Offensive Mobile Reversing and Exploitation (iOS & Android) - 2023 Edition
Summary
- Fully updated for iOS 17 and Android 13
- Get 30 Days of Lab Access to our VMs
- Virtual Devices on iOS and Android using Corellium
- Get Certified as Mobile Security Expert
- Learn Reverse Engineering Mobile Apps from Scratch
- Learn Malware Reversing for iOS and Android
- Learn the internals of iOS and Android Kernel and their mitigations
- Learn Penetration Testing of iOS and Android apps
- Get an understanding of ARM64 architecture
- Learn Advanced Binary Instrumentation techniques using Frida
- Learn how to set up your own Mobile Research Environment
Detailed Description
After running sold-out trainings at multiple conferences over the last few years, we are back
with an updated version of our course which now covers ARM64, mobile browser security,
and detailed Mobile apps and operating system security. The class starts with a basic
introduction to the ARM instruction set and calling conventions followed by some reverse
engineering exercises. We then learn how to craft simple exploits for the ARM64
environment. Next, we move to Mobile browser security, understand some of the browser
mitigations deployed in Modern browsers. We then cover iOS and Android internals in
further detail. We then discuss some of the exploitation techniques using real-world
vulnerabilities followed by a walkthrough of how jailbreaks are written. We also discuss some
of the common vulnerability types (Heap Overflows, Use-after-free, Uninitialized Stack
variable, Race conditions).
The training then moves on to application security based on exploiting the Damn Vulnerable
iOS app, Android-InsecureBankv2, and InsecurePass application written by the authors of
this course in addition to a broad range of other real-world applications. We also cover a
variety of mitigations deployed in real-world apps and discuss how to bypass them.
Slides, videos, and detailed documentation on the labs will be provided to the students for
practice after the class. Corellium access will be provided to students during the duration of
the training course.
- Get an understanding of the ARM64 instruction set (including ARM 8.3)
- Understand the Browser Security mitigations on Mobile Devices
- Understand some common vulnerabilities in Mobile Browsers
- Learn the internals of iOS and Android Kernel along with several Kernel security mitigations
- Understand some of the latest bugs and mitigations (PAC, CoreTrust, PPL, etc)
- Get an intro to some common bug categories UaF, Heap overflow, etc
- Understand how jailbreaks and exploits are written
- Reverse engineer iOS and Android binaries (Apps and system binaries)
- Do basic fuzz testing of iOS and Android apps
- Learn how to audit iOS and Android apps for security vulnerabilities
- Understand and bypass anti-debugging and obfuscation techniques
- Get a quick walkthrough on using IDA Pro, Hopper, Frida, etc
Benefits
- Source code for vulnerable applications
- Source code for Exploit PoCs that can be used for Bug Bounties
- Students will be provided with access to Corellium for iOS hands-on for the duration of the course
- Students using machines that do not support virtualization will be provided access to cloud instances for the duration of the course
- Slack access for the class and after for regular mobile security discussions
Agenda / Topics to be Covered:
Part 1 – ARM and Browser Security
- Module 1:
- Exploring the ARM64 instruction set
- ARM calling conventions
- ARM memory management
- Reversing ARM binaries
- Reversing the XNU kernel
- Exploiting a simple Heap Overflow
- Building a simple ROP chain
- Exploiting a simple Race Condition vuln
- Exploiting uninitialized stack variable vulnerability
- Breaking ASLR with Info leaks/Brute force
- Exploit mitigations (ASLR, Heap Poisoning, PAN, etc)
- Module 2:
- Setting up WebKit environment
- Debugging WebKit
- WebCore and JavaScriptCore internals
- Browser Mitigations – IsoHeaps, Gigacage, StructureID randomness, Site Isolation, etc
- JSC Side effects
- UaF, TypeConfusion etc
- addrof() and fakeobj() primitive
- SOP Bypass, Impact of PAC
Part 2 – iOS Exploitation
- Module 1: Getting Started with iOS Security
- iOS security model
- App Signing, Sandboxing, and Provisioning
- Primer to iOS 15 security
- Exploring the iOS filesystem
- Intro to Objective-C and Swift5
- Setting up the testing environment
- Jailbreaking your device
- Cydia, Mobile Substrate
- Sideloading apps
- Binary protection
- Checking for PIE, ARC
- Decrypting IPA files
- Self-signing IPA files
- Module 2: iOS exploitation basics
- The Boot Chain – Bootrom, LLB, iBoot
- Keybags, firmware keys
- Decrypting iBoot
- Reversing the Kernel
- Symbolicating the kernel
- ARM Pointer authentication
- KPP and KTRR
- Intro to Mach IPC, Port spraying
- XNU zones
- Discussion of the voucher_swap and checkm8 exploit
- How are jailbreak exploits written?
- Diffing for Patches
- CoreTrust, PPL
- Sandbox escape
- Chaining exploits
- Applying Kernel Patches
- Achieving persistence
- Module 3: Static and Dynamic Analysis of iOS Apps
- Static Analysis of iOS applications
- Finding Secrets in Code
- Lint Testing
- Dumping class information
- Insecure local data storage
- Dumping Keychain
- Exploiting URL schemes
- Dynamic Analysis of iOS applications
- Method Swizzling
- Debugging apps using lldb
- Modifying ARM registers
- Basic App Exploitation techniques using Frida
- Advance App Exploitation techniques using Frida
- Testing React Native and Flutter Apps
- Module 4: iOS application vulnerabilities
- Exploiting iOS applications
- Broken Cryptography
- Side channel data leakage
- Sensitive information disclosure
- Exploiting URL schemes
- Client-side injection
- Bypassing jailbreak, piracy checks
- Inspecting Network traffic
- Traffic interception over HTTP, HTTPs
- Manipulating network traffic
- Bypassing SSL pinning
- Module 5: Reversing iOS Apps
- Introduction to Hopper
- Disassembling methods
- Modifying assembly instructions
- Patching App Binary
Part 3 – Android Exploitation
- Module 1: Intro to Android Security
- Why Android
- Android Security Architecture
- Extracting APK files from Google Play
- Understanding Android application structure
- Signing Android applications
- ADB – Non-Root
- Rooting Android devices
- ADB – Rooted
- Understanding the Android file system
- Permission Model Flaws
- Attack Surfaces for Android applications
- Module 2: Components
- Understanding Android Components
- Introducing Android Emulator
- Introducing Android AVD
- Setting up Android Pentest Environment
- Module 3: Reversing Android apps
- Process of Android Apps Engineering
- Reverse Engineering for Android Apps
- Smali Learning Labs
- Examining Smali files
- Smali vs Java
- Dex Analysis and Obfuscation
- Reversing Obfuscated Android Applications
- Patching Android Applications
- Android App Hooking
- Module 4: Static and Dynamic Analysis
- Proxying Android Traffic
- Exploiting Local Storage
- Exploiting Weak Cryptography
- Exploiting Side Channel Data Leakage
- Multiple Manual and Automated Root Detection and Bypass Techniques
- Exploiting Weak Authorization mechanism
- Identifying and Exploiting Android Components
- Analysing Proguard, DexGuard, and other Obfuscation Techniques
- Exploiting Android NDK
- Android Game Hacking
- Multiple Manual and Automated SSL Pinning Bypass techniques
- Writing One-Click Remote Code execution exploits for Android applications
- Exploiting Android Google Play Billing
- Firebase Exploitation
- Exploiting Android Games
- In-memory tampering
- Module 5: Frida and Automated Exploitation
- Exploiting Crypto using Frida
- Basic App Exploitation techniques using Frida
- Dumping Class Information using Frida
- Dumping Method Information using Frida
- Viewing and Changing Information using Frida
- Tracing using Frida
- Advance App Exploitation techniques using Frida
- Frida on non-rooted Android
- Target audience / Who should take this course?
- This course is for penetration testers, mobile developers or anyone keen to learn mobile
- application security.
What students should bring with them to the class:
The course covers topics ranging from beginners to advanced topics. Basic Linux skills are
the only requirement for the course. Additional set-up info will be provided closer to the
training date
What students will be provided with onsite:
- Videos for all the vulnerabilities shared in the class
- Huge list of good reads and articles for learning mobile application security
- Source code for vulnerable applications
- Custom VM with 30 days of Lab Access