This full-fledged hands-on workshop will get the attendees familiar with the
various Android as well as iOS application analysis techniques and bypassing
the existing security models in both the
platforms. The main objective of this workshop is to provide a proper guide on
how the mobile
applications can be attacked and provide an overview of how some of the most
important security
checks for the applications are applied and get an in-depth understanding of
these security checks.
The workshop will also include a CTF challenge designed by the trainer in the end where the attendees will use their skills learnt during the workshop to solve this challenge.
This workshop will mainly focus on the following :
1. Reverse engineer Dex code for security analysis.
2. Jailbreaking/Rooting of the device and also various techniques to detect
Jailbreak/Root.
3. Runtime analysis of the apps by active debugging.
4. Modifying parts of the code, where any part can be specified as some
functions, classes and
to perform this check or to identify the modification, we will learn how to
find and calculate
the checksum of the code. Our objective in this section will be to learn,
Reverse Engineering
an application, get its executable binaries , modify these binaries
accordingly, resign the
application.
5. Runtime modification of code. Objective is to learn how the programs/codes
can be changed
or modified at runtime. we will learn how to perform introspection or
overriding the default
behavior of the methods during runtime and then we will learn how to identify
if the
methods have been changed). For iOS we can make use of tool Cycript, snoop-it
etc.
6. Hooking an application and learn to perform program/code modification.
7. By the end of workshop, based on the course content CTF challenges written
by the trainer will be launched, where the attendees will use their skills
learnt in the workshop to solve the CTF challenges.
The workshop will begin with a quick understanding on the architecture, file
system,permissions and security model of both iOS and Android platform.
NOTE:
1. The tools and techniques used in the workshop are all open source and no
special proprietary
tools need to be purchased by the attendees for analysis post the training.
Some of the tools
taught in the training will be helpful in analysis and automating test cases
for security testing
of the mobile apps:
✔ Drozer
✔ Introspy
✔ Apktool
✔ Dex2jar
✔ Cycript
✔ JD-Gui
✔ SSL Trust killer