DeepSec 2021 Training: Mobile Security Testing Guide Hands-On – Sven Schleier
LIVE ONLINE TRAINING
[Note: This training will be completely remote. This allows you to better plan your workshop commitments when booking tickets. You can also by a ticket for just attending this training (without access to the conference). In that case please write an e-mail to firstname.lastname@example.org]
Mobile apps are omnipresent in our lives and we are using more and more apps to support us, ranging from simple to complex daily tasks. Even though modern mobile operating systems like iOS and Android offer great functionalities to secure data storage and communication, these have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some aspects that require careful consideration.
The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS), and provides a baseline for complete and consistent security tests.
We base the proposed training on the MSTG and will teach you how to analyse Android and iOS apps for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.
The following list contains the key areas of the training and its exercises:
- iOS and Android security fundamentals
- Preparing a testing environment for iOS and Android with Corellium
- Crash-course into Frida and Dynamic Instrumentation
- Investigating Local Data Storage
- Intercepting HTTP and non-HTTP communication
- Anti-Tampering and Anti-Reversing
- Teaching a method for conducting consistent mobile app security testing
If you just entered the domain of mobile app penetration testing, or have only experience in Web App Testing and would like to make the switch to mobile, this session is a perfect starting point for you. There are some more advanced topics that will also be of interest for more experienced testers.
The course comprises many labs developed by the instructor and the course is roughly 50% hands on and 50% lecture.
At the end of each day, we will play a small CTF to investigate different apps with the newly learned skills and you will have the chance to win a price!
After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them, and how to execute tests consistently.
Sven is the Technical Director of F-Secure Singapore and has hands-on experience in attacking and defending web and mobile apps for the last 10+ years. He became specialised in Application Security and has supported and guided software development projects for Mobile and Web Applications during the whole SDLC.
Besides his day job Sven is since 2016 one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS) and has created the OWASP Mobile Hacking Playground. Sven is giving talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to students and penetration testers.