With mobile applications taking over the internet, it is more important than ever to write secure mobile applications. According to the US Census Bureau, by 2020 about $600 billion in annual e-commerce sales will be processed directly by mobile devices. It is believed that about 25% of traffic comes from mobile devices. Android Java, Android Kotlin, iOS Objective-C and iOS Swift are the major technologies that account for most of the mobile application market. How secure is it to write apps using these technologies? What are the latest mobile security tools and attack techniques in use?

This training answers the questions above. During the training, attendees will learn the latest techniques to assess mobile applications and best practices to build secure mobile apps. Drawing on their experience writing the book Hacking Android and producing several online tutorials on mobile security, the trainers have designed the course so that attendees not only learn the most common techniques but also get a taste of a few edge cases.

The trainers will use applications that are vulnerable by design for educational purposes. The technologies mentioned above are used to develop Android and iOS applications that simulate an imaginary ‘Securestore’. The trainers will teach how to analyze, debug, pen test and exploit these applications. In addition to the offensive techniques, attendees will also be taught the concepts of security by design when writing mobile applications.

Who should take this course?

  • Penetration Testers
  • Red Team Engineers
  • Application Security Engineers
  • Developers (Web & Mobile)
  • Incident Responders

Pre-requisites

  • Familiar with how mobile applications work
  • Familiar with APIs
  • Coding experience with either Android or iOS is an advantage

Requirements

  • A working laptop capable of running VMware Player/Workstation/Fusion
  • 8GB RAM required, at a minimum
  • Wireless network card
  • 40GB free Hard Disk space
  • If you’re using a new MacBook or MacBook Pro, please bring your dongle kit

Agenda

Android: (Day 1)

  • Profiling the application
  • Debugging Apps
  • Insecure data storage
  • Client Side Injection
  • Authorization Bypass
  • Runtime manipulation using Frida
  • Bypassing root detection/SSL Pinning
  • Bypassing complex root detection implementations (based on real world case studies)
  • Attacking Android applications using Objection
  • Testing applications using non-rooted devices
  • Security testing for REST APIs
  • Analyzing a custom vulnerable app that uses AES 256 for its communications – Breaking end to end encryption (based on real world case studies)
  • Writing Burp Extensions to automatically encrypt/decrypt the traffic
  • Introduction to Brida
  • Kotlin secure coding guidelines

iOS: (Day 2)

  • Profiling the application
  • Debugging Apps
  • Insecure data storage
  • Client Side Injection
  • Authorization Bypass
  • Runtime manipulation using Frida
  • Bypassing Jailbreak detection/SSL Pinning
  • Bypassing complex Jailbreak detection implementations (based on a real world case study)
  • Attacking iOS applications using Objection
  • Testing applications using non-jailbroken devices
  • Security testing for REST APIs
  • Analyzing a custom vulnerable app that uses AES 256 for its communications – Breaking end to end encryption (based on a real world case study)
  • Writing Burp Extensions to automatically encrypt/decrypt the traffic
  • Introduction to Brida

Secure Coding Practices against common vulnerabilities

Automating mobile application security

Security by Design for mobile applications