DeepSec 2025 Training: The Mobile Playbook – A Guide to iOS and Android App Security (hybrid – in person or online) – Sven Schleier

Sanna / August 6, 2025 / Training

This intensive two-day course equips you with practical skills for identifying and exploiting vulnerabilities in mobile apps across both Android and iOS. You’ll analyze a mix of real-world apps and custom training apps using tools like Frida, Burp Suite, jadx and other open-source tools.

By the end of the training, you’ll know how to:

  • intercept and analyze any type of network traffic in mobile apps, even when SSL pinning is used,
  • bypass protection mechanisms such as root/jailbreak detection,
  • decompile APKs and perform manual source code reviews,
  • reverse engineer Swift-based iOS applications and
  • apply a thorough methodology based on the OWASP Mobile Application Security Testing Guide (MASTG).

The labs cover static and dynamic analysis, reverse engineering, and Software Composition Analysis (SCA), all through hands-on exercises.

No need to bring your own devices: each participant gets access to a cloud-based rooted Android and jailbroken iOS environment via Corellium.

Whether you are a beginner wanting to learn mobile app testing from scratch, an experienced penetration tester or developer wanting to improve your mobile application security knowledge and skills, or someone looking to have some fun, this training will help you achieve your goals.

Detailed outline

Day 1 – Android

We begin with an overview of the Android platform and its security architecture, then move into a full day of hands-on labs covering:

  • Setting up an Android testing environment with Corellium
  • Using Android Debug Bridge (adb) effectively during app pentests
  • Intercepting network traffic from apps built with frameworks like Flutter
  • Analyzing network traffic, including non-HTTP protocols, with Burp Suite and Wireshark
  • Reverse engineering a Kotlin app and exploiting a real-world deep link vulnerability through manual code review
  • Scanning APKs for hardcoded secrets
  • Getting started with Frida for dynamic instrumentation
  • Analyzing Android app storage options (app-specific, shared storage, etc.)
  • Using dynamic instrumentation with Frida to:
      • Bypass root detection mechanisms
      • Bypass Frida detection mechanisms
      • Attack a real-world app and overcome its protection mechanisms
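As an added illustration of the Day 1 material (example code, not part of the course or its training apps): before reverse engineering a deep link handler, a tester first enumerates which activities a link can reach at all. The script below parses a decoded AndroidManifest.xml, lists every activity with an android.intent.action.VIEW intent-filter, works out whether it is exported (explicitly, or implicitly because it carries an intent-filter with no android:exported attribute) and prints the adb command that fires the link on the device. The sample manifest, its package name and activity names are constructed for this example.

```python
# Added example (not part of the course material): find deep-link entry points
# in a decoded AndroidManifest.xml and print the adb command to trigger them.
import shlex
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Qualified name of an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed sample manifest; package and activity names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.training">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".WebViewActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="training" android:host="open"/>
        <data android:scheme="https" android:host="app.example.com"
              android:pathPrefix="/open"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="internal"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def find_deep_links(manifest_xml):
    """Return one finding per <data> element of every VIEW intent-filter.

    exported=True means another app (or a browser, if BROWSABLE) can start the
    activity. With android:exported absent, a component that has an
    intent-filter is implicitly exported on older targets; apps targeting
    Android 12 (API 31) or higher must declare the attribute explicitly.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        exported_attr = activity.get(android("exported"))
        filters = activity.findall("intent-filter")
        if exported_attr is None:
            exported = bool(filters)          # implicit export via intent-filter
        else:
            exported = exported_attr == "true"
        for flt in filters:
            actions = {a.get(android("name")) for a in flt.findall("action")}
            if "android.intent.action.VIEW" not in actions:
                continue
            categories = {c.get(android("name")) for c in flt.findall("category")}
            for data in flt.findall("data"):
                uri = data.get(android("scheme"), "") + "://" + data.get(android("host"), "")
                for key in ("pathPrefix", "path", "pathPattern"):
                    if data.get(android(key)):
                        uri += data.get(android(key))
                        break
                findings.append({
                    "activity": activity.get(android("name")),
                    "uri": uri,
                    "exported": exported,
                    "implicit_export": exported_attr is None,
                    "browsable": "android.intent.category.BROWSABLE" in categories,
                })
    return findings


def adb_start_command(uri):
    """adb command that sends the deep link to the device (e.g. the Corellium
    Android VM). shlex.quote protects the local shell; because adb shell hands
    the line to the device shell as well, a URI containing '&' needs a second
    level of quoting there."""
    return "adb shell am start -a android.intent.action.VIEW -d %s" % shlex.quote(uri)


if __name__ == "__main__":
    for f in find_deep_links(SAMPLE_MANIFEST):
        state = "EXPORTED" if f["exported"] else "not exported"
        if f["implicit_export"]:
            state += " (implicit: android:exported not set)"
        print("%-22s %-32s %s" % (f["activity"], f["uri"], state))
        if f["exported"]:
            print("    " + adb_start_command(f["uri"]))
```

Run it against the manifest apktool or jadx produced for the target app instead of SAMPLE_MANIFEST; the exported, BROWSABLE entries are the ones a malicious app or a link in a browser can reach, so those handlers are where the manual code review of the Kotlin sources starts.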

Day 2 – iOS

On the second day, we shift to iOS app security, again focusing on hands-on labs:

  • Static analysis of Swift code to identify vulnerabilities and eliminate false positives
  • Software Composition Analysis (SCA) for iOS: scanning third-party libraries and mitigation strategies
  • Setting up the iOS testing environment with Corellium
  • Intercepting network traffic in iOS apps
  • Bypassing different implementations of SSL pinning using Frida
  • Frida crash course for dynamic instrumentation of iOS apps
  • Analyzing iOS app storage mechanisms
  • Testing methodology using jailed (non-jailbroken) devices via Frida gadget injection
  • Testing watchOS apps and understanding platform limitations
  • Using Frida to bypass runtime protections:
      • Jailbreak detection mechanisms
      • Frida detection logic

We’ll wrap up the final day with a Capture the Flag (CTF), where you can apply your new skills and win a prize!

Upon completing the course, participants will:

  • have a deeper understanding of mobile app security testing,
  • know how to identify and exploit vulnerabilities,
  • be able to recommend effective mitigation strategies to development teams, and
  • follow a structured testing methodology based on the OWASP Mobile Application Security Testing Guide (MASTG).

What students should bring

To follow all exercises and participate fully, students should have:

  • A laptop (Windows or macOS) with at least 16 GB of RAM and 50 GB of free disk space
  • Full administrative access to the system (e.g., ability to disable VPN or antivirus if needed)
  • Virtualization software (e.g., VMware, VirtualBox, or UTM); a pre-configured virtual machine will be provided for both x86 and ARM architectures (including M1–M4 MacBooks), with all required tools preinstalled.
  • Optional but recommended: A tablet for viewing the lab slides during hands-on sessions.

An iOS or Android device is not required. Each participant will receive access to a cloud-based Corellium instance, including a jailbroken iOS device and a rooted Android device, for use throughout the training.

What students will receive

  • PDF slide decks and lab instructions for both Android and iOS.
  • All vulnerable training apps, provided as APK and IPA files.
  • A Dockerfile for the backend APIs the training apps communicate with.
  • Detailed write-ups for all labs, which you can review at your own pace after the course.
  • Access to a dedicated Slack channel for pre-course preparation, in-class support, and post-course Q&A.
  • A certificate of completion.

What prerequisites should students have before attending this training?

This course is designed for beginner to intermediate participants. Students should have:

  • A basic understanding of mobile apps
  • Basic experience using the Linux command line

We asked Sven a few more questions about his training.

Please tell us the top 5 facts about your training.

  1. Focus: The course teaches penetration testing of Android and iOS apps using the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is an open-source documentation project that summarises techniques for penetration testing and reverse engineering of mobile apps.
  2. Hands-on Experience: We will go through many labs and scenarios with customized apps, but also real-world apps that we will reverse engineer and analyse. Many of the labs can be done offline at your own pace after the training. All labs will have detailed instructions that you can follow to complete them.
  3. iOS and Android devices provided: Each student will receive emulated devices via Corellium, eliminating the need for personal devices during the training. You will have a jailbroken iOS device and a rooted Android device during the two-day training.
  4. Key Topics: Learn a holistic and consistent methodology for testing the security of mobile apps, including reverse engineering, dynamic instrumentation with Frida, intercepting network traffic and bypassing security mechanisms in mobile apps.
  5. Completion Benefits: Participants receive detailed course materials, a certificate, and continued support via Slack.

The only thing you need to attend the training is a laptop (no Android or iOS device is needed) and to be curious to figure out how to attack mobile apps.

 

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

I was executing many penetration tests against mobile apps during my time in Singapore, where I lived for almost 10 years. During this time I was fortunate to test a very diverse set of Android and iOS apps created by start-ups, banks and many other industries. They all had one thing in common: they were all very progressive and sometimes difficult to test, which challenged me and my colleagues to come up with new ideas for testing mobile apps and to document our methodologies in our internal knowledge base.

During this time, my colleagues and I realized that there was no centralized documentation publicly available, but many fragmented bits and pieces on how to assess iOS and Android apps.

Because of this, I was part of the initial team that took over the OWASP Mobile Application Security Testing Guide (MASTG) and created the OWASP Mobile Application Security Verification Standard (MASVS) project in 2016. In a great community effort over the years, we were able to achieve OWASP Flagship status. Both projects are now the foundation of Google’s App Defense Alliance (ADA) to ensure safety in the Google Play Store, are also referenced in various standards, like NIST in the US and mobile payment standards in the EU, and have become the industry standard for mobile security.

For the training, many vulnerable mobile apps were created as part of my research, and because of the vast amount of content and knowledge I gained, I experimented with pro-bono training for the security community in Singapore. One thing led to another, and I delivered my first training at OWASP AppSec US 2018 in San Jose. Over the years I made many iterations over the content and delivered this training in various countries around the globe, and I am looking forward to doing it in a hybrid setup for DeepSec in November this year.

Why do you think this is an important topic?

Web application penetration testing has matured over the years, and a common methodology has been adopted by the wider community. In our experience, however, mobile penetration testing was often mistaken to require the same skills as web penetration testing. But the threat landscape, test methodology and exploitation techniques are different.

To name a few, there are additional hardware features such as biometric authentication (Face ID) and the usage of deep links that may introduce a gaping hole in your application. Moreover, security controls like jailbreak detection or SSL pinning can complicate your usual security testing approach.

Also, some known vulnerabilities from the web app pentesting world are only partly applicable or not applicable at all to mobile apps. If a mobile app doesn’t have a WebView, then a Cross-Site Scripting (XSS) JavaScript payload will never be rendered and executed. Likewise, Cross-Site Request Forgery (CSRF) is something that cannot easily be exploited in a mobile app.

As mobile technology evolves and mobile security takes shape, there will be a lot of missed opportunities and inaccurate evaluations if the usual web penetration testing approach is taken. A lot of things can be mapped from web app to mobile app testing, but you need to understand the differences to test it the right way, and also understand the risk tied to the vulnerabilities, so you can communicate the potential impact accordingly to the teams and customers.

Is there something you want everybody to know – some good advice for our readers maybe?

Last year we introduced the Mobile Application Security Weakness Enumeration (MASWE), which is a list of common security and privacy weaknesses in mobile applications. It is intended to be used as a reference for developers, security researchers and security professionals. It acts as the bridge between the MASVS and the MASTG.

For its definition we drew inspiration from the Common Weakness Enumeration (CWE), which is a community-developed list of common software security weaknesses. The MASWE is intended to be a complementary list to the CWE, focusing specifically on security weaknesses in mobile applications.

A weakness is a security or privacy issue that can be introduced into a mobile application. Weaknesses are categorized by the MASVS categories and controls. For example, a weakness related to the “Insertion of Sensitive Data into Logs” is categorized under the MASVS-STORAGE-2 control. Each weakness has tests that outline the technical steps that one can execute and also demo apps that can be used to verify the tests on your own device.

Otherwise, if you are about to start in mobile app penetration testing, get your hands dirty. The approach that you apply for attacking other technologies is also applicable to mobile apps, which means:

  • Build an app (understand it)
  • Attack it (break it)

This is how you usually learn it best, and you also get used to the developer toolchain, which helps during analysis of mobile apps. Also rely on the tests that we defined in the Mobile AppSec Testing Guide, which will ensure consistency in your testing. As with everything in life, practice is key!

If you are a pure breaker, download one of the many vulnerable apps that are already available. A summary can be found here:
https://mas.owasp.org/crackmes/
https://mas.owasp.org/MASTG/apps/

Another way is to just go for one of the various bug bounty programs out there. Many times they are also applicable to mobile apps.

 

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

Mobile Apps are omnipresent nowadays and many start-ups and even big enterprises follow the “mobile first” approach and we have a zoo of various frameworks and programming languages out there to produce mobile apps. This creates a lot of complexity through various code bases, not only for the developers, but also for the security researchers and testers. That’s why some companies are now embedding more WebViews in a mobile app and don’t code native UI elements anymore and instead get the look and feel of a mobile app via CSS. This might lead to more web and JavaScript related vulnerabilities in such apps.

Another important area to watch is how mobile app testing is evolving. With Apple Silicon bringing ARM64 architecture to macOS, the same architecture used in iPhones and iPads, it’s now possible to install and run iOS apps—including .ipa files and even App Store apps—directly on macOS.

This shift opens the door to more realistic testing environments without requiring a physical iOS device. Some researchers are already taking advantage of this setup, and it’s likely that macOS-based testing could become increasingly common in the years ahead. However, while promising, it won’t completely replace testing on real devices—especially when it comes to features that rely on specific hardware, jailbroken environments, or real-world conditions.

Still, Apple Silicon represents a foundational shift that could redefine how developers and security researchers approach iOS app testing.

Another trend we are expecting is a stronger focus on privacy-related vulnerabilities. We have seen that the public has become more educated about privacy. Android and Apple are gradually granularizing the permissions of applications, and Apple has its pro-privacy policy on advertisement tracking. These are great wins, but changes on the operating systems are usually slow and monumental. We expect that data collection will continue to happen, as it’s also part of the business model for many app creators and companies, and we have seen third-party SDKs or libraries collect data without the knowledge of developers and users. It will be no surprise to see a demand for identifying app components that may violate personal privacy, and this has also now become its own category in the OWASP MASVS (see https://mas.owasp.org/MASVS/12-MASVS-PRIVACY/).

 

Sven is a co-founder of Bai7 GmbH in Austria, which specializes in training and advisory services. He has expertise in cloud security, offensive security engagements (penetration testing) and application security, notably in guiding software development teams across mobile and web applications throughout the Software Development Life Cycle (SDLC) to integrate robust security measures from the start.

Besides his day job, Sven has been involved with the Open Worldwide Application Security Project (OWASP) since 2016. As a co-project leader and author, he has contributed significantly to the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP Mobile Application Security Verification Standard (MASVS).
