DeepSec 2019 Training: Mobile Hacking – Davy Douhine and Guillaume Lopes
Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks with pentesters, bug bounty researchers or just the curious in a 100% “hands-on” training.
Their goal is to introduce tools (Adb, Apktool, Jadx, Androguard, Cycript, Drozer, Frida, Hopper, Needle, MobSF, etc.) and techniques that help you work faster and more efficiently in the mobile ecosystem. This is exactly the training that you would have liked to have before wasting your precious time trying and failing while testing.
Main topics of the training are based on the fresh OWASP MSTG (Mobile Security Testing Guide):
– Review the codebase of a mobile app (aka static analysis)
– Run the app on a rooted device (to check data security issues)
– Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)
– MiTM all the network communications (aka inspect the traffic)
A VM will be provided to the attendees with the pre-installed tools to cover most of the labs.
We asked Davy and Guillaume a few more questions about their training.
Please tell us the top 5 facts about your training.
1. It’s a hands-on training! Less talk and more exercises.
2. The goal is to learn techniques that you can apply in real use cases.
3. There is content for 3 days, so attendees will have exercises to do later if they want to go deeper.
4. We’ll provide a VM set up with essential tools to assess the security of Android and iOS mobile apps.
5. iOS exercises are based on the famous Corellium virtualization solution.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk / course?
We started to introduce mobile hacking training as a chapter of our Advanced Pentesting workshop given at DeepSec last year. Then we made a full training focused on this subject and gave it privately and at Hack In Paris in 2019.
Why do you think this is an important topic?
Mobile Security Testing is quite a recent subject in the very broad security testing field, and the increase in mobile usage will accelerate the need for security testers, but also makers, to shift towards this subject. Mobile risks are slightly different from traditional IT risks, and a mobile ecosystem implies a completely different set of tools and techniques to be correctly tested.
Is there something you want everybody to know – some good advice for our readers maybe?
Unfortunately, during the last years testers and makers had to struggle to find fresh and usable information. As a result, when dealing with mobile pentests, testers often focus on an extremely narrow spectrum of what could be really tested: they launched BurpSuite or ZAP (hoping that the app they assessed didn’t use certificate pinning) and analyzed the network communications and the distant API. But there’s also hope: one year ago the OWASP foundation disclosed the first official version of the OWASP Mobile Security Testing Guide. Clearly a game changer, this guide, released together with the Mobile AppSec Verification Standard and a checklist, has instantly become a reference by giving, for free, a step-by-step cookbook to help people check each important corner in mobile apps.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?
Bad guys evolve and the threats don’t spare mobiles. White hats and developers should also be aware of the right ways to secure apps and assess them: this workshop’s aim is to train attendees to assess iOS and Android application security level on their own.
Davy Douhine (@ddouhine), founder of RandoriSec, an infosec company, has been working in the information security field for almost fifteen years. He mainly works for key accounts in finance, banking and defense, doing pentests and holding trainings to help them improve their security. He enjoys climbing rocks in Fontainebleau or in the Bourgogne vineyards and practices Brazilian jiu-jitsu.
Guillaume Lopes (@Guillaume_Lopes) is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently working as a Senior Penetration Tester at RandoriSec, he is also a member of the Checkmarx Application Security Research Team. He likes to play CTF (Hackthebox, Insomni’hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi’hack team.