Welcome to OWASP AppSec 2018 USA. We look forward to seeing you in San Jose, CA.
Monday, October 8 • 9:00am - Tuesday, October 9 • 5:00pm
2-day training: Mobile Security Testing Guide - Hands on FULL

Limited Capacity full

Course Abstract:

Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS), and provides a baseline for complete and consistent security tests.

The proposed training is based on the Mobile Security Testing Guide (MSTG) and will offer hands-on exercises in the form of different iOS and Android apps. They will demonstrate bad practices and current security best practices to avoid vulnerabilities and flaws within mobile apps.

The goal of this course is to learn the technical skills to execute a penetration test against iOS and Android mobile applications and utilise the Mobile Security Testing Guide (MSTG) as a baseline and comprehensive methodology during mobile security assessments.

Training Syllabus:
- iOS and Android security fundamentals
- Mobile Security Testing Environment Setup
- Overview of Mobile security vulnerabilities
- Hands-on testing on iOS and Android Apps
- Security best practices to mitigate Mobile security vulnerabilities
- Alternative iOS App testing without a jailbroken device
- Reverse Engineering of iOS and Android Apps

Key areas of training:
- Static and Dynamic Analysis of iOS and Android Apps
- Local Data Storage
- Communication with Trusted Endpoints
- Authentication and Authorization
- Client-side Security control bypass
- Advanced dynamic instrumentation use cases

The following prerequisites need to be fulfilled by the participants in order to be able to execute and follow all exercises:

- Laptop (> 4 GB RAM, 20 GB of free disk space, working Wi-Fi) with administrative access
- Docker
- Latest Android Studio and SDK
- Burp Suite Community Edition (Professional not needed)
- An iOS device with at least iOS 9.0 (without jailbreak) is needed and must be brought by the participant; it will not be provided by the trainer.

Jinkun Ong

Senior Consultant, Vantage Point Security Pte Ltd
Jinkun is a security enthusiast with years of penetration testing experience and has conducted numerous web, mobile, and source code review assessments. He is currently a Senior Consultant for Vantage Point in Singapore. Besides holding a variety of widely recognized professional...

Sven Schleier

Managing Principal, Vantage Point Security Pte Ltd
Sven is an application security expert with over 8 years of hands-on experience in web and mobile penetration testing, network penetration testing and source code review, and is leading the penetration testing team for Vantage Point in Singapore. He is an experienced Security Architect...

Monday October 8, 2018 9:00am - Tuesday October 9, 2018 5:00pm PDT