Mobile Adversary Exploitation Breakout
Two-Day Interactive (Classroom) Training - OWASP New Zealand Day 2026
Course Details
Dates: Tuesday and Wednesday, 1-2 September 2026
Time: 8:45 a.m. to 5:30 p.m. (NZST)
Training Level: Intermediate
Instructor: Blessen Thomas
Course Fee: NZ $900.00 (plus GST and ticketing fees)
Registration Site: https://events.humanitix.com/owaspnz2026-training
Course Description
Every day, new mobile applications are published on the app stores: games, utilities, clients for IoT devices, and so on. Almost every aspect of our lives can now be controlled with “an app”, from hailing a cab ride to buying groceries. We have smart houses, smart fitness devices, and smart coffee machines… but are they just smart, or are they secure as well?
The Mobile Adversary Exploitation Breakout training will enable attendees to master a range of mobile application penetration testing techniques and exploitation methods. With the rise of IoT devices, we have included a methodology and case studies for penetration testing IoT smart watch and wearable applications (Android Wear and Apple Watch).
The training focuses on practical, hands-on exercises against several dedicated vulnerable apps, with the basic theory explained before each mind-bending Do-It-Yourself exercise, so that attendees can test their newly acquired skills during the training. Both attack and defence techniques will be taught.
This two-day, fast-paced, action-packed, brain-melting, revamped and custom-tailored flagship training program covers subjects ranging from setting up an Android pentest environment and identifying and exploiting application vulnerabilities in a variety of mobile application architectures, to changes in the Android 16 (Baklava) security features, and complementary subjects.
The training will mainly focus on Android applications. However, many of the techniques apply to iOS applications as well.
This training ensures true end-to-end testing by covering comprehensive complementary subjects, including Mobile Red Teaming, API and cloud security, back-end infrastructure, and web server testing. Attendees will also assess non-native and hybrid architectures (Kotlin, Flutter, HTML5, React Native, Progressive Web Apps (PWA), and .NET), as well as modern CI/CD pipeline security and embedded application testing.
Learning Outcomes
- Understand Android architecture, the security sandbox, and IPC model
- Perform manual and automated static analysis of APKs
- Intercept, analyse, and manipulate HTTPS traffic via Burp Suite
- Use Frida and objection for runtime instrumentation and bypass techniques
- Exploit common vulnerabilities: insecure storage, exported components, SQL injection, deeplink abuse
- Use MobSF for automated scanning and interpret results critically
- Apply OWASP MASVS as an assessment framework
- Produce findings in a structured pentest report format
What You’ll Receive
- PDF presentation materials (more than 400 pages), with all the slides and whitepapers
- Custom modified VM image containing all the latest off-the-shelf tools, runtimes, target apps, scripts, fuzzing payloads, etc.
- Vulnerable apps for iOS and Android, tools, etc.
Student Prerequisites
Familiarity with the following topics is helpful, but not mandatory:
- Common security concepts or common web security issues
- Basic knowledge of the Linux OS and network security basics
Student Laptop Hardware/Software Requirements
A working personal laptop (no netbooks, Chromebooks, tablets, or corporate laptops, due to the restrictions typically enabled on them) running Windows 11 64-bit, macOS (MacBook), or a Debian-based Linux as the host operating system.
- Minimum 100 GB free hard disk space; 16 GB RAM preferred
- i5/i7/M1 processor or equivalent
- Genymotion free version installed (https://www.genymotion.com/#!/)
- Latest VirtualBox installed (https://www.virtualbox.org/), including the “VirtualBox Extension Pack”
- Intel/AMD hardware virtualization enabled in the operating system
- Android SDK installed
- Laptop with antivirus and firewall disabled
- Attendees must have administrator privileges
- Virtualization technology (VT) enabled in the BIOS. If VT is disabled, you will need the BIOS password to enable it.
Windows/Linux Users: Please install the latest version of a standard Type-2 hypervisor (VirtualBox recommended).
Apple Silicon (M1-M4) Users: Due to architecture differences, users must have VMware Fusion or UTM installed for stable ARM emulation.
- USB sticks for the VMs will be provided on site.
- Working USB port with file transfer permitted, and Wi-Fi enabled
- No VPN installed.
- System must have: Ability to connect to wireless and wired networks & ability to read PDF files
- Update to the latest display drivers.
Detailed Topic Outline
Day 1 - Foundations, Reverse Engineering, and Static Analysis
Module 1 - Android Architecture and Security model
- Android Security Architecture
- Permission Model
- Attack Surface Overview
Module 2 - Lab Environment and Toolchain Setup
- Android Debug Bridge (adb) fundamentals: shell, push/pull, logcat, port-forward
- Creating a rootable AVD: API level selection, Google APIs vs AOSP
- Installing Frida server on AVD — x86_64 and arm64 methods
- Verifying Burp proxy connectivity through emulator
- Deploying vulnerable apps
- MobSF quick verification — upload APK and confirm output
Module 3 - APK Reverse Engineering and Static Analysis
- APK File Format
- AndroidManifest.xml Audit
- Decompilation to Java and Smali
- Lab 1: Static Analysis
- Lab 2: MobSF Automated Scan
Module 4 - Insecure Data Storage
- Storage Locations and Security Model
- Vulnerability Classes
- Lab 3: Insecure Data Storage Extraction
Day 2 - Dynamic Analysis, Network Interception, and Advanced Exploitation
Module 5 - Network Interception and SSL Pinning Bypass
- Setting Up Burp Suite as MitM Proxy
- SSL Pinning - Detection and Bypass
- Lab 4: Burp MitM and SSL Pinning Bypass
Module 6 - Runtime Instrumentation - Frida and objection
- Frida Architecture
- Frida Scripting
- objection - Frida-Powered CLI
- Root Detection Bypass
- Lab 5: Runtime Manipulation with Frida and objection
Module 7 - IPC Exploitation: Intents, Components, and Content Providers
- Android IPC Model
- Exported Component Exploitation
- Content Provider Attacks
- WebView Vulnerabilities
- Lab 6: IPC Exploitation with drozer and adb
Module 8 - Mobile Backend Infrastructure, API, and Cloud Pentesting (Brief)
- OWASP API Top 10 - Mobile Context
- Practical API Testing Workflow
- Securing the Android and iOS Ecosystem
- Backend Recon
- Cross-Platform and Non-JVM Auditing
- Android Malware Analysis and Forensics
- Pentesting Android Apps in Non-rooted Devices
- Pentesting Backend Webservers
- Mobile Backend Cloud Pentesting
- IoT Smart Watch, Wearable Application, and Product Security Penetration Testing
- Embedded Application Pentesting
- Mobile Red Teaming and Offensive Operations
- Lab 7: Mini-CTF - Vulnerable APK
Wrap Up and Next Steps
- Assessment Framework Checklist
- Reporting Tips
- Resources for Future Learning
Your Instructor
Blessen Thomas - Biography to be provided