SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules


Must-have skills in any penetration tester's arsenal.

MASPT at a glance:
- 10 highly practical modules
- 4 hours of video material
- Interactive slides
- 20 applications to practice with
- Leads to eMAPT certification
- Most practical and up-to-date course on Mobile Application Security and Penetration Testing
- Covers mobile OS security mechanisms and implementations
- Exposes Android and iOS vulnerabilities in depth

MOBILE APPLICATION SECURITY AND PENETRATION TESTING SYLLABUS v1.0 (28/01/2014)
For penetration testers, forensic analysts and mobile app developers

eLearnSecurity has been chosen by students in 120 countries in the world and by leading organizations such as:

Course description:

Mobile Application Security and Penetration Testing (MASPT) is the online training course on Mobile Application Security that gives penetration testers and IT security professionals the practical skills necessary to understand technical threats and attack vectors targeting mobile devices. The course will walk you through the process of identifying security issues in Android and iOS applications, using a wide variety of techniques including reverse engineering, static, dynamic, runtime and network analysis.

The student will learn how to code simple iOS and Android applications step by step. These are necessary to fully understand mobile application security and to build real-world PoCs and exploits. Moreover, a number of vulnerable mobile applications, included in the training course, will give the student the chance to practice and learn things by actually doing them: from decrypting and disassembling applications, to writing fully working exploits and malicious applications.

Who should take this course and pre-requisites:

The MASPT training course benefits the career of penetration testers and IT security personnel in charge of defending their organization's applications and data. We also believe this course will be interesting and entertaining for developers who want to know more about the security mechanisms and features implemented in mobile OSs such as Android and iOS.

Although the course uses and explains several snippets of iOS and Android application source code, strong programming skills are not required. Basic mobile application development skills are provided within the training course.

NOTE: In order to go through some of the techniques explained in the iOS-related modules, physical devices such as an iPod, iPhone or iPad might be necessary. Unlike iOS, the Android-related modules do not require the possession of an Android device: the Android SDK provides all the necessary tools for both Windows and *nix systems.

Who should not take this training course:

This course is probably not for you if you are looking for something that:
- Teaches you how to jailbreak or root iOS/Android devices
- Will give you a certification without any effort
- You can memorize to pass a multiple-choice test
- Will not make you think

How am I going to learn this?

eLearnSecurity courses are very interactive and addictive. During this training course you will have to deal with several guided challenges, so knowledge and fun are guaranteed. Just don't expect the outdated way of learning by reading pages and pages of theoretical methodologies.

NO BORING THEORIES ABOUT THE UNIVERSE

This course is practical and entertaining. We show you how attacks work in practice, with real examples and labs that reflect real-world application vulnerabilities.

Can I track my learning progress? Or will I only find out during the exam if I actually learned something?

The answer to these questions is very simple: your achievements will tell. During the study of the training course you will find several labs to practice with. You will solve these together with us, while we explain all the necessary concepts to you. Then you are free to practice as long as you want on these experiments. If you can solve a challenge, you know that you have learned and understood the concepts behind it properly.

Is there a final examination?

Yes. The final exam consists of a hands-on challenge in which the student has to prove the skills acquired during the training course. The student will be provided with a real-world scenario of two Android applications to analyze and pentest. The final deliverable will be a working and reproducible proof of concept that will be reviewed by the training course instructor.

Will I get a certificate?

Once you pass the final exam, you will be awarded the eMAPT "eLearnSecurity Mobile Application Penetration Tester" certification. You can print your shiny new certificate directly or have it shipped to you internationally.

Organization of Contents

The student is provided with a suggested learning path to ensure the maximum success rate and the minimum effort.

- Module 1: Mobile Devices Overview
- Module 2: Mobile OS Architectures & Security Models
- Module 3: Android: Setting up a Test Environment
- Module 4: iOS: Setting up a Test Environment
- Module 5: Android: Reverse Engineering & Static Analysis
- Module 6: iOS: Reverse Engineering & Static Analysis
- Module 7: Android: Dynamic/Runtime Analysis
- Module 8: iOS: Dynamic/Runtime Analysis
- Module 9: Android: Network Analysis
- Module 10: iOS: Network Analysis

Module 1: Mobile Devices Overview

In this module we will see which the most used mobile platforms are and why mobile security is so critical nowadays. We will enumerate the most important mobile threats and provide a taxonomy useful to fully understand the rest of the training course.

1.1. Mobile Platforms
  - Android
  - iOS
1.2. Why Mobile Security
1.3. Taxonomy of Security Threats
  - OWASP Top 10 Mobile Risks
  - Physical Security
  - Poor Keyboards
  - User Profiles
  - Web Browsing
  - Malware
    - Malware History
    - Malware Spreading
  - Patching and Updating

Module 2: Mobile OS Architectures & Security Models

The second module covers in great detail all the security features and mechanisms implemented in the two most important mobile operating systems: Android and iOS.

2.1. Android
  - Android Architecture
  - Android Security Models
    - Privilege Separation and Sandboxing
    - File System Isolation
    - Storage and Database Isolation
    - Application Signing
    - Permission Model
    - Memory Management Security Enhancement
    - Components
    - Google Bouncer
  - Rooting Devices
2.2. iOS
  - iOS Architecture
  - iOS Security Models
    - Privilege Separation
    - Sandbox
    - Code Signing
    - Keychain and Encryption
    - DEP/ASLR
    - Reduced OS
  - iOS Security Overview
  - Jailbreaking Devices

Module 3: Android - Setting up a Test Environment

In this module the student will learn how to create and configure the local environment for the Android SDK and all the Android-related tools. In-depth coverage of how to create and interact with Android emulated and actual devices will help the student build the strong foundations necessary to understand the attacks and techniques covered in the following modules.

3.1. Android SDK
  - Windows OS
  - Linux OS
3.2. Eclipse IDE
3.3. AVD and Actual Devices
  - Start AVD
  - Edit Virtual Device Definitions
  - Create New Virtual Device
  - Run and Interact with Virtual Devices
  - Improve Virtual Device Performance
  - Connect Actual Devices via USB
3.4. Interact with the Devices
  - Android Debug Bridge
    - List Devices
    - Gather Device Information
    - ADB Shell
    - Browse the Device
    - Read Databases
    - Move Files from/to the Device
  - SQLite
  - DDMS
    - File Explorer
  - Mount Device Disk
  - Install / Uninstall Application with adb
  - Install and Run Custom Application
  - BusyBox
  - SSH
  - VNC

Module 4: iOS - Setting up a Test Environment

This module focuses on how to configure the Mac OS environment to work with simulated and actual iDevices. The student will learn how to interact with the device, write iOS applications, install and run them on emulated and actual devices, and use tools to access and inspect data and files stored on the device.

4.1. iOS SDK
  - Xcode IDE
  - iOS Simulator
  - Writing an iOS App
4.2. iOS Simulator and Xcode Limitations
4.3. File System and Device Interaction
  - Directory Structure
    - Plist Files
    - Databases
    - Logs and Cache Files
  - Browse Application Files and Folders
    - Plist
    - Databases
    - Library and Caches
    - Cookies.binarycookies
  - Extract Files from Devices
    - Snapshots
    - Export Installed Apps
  - Install Applications
    - SSH Access
    - Xcode Organizer
4.4. Backups
4.5. Interact with Jailbroken Devices
  - SSH Access
    - Windows OS
    - Mac/Linux OS
    - SSH via cable (USB)
  - BigBoss Recommended Tools
  - SFTP (FTP via SSH)
    - Explorer Software
  - VNC
  - Run Apps without Developer Account
    - Don't code sign
    - Self-Signed Certificate
  - Create and Run Custom Apps
    - From .app to .ipa
  - Edit Existing Application Files
  - Keychain Dumper

Module 5: Android - Reverse Engineering and Static Analysis

In the beginning, the student will learn how Android applications are built and packaged in order to effectively reverse engineer them. Moreover, the student will be exposed to the techniques and tools used for decompiling binaries, reading the application source code and gathering hardcoded information.

5.1. Decompiling and Disassembling .apk files
5.2. Smali
5.3. Decompile .apk to .jar files
5.4. From .jar to Source Code
5.5. Decompiling/Disassembling Overview
5.6. Labs
  - Locating Secrets
  - Bypassing Security Controls
5.7. Patching Binaries

Module 6: iOS - Reverse Engineering and Static Analysis

During this module the student will go through the process of decompiling iOS applications. Several tools will be used to access and inspect the information contained in the application binaries.

6.1. .ipa and .app files
6.2. Plist
6.3. Decompiling iOS Apps: otool
6.4. Decompiling iOS Apps: class-dump
6.5. Decompiling iOS Apps: IDA
6.6. LAB: Locating Information
6.7. Patching iOS Apps (Simulator)

Module 7: Android - Dynamic / Runtime Analysis

During this module the student will learn how to access runtime information on Android devices. Memory analysis techniques will be covered through the use of different tools for different purposes. The student will learn how to subvert the normal execution flow of an application to access restricted information, data and areas. At the end of this highly practical module, the student will be able to bypass security controls and write exploit applications targeting implementations of Android IPC mechanisms.

7.1. Debugging
7.2. LogCat
7.3. DDMS
7.4. Memory Analysis
  - DDMS HPROF
  - Strings
  - Inspect HPROF Dump
  - MAT
7.5. IPC Mechanisms and App Components
  - Intents
    - Android Tools
      - Monkey
      - Activity Manager
    - LAB: Bypass Security Checks
  - Content Providers
    - Three worked examples
    - Query a Content Provider
    - Find the Correct URI
    - LAB: Content Providers Leakage
    - SQL Injection
    - LAB: SQL Injection
    - Directory Traversal
  - SharedUID

Module 8: iOS - Dynamic/Runtime Analysis

During this module the student will become familiar with the most important tools and techniques for dynamic analysis and runtime manipulation on iDevices. The aim of this module is to teach the student how applications can be decrypted at runtime, and how they can be manipulated in order to force the application to run or display restricted areas. The student will be guided step by step through the exploitation process of real-world iOS applications, provided within the module. By using advanced debugging techniques and tools, the student will learn how to bypass security controls implemented within the target application.

8.1. Manually Decrypt Application Binaries
  - GDB
  - ldid
  - Identify ASLR/PIE
  - Calculating Area to Dump
  - Attach GDB and Dump the Area
  - Merge the Dump
  - Edit cryptid values
    - MachOView
  - Debug/Run the App
8.2. Decrypt Application Binaries: Clutch
8.3. Runtime Manipulation
  - Cycript
    - Install Cycript
    - Attach Cycript to a Process
    - Interact with Cycript
    - Pop up an Alert at runtime
    - Bypass the Lock Screen
    - Attack Custom Apps: LogMeIn
  - GDB
    - Attack Custom Apps: LogMeIn
    - objc_msgSend
    - ARMv6 Processor Registers
    - Runtime Analysis with GDB
    - Attack Applications with GDB

Module 9: Android Network Analysis

This module focuses on the specific configurations that allow a user to intercept and sniff all of an Android device's communications. The student will learn how to analyze and manipulate the traffic that goes through the Android device.

9.1. Traffic Sniffing
9.2. Proxying Emulators and Actual Devices
9.3. Intercept Application and SSL Traffic
  - Intercept with Rooted Device and ProxyDroid
9.4. Traffic Manipulation

Module 10: iOS Network Analysis

This module focuses on the specific configurations that allow a user to intercept and sniff all of an iOS device's communications. The student will learn how to analyze and manipulate the traffic that goes through the iOS device.

10.1. Traffic Sniffing
10.2. Proxying Simulators and Actual Devices
10.3. Proxying and Intercepting SSL Traffic: Charles
10.4. Proxying and Intercepting SSL Traffic: Burp
10.5. SSL Traffic on Actual Devices
  - Charles
  - Burp

About eLearnSecurity

A leading innovator in the field of practical, hands-on IT security training. Based in Pisa (Italy), Dubai (UAE) and San Jose (USA), eLearnSecurity is a leading provider of IT security and penetration testing courses, including certifications for IT professionals. eLearnSecurity's mission is to advance the career of IT security professionals by providing affordable and comprehensive education and certification. All eLearnSecurity courses utilize engaging e-learning and the most effective mix of theory, practice and methodology in IT security, all with real-world lessons that students can immediately apply to build relevant skills and keep their organization's data and systems safe.

eLearnSecurity 2014, Via Matteucci 36/ Pisa, Italy


More information

Android Programming and Security

Android Programming and Security Android Programming and Security Dependable and Secure Systems Andrea Saracino andrea.saracino@iet.unipi.it Outlook (1) The Android Open Source Project Philosophy Players Outlook (2) Part I: Android System

More information

Practical Attacks against Mobile Device Management Solutions

Practical Attacks against Mobile Device Management Solutions Practical Attacks against Mobile Device Management Solutions Michael Shaulov, CEO michael@lacoon.com Daniel Brodie, Sr Security Researcher daniel@lacoon.com About: Daniel Security researcher for nearly

More information

The Incident Response Playbook for Android and ios

The Incident Response Playbook for Android and ios SESSION ID: AIR-W03R The Incident Response Playbook for Android and ios Andrew Hoog CEO and Co-founder NowSecure @ahoog42 @NowSecureMobile Andrew Hoog Author of three books Incident Response for Android

More information

Threat Modelling for Web Application Deployment. Ivan Ristic ivanr@webkreator.com (Thinking Stone)

Threat Modelling for Web Application Deployment. Ivan Ristic ivanr@webkreator.com (Thinking Stone) Threat Modelling for Web Application Deployment Ivan Ristic ivanr@webkreator.com (Thinking Stone) Talk Overview 1. Introducing Threat Modelling 2. Real-world Example 3. Questions Who Am I? Developer /

More information

Attack and Penetration Testing 101

Attack and Penetration Testing 101 Attack and Penetration Testing 101 Presented by Paul Petefish PaulPetefish@Solutionary.com July 15, 2009 Copyright 2000-2009, Solutionary, Inc. All rights reserved. Version 2.2 Agenda Penetration Testing

More information

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Today s bank customers can perform most of their financial activities online. According to a global survey

More information

Pentesting ios Apps Runtime Analysis and Manipulation. Andreas Kurtz

Pentesting ios Apps Runtime Analysis and Manipulation. Andreas Kurtz Pentesting ios Apps Runtime Analysis and Manipulation Andreas Kurtz About PhD candidate at the Security Research Group, Department of Computer Science, University of Erlangen-Nuremberg Security of mobile

More information

BYPASSING THE ios GATEKEEPER

BYPASSING THE ios GATEKEEPER BYPASSING THE ios GATEKEEPER AVI BASHAN Technology Leader Check Point Software Technologies, Ltd. OHAD BOBROV Director, Mobile Threat Prevention Check Point Software Technologies, Ltd. EXECUTIVE SUMMARY

More information

Network Test Labs (NTL) Software Testing Services for igaming

Network Test Labs (NTL) Software Testing Services for igaming Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs

More information

Security Intelligence Services. Cybersecurity training. www.kaspersky.com

Security Intelligence Services. Cybersecurity training. www.kaspersky.com Kaspersky Security Intelligence Services. Cybersecurity training www.kaspersky.com CYBERSECURITY TRAINING Leverage Kaspersky Lab s cybersecurity knowledge, experience and intelligence through these innovative

More information

BYOD: End-to-End Security

BYOD: End-to-End Security BYOD: End-to-End Security Alen Lo MBA(CUHK), BSc(HKU), CISA, CCP, CISSP, CISM, CEH IRCA Certified ISMS Lead Auditor, itsmf ISO 20000 Auditor Principal Consultant i-totalsecurity Consulting Limited alenlo@n2nsecurity.com

More information

Hello World. by Elliot Khazon

Hello World. by Elliot Khazon Hello World by Elliot Khazon Prerequisites JAVA SDK 1.5 or 1.6 Windows XP (32-bit) or Vista (32- or 64-bit) 1 + more Gig of memory 1.7 Ghz+ CPU Tools Eclipse IDE 3.4 or 3.5 SDK starter package Installation

More information

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

Learning Course Curriculum

Learning Course Curriculum Learning Course Curriculum Security Compass Training Learning Curriculum. Copyright 2012. Security Compass. 1 It has long been discussed that identifying and resolving software vulnerabilities at an early

More information

BYOD Guidance: BlackBerry Secure Work Space

BYOD Guidance: BlackBerry Secure Work Space GOV.UK Guidance BYOD Guidance: BlackBerry Secure Work Space Published 17 February 2015 Contents 1. About this guidance 2. Summary of key risks 3. Secure Work Space components 4. Technical assessment 5.

More information

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: Learn the various attacks like sql injections, cross site scripting, command execution

More information

Malware in ios and Android The Gathering Storm?

Malware in ios and Android The Gathering Storm? Malware in ios and Android The Gathering Storm? 2 Introduction About Me Security consultant Android and ios security testing Researcher in Android malware 3 Agenda Introduction to Mobile Malware Introduction

More information

Security testing in mobile applications. José Manuel Ortega Candel

Security testing in mobile applications. José Manuel Ortega Candel Security testing in mobile applications José Manuel Ortega Candel About me Ø Centers Technician at Everis Ø Computer engineer by Alicante University Ø Frontend and backend developer in Java/J2EE Ø Speaker

More information

Loophole+ with Ethical Hacking and Penetration Testing

Loophole+ with Ethical Hacking and Penetration Testing Loophole+ with Ethical Hacking and Penetration Testing Duration Lecture and Demonstration: 15 Hours Security Challenge: 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once said,

More information

Why you need. McAfee. Multi Acess PARTNER SERVICES

Why you need. McAfee. Multi Acess PARTNER SERVICES Why you need McAfee Multi Acess PARTNER SERVICES McAfee Multi Access is an online security app that protects all types of devices. All at once. The simple monthly subscription covers up to five devices

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

CYBERTRON NETWORK SOLUTIONS

CYBERTRON NETWORK SOLUTIONS CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified

More information

Penetration Test JSPLC. Contact: James, APS (CCNA, CEH) contactep105t@secure- mail.biz

Penetration Test JSPLC. Contact: James, APS (CCNA, CEH) contactep105t@secure- mail.biz Contact: James, APS (CCNA, CEH) contactep105t@secure- mail.biz Ok, so this isn t the typical way that a pen test report would start, but we might as well get straight in to it. I am a customer of Sainsbury

More information

imaginea white paper

imaginea white paper white paper Building Mobile Android Applications Even though Android was created for handsets, there is a great opportunity for developing other innovative devices on the Android platform with significant

More information

How to Install Applications (APK Files) on Your Android Phone

How to Install Applications (APK Files) on Your Android Phone How to Install Applications (APK Files) on Your Android Phone Overview An Android application is stored in an APK file (i.e., a file named by {Application Name}.apk). You must install the APK on your Android

More information

Mobile Security Framework

Mobile Security Framework Automated Mobile Application Security Testing with Mobile Security Framework Ajin Abraham About Me! Security Consultant @ Yodlee! Security Engineering @ IMMUNIO! Next Gen Runtime Application Self Protection

More information

Università Degli Studi di Parma. Distributed Systems Group. Android Development. Lecture 1 Android SDK & Development Environment. Marco Picone - 2012

Università Degli Studi di Parma. Distributed Systems Group. Android Development. Lecture 1 Android SDK & Development Environment. Marco Picone - 2012 Android Development Lecture 1 Android SDK & Development Environment Università Degli Studi di Parma Lecture Summary - 2 The Android Platform Android Environment Setup SDK Eclipse & ADT SDK Manager Android

More information

DiamondStream Data Security Policy Summary

DiamondStream Data Security Policy Summary DiamondStream Data Security Policy Summary Overview This document describes DiamondStream s standard security policy for accessing and interacting with proprietary and third-party client data. This covers

More information

Mobile Application Security Sharing Session May 2013

Mobile Application Security Sharing Session May 2013 Mobile Application Security Sharing Session Agenda Introduction of speakers Mobile Application Security Trends and Challenges 5 Key Focus Areas for an mobile application assessment 2 Introduction of speakers

More information

FORBIDDEN - Ethical Hacking Workshop Duration

FORBIDDEN - Ethical Hacking Workshop Duration Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

Smartphone Pentest Framework v0.1. User Guide

Smartphone Pentest Framework v0.1. User Guide Smartphone Pentest Framework v0.1 User Guide 1 Introduction: The Smartphone Pentest Framework (SPF) is an open source tool designed to allow users to assess the security posture of the smartphones deployed

More information

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London

More information

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0 SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN Final Version 1.0 Preconditions This security testing plan is dependent on the following preconditions:

More information

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s During the period between November 2012 and March 2013, Symantec Consulting Services partnered with Bomgar to assess the security

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

Kautilya: Teensy beyond shells

Kautilya: Teensy beyond shells Kautilya: Teensy beyond shells Kautilya Toolkit for Teensy device Nikhil Mittal 1 P a g e Contents Kautilya Toolkit for Teensy device... 1 Nikhil Mittal... 1 Abstract... 3 Attack Surface and Scenarios...

More information

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM Course Description This is the Information Security Training program. The Training provides you Penetration Testing in the various field of cyber world.

More information

WEB CONTENT MANAGEMENT SYSTEM

WEB CONTENT MANAGEMENT SYSTEM WEB CONTENT MANAGEMENT SYSTEM February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

2016 TÜBİTAK BİLGEM Cyber Security Institute

2016 TÜBİTAK BİLGEM Cyber Security Institute 2016 Revision 5.0 2016 TÜBİTAK BİLGEM Cyber Security Institute 1 ... 3 1. Information Security Awareness for End Users... 4 2. Information Security Awareness for Managers... 5 3. Social Engineering: Attack

More information

Penetration Testing in Romania

Penetration Testing in Romania Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum Agenda About penetration testing Examples Q & A 2 What is penetration testing? Method for evaluating the

More information

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

SECURITY TRENDS & VULNERABILITIES REVIEW 2015 SECURITY TRENDS & VULNERABILITIES REVIEW 2015 Contents 1. Introduction...3 2. Executive summary...4 3. Inputs...6 4. Statistics as of 2014. Comparative study of results obtained in 2013...7 4.1. Overall

More information