Monday morning, raring for a week of pwnage and you see you've just been handed a new assessment, awesome. The problem? It's a mobile assessment and you've never done one before. What do you do, approach your team leader and ask for another assessment? He's going to tell you to learn how to do a mobile assessment and do it quickly, there are plenty more to come.
Now you set out on your journey into mobile assessments and you get lucky, the application that needs to be assessed is an Android app. A few Google searches later and you are feeling pretty confident about this, Android assessments are meant to be easy, there are even a few tools out there that "do it all". You download the latest and greatest version, run it and the app gets a clean bill of health. After all, the tool says so, there is no attack surface; no exposed intents and the permissions all check out. You compile your report, hand it off to the client and a week later the client gets owned through the application... Apparently the backend servers were accepting application input without performing any authentication checks. Furthermore, all user input was trusted and no server side validation was being performed. What went wrong? How did you miss these basic mistakes? After-all, you followed all the steps, you ran the best tools and you ticked all the boxes. Unfortunately this approach is wrong, mobile assessments are not always simply about running a tool, a lot of the time they require the same steps used to test web applications, just applied in a different manner. This is where SensePost's Hacking by numbers: Mobile comes to the fore, the course aims to introduce you to mobile training from the ground up.
The course offers hands-on training, introducing techniques for assessing applications on Android, IOS, RIM and Windows 8. Some of the areas covered include:
On your next mobile assessment you'll be able to do both static and dynamic analysis of mobile applications. You will know where to find those credit card numbers stored on the phone and how to intercept traffic between the application and the backend servers.
The course: Hacking by numbers: Mobile