Proactive Mobile Defense

2 Days | Face to Face

Hack your way into a mobile app, discovering the full range of capabilities used by attackers – and the mindset behind their actions.

Attackers are increasingly focusing their efforts on compromising mobile applications. With mobile usage having surpassed laptop and desktop, now’s the time to understand how attackers target mobile apps, the mindset behind their actions, and what you can do to ensure yours are resilient to such threats.

This course uses step-by-step tutorials and practical exercises to give participants working knowledge of mobile hacking on iOS and Android. Understanding the basic principles of vulnerability hunting on-platform, all the way through to advanced exploitation techniques, will equip you to develop secure and resilient mobile apps for your organization or clients.

  • Practical, exercise-driven, and business-focused
  • Developed by the same people behind publications such as The Mobile Application Hacker’s Handbook and tools like Drozer and Needle
  • Delivered by experienced cyber security professionals, responsible for providing mobile security assessments and security research, and developing assessment tools
  • Focused on the offensive techniques and capabilities of modern attackers, and how to defend against them
  • Free rein to exploit a realistic web-based mobile application with the latest tooling and techniques
  • Teaches how to introduce security into the development life-cycle in a way you can maintain and scale
  • Covers secure coding principles, design and source code reviews, and vulnerability assessment tools
Who should attend?

This is a technical course aimed at Android and iOS developers, but it’s suitable for anyone with a technical interest in mobile application security. You don’t require any prior cyber security knowledge to benefit, but working knowledge of both Android and iOS is a must. We also recommend that you’re familiar with the syntax and structure of Android and iOS applications, basic internal and external communications, as well as accessing resources from an application.

  • Get into the head of an attacker with advanced mobile hacking abilities
  • Identify, exploit, and remediate common mobile application security flaws, over and above the OWASP Mobile Top Ten
  • Learn from experts who’ve written books, developed tools, and taken part in global mobile hacking competitions, like Mobile Pwn2Own
  • Get the skills to develop secure mobile applications that withstand advanced attacks, using the most up-to-date and effective secure coding practices
Course highlights
  • Identify, exploit, and remediate all the common web application security flaws over and above the OWASP Top Ten
  • Build secure web applications that withstand advanced attacks
  • Learn how hackers attack web applications, web servers and database servers
  • Deploy secure web and database servers that can withstand an attack
  • Build a development team with the most up-to-date and effective secure coding practices at their disposal
Benefits to you and your organization

From your team to the board, everyone needs results, which is why our courses come with their own individual business case.

This 3-day Proactive Mobile Defense course will:

  • Strengthen your mobile apps’ resilience to attacks, including the most advanced threats
  • Kick-start a reputation of cyber security excellence to improve relationships with third parties and prospective employees
  • Increase your understanding of cyber security, reducing the time and cost of remediating vulnerabilities
  • Facilitate a positive attitude and an understanding of the importance of security within the mobile development team
Syllabus

Android

Foundation

  • Relevance of mobile applications in the modern world
  • Mobile attackers’ goals

Android Security Model

  • User separation
  • File permissions
  • Package structure

Analyzing Android Applications

  • Structure of an APK
  • Application permissions
  • Protection levels
  • Decompiling and modifying an application
  • Code signing
  • Obfuscation

Android Application Components

  • Activities
  • Services
  • Broadcast receivers
  • Content providers
  • Intents
  • Native code

Storage and Logging

  • Android file system
  • Persistent storage
  • Data leakage
  • Backup Manager
  • File encryption
  • Logcat

Securing Communications

  • Clear text communications
  • Secure Sockets Layer (SSL)
  • Certificate pinning
  • WebViews & JavaScript interfaces
  • Alternative communication mechanisms

Security In-Depth

  • Root detection
  • Debug detection
  • Runtime manipulation

Integrating Security

  • Current state of the industry
  • Secure software development life cycle
  • Security requirements
  • Conducting a design review
  • Conducting a code review
  • Vulnerability scanning with drozer
  • Penetration testing
  • Vulnerability management

iOS

Introduction

  • OWASP Top 10
  • Server & Client Side Security
  • Mobile attackers’ goals

Analysing iOS Applications

  • Overview of the iOS ecosystem
  • Testing environment
  • iOS Assessments (what to look for)

iOS Development

  • Development environment
  • Objective-C overview
  • Source code review

iOS Security Model

  • Secure boot chain
  • Secure Enclave
  • Touch ID and Face ID
  • Application code signing
  • Application sandbox
  • Anti-exploitation mechanisms

Data Security

  • Data-at-rest encryption
  • Data Protection API
  • Keybags
  • Storage types
  • Caching
  • System Log
  • Inter-process communication

Runtime and Binary Protections

  • Jailbreaking
  • Instrumentation
  • Binary Protections

Transport Security

  • Network Communications in iOS
  • Intercepting communications
  • TLS certificate pinning

Integrating Security

  • Current state of the industry
  • Secure software development life cycle
  • Security requirements
  • Penetration testing
  • Vulnerability management
Accreditations & Certificates

F-Secure Consulting is a value-added supplier and has a B-BBEE procurement recognition level of 100%.
