Mobile Security Testing Guide Hands-On: Android Edition

One-Day Interactive Training - OWASP New Zealand Day 2020

Abstract

How do I bypass SSL Pinning on a Flutter app, and what can I do with Frida when testing on a non-jailbroken device? All of this, and more, will be covered in this fast-paced one-day course. Students will have lots of hands-on time to exploit vulnerabilities in apps created by the trainer.

The course is designed for beginners, but is also useful for intermediate students already familiar with testing mobile apps. Hands-on exercises are usually presented in two versions - ‘skid’ and ‘leet’ - to provide challenges for either skill level.

Overview

This course teaches you how to analyse an Android app for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. The instructors will share their experiences and many small tips and tricks for attacking mobile apps.

At the beginning of the course we start by giving an overview of the Android Platform and its Security Architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualised Android device will be provided for each student. These are some of the topics that will be covered during the course:

At the end of the day, small groups will be created (2-3 students) and time will be given to investigate an app with the newly learned skills. Every team is then encouraged to make a short presentation about the analysed vulnerability.

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in Android apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of its authors. The OWASP MSTG is a comprehensive, open-source guide to mobile security testing for both iOS and Android.

Target Audience

Students who have mobile application development and application penetration testing experience enjoyed and benefited the most from the course. The following are common backgrounds we have seen in previous classes:

Course Details

Dates: Wednesday, 19 February 2020

Time: 8:45 a.m. to 5:30 p.m.

Course Fee: NZ $625.00 (plus EventBrite fees)

Registration Site: https://owaspnz2020-training.eventbrite.com

Prerequisite Skills:

Attendees Should Bring:

An Android hardware device is not needed by the participants and will also not be provided. The Android hands-on exercises of the training will instead be executed in a cloud-based virtualised environment that allows attendees to access a rooted Android device during the training. One Android instance will be provided for each participant.

The following technical prerequisites need to be fulfilled by participants in order to be able to execute and follow all exercises:

Attendees Will Be Provided:

Instructor: Sven Schleier, Seven Consulting

Course Objectives

Key take-aways for attendees include:

Course Outline

Your Instructor

Sven Schleier - Sven made several stops at big consulting companies and small boutique firms in Germany and Singapore, became specialised in Application Security, and has supported and guided software development projects for Mobile and Web Applications throughout the whole SDLC. Besides his day job, Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and the OWASP Mobile Application Security Verification Standard, and has created the OWASP Mobile Hacking Playground. Sven gives talks and workshops about Mobile and Web Application Security worldwide to different audiences, ranging from developers to students and penetration testers.