This is a new course in the Hacking By Numbers series and one we are incredibly excited about. The course is a mixture of talks and hands-on mobile application hacking. You'll tear apart top 10 mobile applications, look for flaws and exploit them the way attackers are currently doing.
As mobile phone usage continues to grow at an outstanding rate, this course shows you how to test mobile platforms and the applications installed on them to ensure they have been developed in a secure manner.
Hacking By Numbers Mobile will give you a complete and practical window into the methods used when attacking mobile platforms. This course is ideal for penetration testers who are new to the mobile area and need to understand how to analyse and audit applications on various mobile platforms using a variety of tools and platforms.
The mobile world as we know it
- The mobile ecosystems
- Historical background (SIM toolkits and J2ME)
- Common technology – similarities and differences (web vs. mobile)
- HTTP basics and how they relate to mobile applications
- iOS platform security
- Android platform security
- RIM and Windows 8 platform security
Covering the basics
- Common design patterns (MVC)
- Common protocols (HTTP/HTTPS/XML/JSON/sockets)
- Languages – Java/Objective-C/mobile .NET etc.
Building your penetration testing platform
- Which OS
- Hardware and emulators (the how, when and if)
- Device configuration and lab preparation
- Interception, breaking into the stream, basic protocol analysis
Mobile Application Analysis
- Information gathering (the what, the where and the how)
- Enumerating server-side technologies and functionality (MVC: one backend fits all)
- Storage, configuration and common mistakes (what people leave behind and where)
- iOS security
- Android security
- RIM and Windows 8
- Security models and the impact they have on app pentesting
- Extracting the application from the device
- Information disclosure
- Reverse engineering the application
- Reviewing permissions and identifying misconfigurations
- Memory analysis (checking the unseen)
Authentication & Authorization
- Determining how authentication and authorization are performed
- Single sign-on, SMS and push notifications
- Reviewing file permissions created at runtime for flaws
- Dealing with stored credentials
- Local input injection
- Server-side injection
- Inputs from untrusted sources
- How sessions are handled
- Data storage and encryption of sessions
- How, what and when sensitive data is stored on the mobile device
Transport Layer Security & Information Disclosure
- Security of log files
Broken Crypto, Breaking Assumptions
It should not be your first hacking course, but it can be taken back-to-back with Bootcamp or with Combat, depending on your existing level of experience. Although prior participation in an HBN course is not a prerequisite, significant exposure to hacking training, tools and techniques is highly recommended. Students should ideally have some development understanding and the ability to read code.
Exposure to basic application development and coding is preferred (not necessarily mobile development).
WHO SHOULD ATTEND
This course is ideal for penetration testers who are new to the mobile area and need to understand how to analyze and audit applications on various mobile platforms using a variety of tools.
PRICING, LOCATION AND AVAILABILITY
This two-day course includes lunch and is available online, at your premises (in-house) or at local training centres. Courses are limited to 20 students to allow for individual attention. Prices are available on request.
HBN Mobile Edition is available at the Black Hat Briefings in Las Vegas in July 2013 and at 44Con in London in September. Please see our training schedule, or contact us to book your place.