$1,000

Mobile Security Testing Guide Hands-On - iOS Edition

Event Information

Date and Time

Location

National Convention Centre Canberra

31 Constitution Avenue

Canberra, ACT 2601

Australia

Refund Policy

Contact the organiser to request a refund.

Eventbrite's fee is nonrefundable.

About this Event

This course teaches you how to analyse an iOS app for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. The instructors will share their experiences and many small tips and tricks for attacking mobile apps.

At the beginning of the course we give an overview of the iOS platform and its security architecture (hardware security, code signing, sandbox, Secure Boot, Secure Enclave etc.). After explaining what an IPA container is and how the iOS file system is structured, we set up an iOS testing environment and take a deep dive into various topics and techniques, including:

  • Analysing iOS applications that use non-HTTP traffic
  • Frida crash course to kick-start dynamic instrumentation of iOS apps
  • Bypassing SSL pinning with SSL Kill Switch and Objection
  • Evaluating different implementations of Touch ID / Face ID and ways to bypass them
  • Testing methodology without a jailbroken device by repackaging an IPA with the Frida Gadget
  • Testing stateless authentication mechanisms such as JWT in an iOS application
  • Using Frida for runtime instrumentation of iOS apps to bypass:
    - anti-jailbreaking mechanisms
    - Frida detection mechanisms
    - other client-side security controls

At the end of the course, small groups will be formed and given time to investigate an app with the newly learned skills. Every team is then encouraged to give a short presentation about the vulnerability they analysed.

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in iOS apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and the OWASP Mobile Application Security Verification Standard (MASVS) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive, open-source guide to mobile security testing for both iOS and Android.

Participants need to meet the following prerequisites in order to follow all exercises:

  • MacBook (needed for the iOS exercises) with at least 8 GB RAM, 20 GB of free disk space and working Wi-Fi
  • Full administrative access, in case of any issues with the environment
  • Jailbroken iOS device running at least iOS 11, to follow all exercises

Instructor Bio:

Sven Schleier, LinkedIn: https://www.linkedin.com/in/sven-schleier-98259194/

Blurb: Sven has worked at large consulting companies and small boutique firms in Germany and Singapore, specialising in application security, and has supported and guided software development projects for mobile and web applications throughout the whole SDLC. Besides his day job, Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and the OWASP Mobile Application Security Verification Standard, and he created the OWASP Mobile Hacking Playground. Sven gives talks and workshops on mobile and web application security worldwide to audiences ranging from developers to students and penetration testers.
