Mobile Security Testing Guide Hands-On: iOS Edition

One-Day Interactive Training - OWASP New Zealand Day 2020

Abstract

How do I bypass SSL pinning in a Flutter app, and what can I do with Frida when testing on a non-jailbroken device? All of this, and more, will be covered in this fast-paced one-day course. Students will have plenty of hands-on time exploiting vulnerabilities in apps created by the trainer.

The course is designed for beginners, but is also useful for intermediate students already familiar with testing mobile apps. Hands-on exercises are usually presented in two versions - ‘skid’ and ‘leet’ - to provide challenges for either skill level.

Overview

This course teaches you how to analyse an iOS app for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. The instructor will share his experiences and many small tips and tricks to attack mobile apps.

The course begins with an overview of the iOS platform and its security architecture (hardware security, code signing, the sandbox, Secure Boot, the Secure Enclave, etc.). After explaining what an IPA container is and how the iOS file system is structured, we set up an iOS testing environment and dive deeply into various topics and techniques, including:

At the end of the day, small groups will be created (2-3 students) and time will be given to investigate an app with the newly learned skills. Every team is then encouraged to make a short presentation about the analysed vulnerability.

After successfully completing this course, students will have a better understanding of how to test iOS apps for vulnerabilities, how to mitigate those vulnerabilities, and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and the OWASP Mobile Application Security Verification Standard (MASVS) and is conducted by one of their authors. The OWASP MSTG is a comprehensive, open-source guide to mobile security testing for both iOS and Android.

Target Audience

Students who have mobile application development and application penetration testing experience enjoyed and benefited the most from the course. The following are common backgrounds we have seen in previous classes:

Course Details

Date: Thursday, 20 February 2020

Time: 8:45 a.m. to 5:30 p.m.

Course Fee: NZ $625.00 (plus EventBrite fees)

Registration Site: https://owaspnz2020-training.eventbrite.com

Prerequisite Skills:

Attendees Should Bring:

You need to bring your own iOS device, with at least iOS 11, to complete all exercises.

The following technical prerequisites need to be fulfilled by participants in order to be able to execute and follow all exercises:

Attendees Will Be Provided:

Instructor: Sven Schleier, Seven Consulting

Course Objectives

Key take-aways for attendees include:

Course Outline

Your Instructor

Sven Schleier - Sven has worked at both large consulting companies and small boutique firms in Germany and Singapore, specialising in application security, and has supported and guided mobile and web application development projects throughout the whole SDLC. Besides his day job, Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and the OWASP Mobile Application Security Verification Standard, and he created the OWASP Mobile Hacking Playground. Sven gives talks and workshops on mobile and web application security worldwide to audiences ranging from developers to students and penetration testers.