Mobile Security Testing Guide Hands-On - Android Edition

Event Information

Location

National Convention Centre Canberra

31 Constitution Avenue

Canberra, ACT 2601

Australia

Refund Policy

Contact the organiser to request a refund.

Eventbrite's fee is nonrefundable.

About this Event

This course teaches you how to analyse an Android app for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. The instructors will share their experiences and many small tips and tricks to attack mobile apps.

At the beginning of the course we start by giving an overview of the Android platform and its security architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualised Android device will be provided for each student. These are some of the topics that will be covered during the course:

  • Frida crash course to kick-start dynamic instrumentation on Android apps
  • Function hooking in a hybrid app framework (Flutter) to reverse engineer a custom Keystore implementation and bypass SSL pinning
  • Identifying and exploiting a real-world deeplink vulnerability
  • Application repackaging to defeat Network Security Configuration
  • Usage of dynamic instrumentation with Frida to:
    - break end-to-end encryption (Frida/Brida)
    - bypass Frida detection mechanisms
    - bypass multiple root detection mechanisms

At the end of the day small groups will be created (2-3 students) and time will be given to investigate an app with the newly learned skills. Every team is then encouraged to make a short presentation about the analysed vulnerability.

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in Android apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of its authors. The OWASP MSTG is a comprehensive, open-source guide to mobile security testing for both iOS and Android.

The following prerequisites need to be fulfilled by the participants in order to be able to follow all exercises:

  • Laptop (Windows/macOS) with at least 8 GB RAM, 20 GB of free disk space and working Wi-Fi
  • Full administrative access, in case of any issues with the environment
  • VirtualBox installed

An Android hardware device is not needed by the participants and will also not be provided. The Android hands-on exercises of the training will instead be executed in a cloud-based virtualised environment that allows attendees to access a rooted Android device during the training. One Android instance will be provided for each participant.

Instructor Bio:

Sven Schleier, LinkedIn: https://www.linkedin.com/in/sven-schleier-98259194/

Blurb: Sven made several stops at large consulting companies and small boutique firms in Germany and Singapore, became specialised in application security, and has supported and guided software development projects for mobile and web applications throughout the whole SDLC. Besides his day job, Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and the OWASP Mobile Application Security Verification Standard, and has created the OWASP Mobile Hacking Playground. Sven gives talks and workshops about mobile and web application security worldwide to audiences ranging from developers to students and penetration testers.
