AppSecUSA 2015 has ended
AppSecUSA 2015 - Buy ticket at http://2015.appsecusa.org/buy/
Back To Schedule
Tuesday, September 22 • 11:00am - 12:30pm
Training (2 days): Advanced Android and iOS Hands-on Exploitation

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. 

Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more. 

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.

Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training. 

The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation. 

Some of the lab exercises include : 

[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks. 
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps 

These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.

Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers

What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
Genymotion installed and configured with Android v 4.1.1 and 5.0 images

avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation... Read More →

Tuesday September 22, 2015 11:00am - 12:30pm PDT
Pacific G