Web Banner
Back to Pre-Conference Training Page

Back to Conference Home Page

Mobile Security Testing Guide Hands-on

Two-Day Interactive (Online) Training - OWASP New Zealand Day 2022

Abstract

How to bypass SSL Pinning on a Flutter app or how to bypass FaceID on a non-jailbroken device? All of this - and more - will be covered in this two-day hands-on course. Students will have time to exploit real-world mobile apps and vulnerabilities in apps created by the trainers themselves.

Course Details

Dates: Tuesday and Wednesday, 5-6 July 2022

Time: 8:45 a.m. to 5:30 p.m. (NZDT)

Instructor: Sven Schleier, Co-Leader, OWASP MSTG Project

Course Fee: NZ $900.00 (plus GST and ticketing fees)

Registration Site: https://events.humanitix.com/owaspnz2022-training

Target Audiences

This course is developed for:

Course Description

Many people that are either protecting or attacking mobile apps, have a background in network and web application security, a quality that is valuable for mobile app security. Nevertheless, not everything can be mapped 1:1 to the mobile world. The impact of vulnerabilities we know from web applications will be different in the context of mobile apps. A reflected Cross-Site Scripting is pretty hard to exploit if there is no webview used in the app. Achieving a man-in-the-middle position between a mobile app and an API has additional hoops to jump through, like bypassing of SSL Pinning or reconfiguring the Network Security Configuration on Android.

At the beginning of the first day, we will cover all of these mobile security basics by going through the OWASP Mobile Security Testing Guide (MSTG) and the OWASP Mobile AppSec Verification Standard (MASVS), which builds the foundation for the course. We will then quickly start with Android, by giving an overview of the Android Platform and its security mechanisms. After spinning up the customized Android instance in the cloud and creating an environment for testing Android apps, we are covering different topics and techniques which will include:

On day two, we’ll focus on iOS and will begin with an overview of the iOS Platform and Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Security Enclave etc.). After explaining IPA container and the iOS file system structure we start creating an iOS testing environment and deep dive into various topics and techniques, including:

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the author himself. The OWASP MSTG is a comprehensive and open-source guide about mobile security testing for both iOS and Android. A physical copy of the latest MSTG release will be provided, which students will be able to keep and take home.

What You’ll Receive

What You’ll Need to Have

The following prerequisites need to be fulfilled by the students in order to be able to follow all exercises and fully participate:

An Android hardware device is not needed by the participants. The Android hands-on exercises of the training will instead be executed in a cloud-based virtualized environment that allows attendees to access a rooted Android device during the training. One Android instance will be provided for each participant.

An iOS device is also not needed, as an iOS emulator will be provided for each student that is hosted in Corellium. This is also a cloud-based environment that allows each student access to a jailbroken device during the training.

Course Topics

Day One: Android

Day Two: iOS

Your Instructor

Sven Schleier

Sven is the Technical Director of F-Secure Singapore and has hands-on experience in attacking and defending web and mobile apps for the last 10+ years. He became specialised in Application Security and has supported and guided software development projects for Mobile and Web Applications during the whole SDLC.

Besides his day job, since 2016, Sven has been one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS) and has created the OWASP Mobile Hacking Playground. Sven gives talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to students and penetration testers.