Course Abstract:


Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS), and provides a baseline for complete and consistent security tests.

 The proposed training is based on the Mobile Security Testing Guide (MSTG) and will offer hands-on exercises in the form of different iOS and Android Apps. They will demonstrate bad practices and current security best practices to avoid vulnerabilities and flaws within mobile Apps.

The goal of this course is to learn
 the technical skills to execute a penetration test against iOS and Android mobile applications and utilise the Mobile Security Testing Guide (MSTG) as a baseline and comprehensive methodology during mobile security assessments.

Training Syllabus:
- iOS and Android security fundamentals
- Mobile Security Testing Environment Setup
- Overview of Mobile security vulnerabilities
- Hands-on testing on iOS and Android Apps
- Security best practices to mitigate Mobile security vulnerabilities
- Alternative iOS App testing without a jailbroken device

- Reverse Engineering of iOS and Android Apps

Key areas of training:
- Static and Dynamic Analysis of iOS and Android Apps
- Local Data Storage

- Communication with Trusted Endpoints

- Authentication and Authorization

- Client-side Security control bypass
- Advanced dynamic instrumentation use cases


The following prerequisites need to be fulfilled by the participants in order to be able to execute and follow all exercises:


- Laptop (> 4 GB Ram, 20GB of free disk space, working Wifi) with administrative access

- Docker
- Latest Android Studio and SDK

- Burp Suite Community Edition (Professional not needed)


- An iOS device with at least iOS 9.0 (without jailbreak) is needed and need to be brought by the participant, this will not be provided by the trainer.