HBN Reloaded : Mobile Bootcamp

As mobile phone usage continues to grow at an outstanding rate, this course shows you how to test mobile platforms and the applications installed on them, to ensure they have been developed in a secure manner.

This course gives you insight into, and a practical window onto, the methods used when attacking mobile platforms. It is ideal for penetration testers who are new to the mobile area and need to understand how to analyze and audit applications on various mobile platforms using a variety of tools. Our mobile course uses a mixture of lectures, hands-on labs, demonstrations and group exercises.

The course runs over two days and is a mixture of talks and hands-on mobile application hacking. You’ll tear apart top-10 mobile applications, look for flaws, and exploit them the way attackers are currently doing.

Course Topics

Day One

The world as we know it

  • The Mobile Eco Systems
  • Historical Background (SIM toolkits, J2ME and other tech that has died along the way)
  • Common Technology – Similarities and Differences (Web vs. Mobile)
  • HTTP Basics and how they relate to mobile applications
  • iOS Platform Security
  • Android Platform Security
  • RIM and Windows 8 Platform Security

Covering the basics

  • Common protocols (HTTP/HTTPS/XML/JSON/Sockets)

Building your penetration testing platform

  • What OS
  • Hardware and Emulators (the how, when and if)
  • Tools
  • Device Configuration and Lab Prep
  • Interception, breaking into the stream, basic protocol analysis

Mobile Application Analysis

  • Information Gathering (the what, the where and the how)
  • Enumerating Server-Side technologies and functionality
  • Storage, configuration and common mistakes (what people leave and where)
  • iOS Security
  • Android Security
  • RIM and Windows 8
  • Security models, and the impact they have on app pen testing

Static Analysis

  • Extracting the application from the device
  • Information disclosure
  • Reviewing permissions and identifying misconfigurations
  • Reverse engineering the application
  • Memory analysis (Checking the unseen)

Runtime Analysis

  • Intents/Activities/Services/Broadcast receivers – what, why and how to exploit
  • iOS and Android substrate (Cycript)

Day Two

Authentication + Authorization

  • Determining how authentication + authorization are performed
  • Single sign-on, SMS and push notifications
  • Reviewing file permissions created at runtime for flaws
  • Dealing with stored credentials

Data validation

  • Local input injection
  • Server side injection
  • Inputs from untrusted sources

Session Management

  • How sessions are handled
  • Data storage and encryption of sessions
  • How/what sensitive data is stored on the mobile device and when
  • Transport Layer Security & Information Disclosure
  • Security of log files
  • Cache
  • Broken Crypto, Breaking Assumptions

Student Requirements

Students need to ensure they have the necessary level of skill. No hacking experience is required for this course, but students should have a solid technical grounding and exposure to basic application development and coding.

Students should ideally have some development understanding and the ability to read code.

Who Should Take This Course

This course is ideal for those wanting to learn how attackers are compromising mobile platforms and applications, and for penetration testers who are new to mobile platform and device penetration testing.

Pricing, Location and Availability

This is a two-day course that can be presented at your premises (in-house) or at local training centres. Prices are available on request.