Practical Mobile Application Security

Instructor-led training course

At a glance

This 32-hour course equips participants with the fundamental knowledge and practical skills to assess the security of Android and iOS mobile applications. Each module includes hands-on labs featuring unique, custom-developed scenarios and exercises based on real-world vulnerabilities, enabling participants to effectively identify and understand mobile security risks.

Prerequisites: Participants must possess the following technical skills:

  • Familiarity with the Linux CLI
  • Object-oriented programming fundamentals
  • Web application testing experience

The following skills are recommended, although not required for the course:

  • ARM/AARCH64 assembly familiarity
  • Java, Kotlin, Swift, or Objective-C programming experience
  • Experience testing thick-client applications
  • Web services (REST, SOAP, JSON) testing experience

Course goals

After completing this course, participants should understand:

  • Comprehensive mobile application testing capability: Participants will leave this course ready to test real-world applications as a hobby and professionally. This includes being able to download applications from a mobile device for analysis and overcoming common security hurdles including jailbreak/root detection, certificate pinning, and local storage encryption.
  • Experience with industry standard and modern tooling: Participants will be ready to use Corellium to administer devices, make extensive use of Frida to manipulate mobile applications at runtime, and combine various other tools and techniques to complete mobile application assessments. Participants will also leave with the knowledge and capability to build and use their own test environment to meet their testing needs.
  • Static analysis and reverse-engineering techniques: Participants will learn effective workflows and techniques for static analysis and reverse engineering. This course will cover Android APK file and iOS IPA file structures and contents, along with reverse-engineering Dalvik bytecode, Objective-C, and Swift assembly (ARM). These crucial skills will enable participants to assess local data storage mechanisms, inter-process communications, platform usage, and supplement dynamic instrumentation with Frida.
  • Inter-Process Communication (IPC) assessment techniques: Participants will gain the ability to effectively analyze and test common IPC mechanisms on both Android and iOS. This involves identifying exposed components (like Activities, Content Providers, or URL Schemes), interfacing with them using specialized tools, and discovering potential vulnerabilities such as data leakage or unauthorized actions through fuzzing and targeted analysis techniques.

Who this course helps

PMAS (Practical Mobile Application Security) is a fast-paced technical course designed to provide participants with real-world experience assessing mobile applications. The content assumes participants have a background in security fundamentals, threat modeling, object-oriented programming, and limited assembly (ARM) experience. Security engineers, application developers, and penetration testers will find this course most beneficial.

How it works

Delivery method

In-classroom instructor-led training

Duration

Four days

What to bring

Participants should bring their own laptop computer with the latest browser of choice and the ability to connect to the internet. Participants will receive course materials and access to a testing environment during the course duration.

Take the next step

Contact Mandiant Academy to learn more and schedule your course today.

Google Cloud