SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules




Must-have skills in any penetration tester's arsenal.

MASPT at a glance:
- 10 highly practical modules
- 4 hours of video material
- 1200+ interactive slides
- 20 Applications to practice with
- Leads to eMAPT certification
- Most practical and up-to-date course on Mobile Application Security and Penetration testing
- Covers Mobile OSs Security Mechanisms and Implementations
- Exposes Android and iOS vulnerabilities in-depth

MOBILE APPLICATION SECURITY AND PENETRATION TESTING SYLLABUS v1.0 (28/01/2014)

For Penetration testers, Forensers and Mobile app developers

eLearnSecurity has been chosen by students in 120 countries in the world and by leading organizations such as:

Course description:

Mobile Application Security and Penetration Testing (MASPT) is the online training course on Mobile Application Security that gives penetration testers and IT Security professionals the practical skills necessary to understand technical threats and attack vectors targeting mobile devices. The course will walk you through the process of identifying security issues on Android and iOS Applications, using a wide variety of techniques including Reverse Engineering, Static/Dynamic/Runtime and Network analysis.

The student will learn how to code simple iOS and Android applications step by step. These will be necessary to fully understand mobile application security and to build real-world PoCs and exploits. Moreover, a number of vulnerable mobile applications, included in the training course, will give the student the chance to practice and learn things by actually doing them: from decrypting and disassembling applications, to writing fully working exploits and malicious applications.

Who should take this course and Pre-requisites:

The MASPT training course benefits the career of Penetration Testers and IT security personnel in charge of defending their organization's applications and data. We also believe this course will be interesting and entertaining for developers who want to know more about security mechanisms and features implemented in mobile OSs such as Android and iOS.

Although the course uses and explains several snippets of iOS and Android application source code, strong programming skills are not required. Basic mobile application development skills are provided within the training course.

NOTE: In order to go through some of the techniques explained in the iOS related modules, physical devices such as iPod, iPhone, iPad might be necessary. Unlike iOS, the Android related modules do not require the possession of an Android device: Android SDK provides all the necessary tools for both Windows and *Nix systems.

Who should not take this training course:

This course is probably not for you if you are looking for something that:
- Teaches you how to jailbreak or root iOS/Android devices
- Will give you a certification without any effort
- You can memorize to pass a multiple-choice test
- Will not make you think

How am I going to learn this?

eLearnSecurity courses are very interactive and addictive. During this training course you will have to deal with several guided challenges, so knowledge and fun are guaranteed. Just don't expect the outdated way of learning by reading pages and pages of theoretical methodologies.

NO BORING THEORIES ABOUT THE UNIVERSE

This course is practical and entertaining. We show you how attacks work in practice, with real examples and labs that reflect real-world application vulnerabilities.

Can I track my learning progress? Or will I only find out during the exam if I actually learned something?

The answer to these questions is very simple. Your achievements will tell. During the study of the training course you will find several labs to practice with. You will solve these together with us, while we explain all the necessary concepts to you. Then you are free to practice as long as you want on these experiments. If you can solve a challenge, you know that you learned and understood the concepts behind it properly.

Is there a final examination?

Yes. The final exam consists of a hands-on challenge in which the student has to prove the skills acquired during the training course. The student will be provided with a real-world scenario of two Android applications to analyze and pentest. The final deliverable will be a working and reproducible proof of concept that will be reviewed by the training course instructor.

Will I get a certificate?

Once you pass the final exam, you will be awarded the eMAPT "eLearnSecurity Mobile Application Penetration Tester" certification. You can print your shiny new certificate directly or have it shipped to you internationally.

Organization of Contents

The student is provided with a suggested learning path to ensure the maximum success rate and the minimum effort.

- Module 1: Mobile Devices Overview
- Module 2: Mobile OS Architectures & Security Models
- Module 3: Android: Setting up a test environment
- Module 4: iOS: Setting up a test environment
- Module 5: Android: Reverse Engineering & Static Analysis
- Module 6: iOS: Reverse Engineering & Static Analysis
- Module 7: Android: Dynamic/Runtime Analysis
- Module 8: iOS: Dynamic/Runtime Analysis
- Module 9: Android: Network Analysis
- Module 10: iOS: Network Analysis

Module 1: Mobile Devices Overview

In this module we will see which mobile platforms are the most widely used and why mobile security is so critical nowadays. We will enumerate the most important mobile threats and provide a taxonomy useful to fully understand the rest of the training course.

1.1. Mobile Platforms
1.1.1. Android
1.1.2. iOS
1.2. Why Mobile Security
1.3. Taxonomy of Security Threats
1.3.1. OWASP Top 10 Mobile Risks
1.3.2. Physical Security
1.3.3. Poor Keyboards
1.3.4. User Profiles
1.3.5. Web Browsing
1.3.6. Malwares
1.3.6.1. Malware History
1.3.6.2. Malware Spreading
1.3.7. Patching and Updating

Module 2: Mobile OS Architectures & Security Models

The second module covers in great detail all the security features and mechanisms implemented in the two most important mobile Operating Systems: Android and iOS.

2.1. Android
2.1.1. Android Architecture
2.1.2. Android Security Models
2.1.2.1. Privilege Separation and Sandboxing
2.1.2.2. File System Isolation
2.1.2.3. Storage and Database Isolation
2.1.2.4. Application Signing
2.1.2.5. Permission Model
2.1.2.6. Memory Management Security Enhancement
2.1.2.7. Components
2.1.2.8. Google Bouncer
2.1.3. Rooting Devices
2.2. iOS
2.2.1. iOS Architecture
2.2.2. iOS Security Models
2.2.2.1. Privilege Separation
2.2.2.2. Sandbox
2.2.2.3. Code Signing
2.2.2.4. Keychain and Encryption
2.2.2.5. DEP/ASLR
2.2.2.6. Reduced OS
2.2.2.7. Security iOS Overview
2.2.3. Jailbreaking Devices

Module 3: Android - Setting up a Test Environment

In this module the student will learn how to create and configure the local environment for the Android SDK and all the Android related tools. An in-depth coverage of how to create and interact with Android Emulated and Actual Devices will help the student build the strong foundations necessary to understand attacks and techniques covered in the following modules.

3.1. Android SDK
3.1.1. Windows OS
3.1.2. Linux OS
3.2. Eclipse IDE
3.3. AVD and Actual Devices
3.3.1. Start AVD
3.3.2. Edit Virtual Devices Definitions
3.3.3. Create New Virtual Device
3.3.4. Run and Interact with Virtual Devices
3.3.5. Improve Virtual Devices Performance
3.3.6. Connect Actual Devices via USB
3.4. Interact with the Devices
3.4.1. Android Debug Bridge
3.4.1.1. List Devices
3.4.1.2. Gather Device Information
3.4.1.3. ADB Shell
3.4.1.4. Browse the Device
3.4.1.5. Read Databases
3.4.1.6. Move Files from/to the Device
3.4.1.7. Sqlite3
3.4.1.8. DDMS File Explorer
3.4.1.9. Mount Device Disk
3.4.1.10. Install / Uninstall Application with gdb
3.4.2. Install and Run Custom Application
3.4.3. BusyBox
3.4.4. SSH
3.4.5. VNC

Module 4: iOS - Setting up a Test Environment

This module focuses on how to configure the Mac OS environment to work with simulated and actual iDevices. The student will learn how to interact with the device, write iOS applications, install and run them on emulated and actual devices as well as use tools to access and inspect data and files stored on the device.

4.1. iOS SDK
4.1.1. Xcode IDE
4.1.2. iOS Simulator
4.1.3. Writing an iOS App
4.2. iOS Simulator and Xcode Limitations
4.3. File System and Device Interaction
4.3.1. Directory Structure
4.3.2. Plist Files
4.3.3. Databases
4.3.4. Logs and Cache Files
4.3.5. Browse Application Files and Folders
4.3.5.1. Plist
4.3.5.2. Databases
4.3.5.3. Library and Caches
4.3.5.4. Cookies.binarycookies
4.3.6. Extract Files from Devices
4.3.7. Snapshots
4.3.8. Export Installed Apps
4.3.9. Install Applications
4.3.10. SSH Access
4.3.11. Xcode Organizer
4.4. Backups
4.5. Interact with Jailbroken Devices
4.5.1. SSH Access
4.5.1.1. Windows OS
4.5.1.2. Mac/Linux OS
4.5.1.3. SSH via cable (USB)
4.5.1.4. BigBoss Recommended Tools
4.5.2. SFTP (FTP via SSH)
4.5.3. Explorer Software
4.5.4. VNC
4.5.5. Run Apps without Developer Account
4.5.5.1. Don't code sign
4.5.5.2. Self-Signed Certificate
4.5.5.3. Create and Run Custom Apps
4.5.5.4. From .app to .ipa
4.5.6. Edit Existing Application Files
4.5.7. Keychain Dumper

Module 5: Android - Reverse Engineering and Static Analysis

In the beginning, the student will learn how Android applications are built and packaged in order to effectively reverse engineer them. Moreover, the student will be exposed to techniques and tools used for binary decompiling, reading the application source code and gathering hardcoded information.

5.1. Decompiling and Disassembling .apk files
5.2. Smali
5.3. Decompile .apk to .jar files
5.4. From .jar to Source Code
5.5. Decompiling/Disassembling Overview
5.6. Labs
5.6.1. Locating Secrets
5.6.2. Bypassing Security Controls
5.7. Patching Binaries

Module 6: iOS - Reverse Engineering and Static Analysis

During this module the student will go through the process of decompiling iOS applications. Several tools will be used to access and inspect information contained in the application binaries.

6.1. .ipa and .app files
6.2. Plist
6.3. Decompiling iOS Apps: Otools
6.4. Decompiling iOS Apps: class-dump
6.5. Decompiling iOS Apps: IDA
6.6. LAB
6.6.1. Locating Information
6.7. Patching iOS Apps Simulator

Module 7: Android - Dynamic / Runtime Analysis

During this module the student will learn how to access runtime information on Android devices. Memory analysis techniques will be covered through the use of different tools for different purposes. The student will learn how to subvert the normal execution flow of an application to access restricted information, data and areas. At the end of this highly practical module, the student will be able to bypass security controls and write exploit applications targeting implementations of Android IPC mechanisms.

7.1. Debugging
7.2. LogCat
7.3. DDMS
7.4. Memory Analysis
7.4.1. DDMS
7.4.2. HPROF
7.4.3. Strings
7.4.4. Inspect HPROF Dump
7.4.5. MAT
7.5. IPC Mechanisms and App Components
7.5.1. Intents
7.5.2. Android Tools
7.5.2.1. Monkey
7.5.2.2. Activity Manager
7.5.2.3. LAB: Bypass Security Checks
7.5.3. Content Providers
7.5.3.1. Example #1
7.5.3.2. Example #2
7.5.3.3. Example #3
7.5.3.4. Query a Content Provider
7.5.3.5. Find the Correct URI
7.5.3.5.1. LAB: Content Providers Leakage
7.5.3.6. SQL Injection
7.5.3.6.1. LAB: SQL injection
7.5.3.7. Directory Traversal
7.5.4. SharedUID

Module 8: iOS - Dynamic/Runtime Analysis

During this module the student will become familiar with the most important tools and techniques for dynamic analysis and runtime manipulation on iDevices. The aim of this module is to teach the student how applications can be decrypted at runtime as well as how they can be manipulated in order to force the application to run or display restricted areas. The student will be guided step by step through the exploitation process of real-world iOS applications, provided within the module. By using advanced debugging techniques and tools, the student will learn how to bypass security controls implemented within the target application.

8.1. Manually Decrypt Applications Binaries
8.1.1. GDB
8.1.2. Ldid
8.1.3. Identify ASLR/PIE
8.1.4. Calculating Area to Dump
8.1.5. Attach GDB and Dump the Area
8.1.6. Merge the Dump
8.1.7. Edit cryptid values
8.1.7.1. MachOView
8.1.8. Debug/Run the App
8.2. Decrypt Applications Binaries: Clutch
8.3. Runtime Manipulation
8.3.1. Cycript
8.3.1.1. Install Cycript
8.3.1.2. Attach Cycript to a Process
8.3.1.3. Interact with Cycript
8.3.1.4. Pop up an Alert at runtime
8.3.1.5. Bypass the Lock Screen
8.3.1.6. Attack Custom Apps: LogMeIn
8.3.1.7. Attack Custom Apps: LogMeIn2
8.4. GDB
8.4.1. Objc_msgSend
8.4.2. ARMv6 Processor Registers
8.4.3. Runtime Analysis with GDB
8.4.4. Attack Applications with GDB

Module 9: Android Network Analysis

This module focuses on specific configurations that allow a user to intercept and sniff all the Android device communications. The student will learn how to analyze and manipulate the traffic that goes through the Android device.

9.1. Traffic Sniffing
9.2. Proxying Emulators and Actual Devices
9.3. Intercept Application and SSL Traffic
9.3.1. Intercept with Rooted Device and ProxyDroid
9.4. Traffic Manipulation

Module 10: iOS Network Analysis

This module focuses on specific configurations that allow a user to intercept and sniff all the iOS device communications. The student will learn how to analyze and manipulate the traffic that goes through the iOS device.

10.1. Traffic Sniffing
10.2. Proxying Simulators and Actual Devices
10.3. Proxying and Intercepting SSL Traffic: Charles
10.4. Proxying and Intercepting SSL Traffic: Burp
10.5. SSL Traffic on Actual Devices
10.5.1. Charles
10.5.2. Burp

About eLearnSecurity

A leading innovator in the field of practical, hands-on IT security training.

Based in Pisa (Italy), Dubai (UAE) and in San Jose (USA), eLearnSecurity is a leading provider of IT security and penetration testing courses including certifications for IT professionals. eLearnSecurity's mission is to advance the career of IT security professionals by providing affordable and comprehensive education and certification. All eLearnSecurity courses utilize engaging eLearning and the most effective mix of theory, practice and methodology in IT security - all with real-world lessons that students can immediately apply to build relevant skills and keep their organization's data and systems safe.

eLearnSecurity 2014
Via Matteucci 36/38
56124 Pisa, Italy