In this beginner-friendly training, you’ll learn the fundamentals of mobile reverse engineering on iOS and Android devices.
On the first day, you’ll step into the shoes of a malware analyst. The training starts with an introduction to the fundamentals of reverse engineering Android applications. With these basics, you’re all set to look into an Android app, which masquerades as an Instant Messenger, but hides various malicious functionality in both Kotlin and native code. Let’s figure out what the app is doing, which information is leaked, and to whom!
On the second day, you’ll learn how to review the security of a complex iOS app, which includes an App Extension and a mix of various programming languages. After an exploration of the app’s basic functionality, you’ll learn how to make a proper threat model prior to security testing. Based on this, let’s find and trigger a bug in the app!
This training teaches all methods and tools required to follow mobile pentesting guides, such as OWASP Mobile, while also providing you with the basics to build your own security analysis tools where needed.
Venue
This training will take place on October 1st and 2nd, 2024 on-site at Hexacon 2024 in Paris.
Booking
As a BlackHoodie training, dedicated to women*, this 2-day Android and iOS training is free for all attendees! It is part of a 4-day BlackHoodie training, which also includes an introduction to x86 reverse engineering and firmware reverse engineering. For further details, see the BlackHoodie website.
Day 1 – Android
- The internal structure of an Android app.
- Static analysis of applications written in Java/Kotlin using Ghidra and jadx.
- Android specifics: Java virtualization, native libraries, JNI, …
- Dynamic instrumentation of applications that mix Java and native code using Frida.
- Android security boundaries: Intents, content providers, Binder, SELinux, sandboxing.
- Inter-process communication: Understanding Binder internals and tracing its interactions.
- Using existing tools to bypass TLS certificate pinning and root detection.
Day 2 – iOS
- Apple’s public documentation and source code.
- Attack surface and threat modeling: How to approach an App from a security point of view.
- The Apple App Store security model: Code signing, App Review, Entitlements, the iOS sandbox, and TCC.
- The internal structure of an iOS application: metadata and resources in Application Bundles, third-party frameworks, AppExtensions, and Mach-O internals, FairPlay DRM & decrypting iOS Apps, introduction to the DYLD Shared Cache.
- Static analysis: Navigating through larger binaries, Objective-C and Swift calling conventions and name mangling.
- Dynamic analysis: Writing stand-alone Frida scripts to inject data and trigger bugs. Reading and interpreting crash logs.
Training Prerequisites
- Basic programming knowledge, ideally one of the following programming languages: Python, JavaScript, C/C++, Java/Kotlin, Objective-C/Swift.
- Optional: Mobile app development background.
What to Bring
- Laptop that can run Android Studio and an Android Virtual Device, with an Internet connection and the possibility to install additional software. Android Studio must be installed on your host and cannot run inside a VM.
- The laptop should be running macOS or Linux. If you are on Windows, you’ll need to run a Linux VM with the tools for the iOS part of the training, including support for forwarding USB devices.
- Your laptop needs at least 8GB of RAM on macOS and Linux, or 16GB of RAM if you’re on Windows.
- Your rooted Android devices can be used as well, but we won’t be able to provide support for this.
- If you do have jailbroken iPhones and could bring those, that would help us a lot – please let us know in advance, including the jailbreak that you’re using.
Who should attend?
This training is aimed at anyone interested in mobile app security, including up-and-coming pen testers, security or vulnerability researchers, and app developers.
Trainer
Jiska Classen is a wireless and mobile security researcher, leading a research group at Hasso Plattner Institute. The intersection of her research topics means that she digs into iOS internals, reverse engineers wireless firmware, and analyzes proprietary protocols. Her practical work on public Bluetooth security analysis tooling uncovered remote code execution and cryptographic flaws in billions of mobile devices. She also likes to work on obscure and upcoming wireless technologies, for example, she recently uncovered vulnerabilities in Ultra-wideband distance measurement, reverse-engineered Apple's AirTag communication protocol, and published about Apple’s satellite communication implementation.
She has previously spoken at Black Hat USA, DEF CON, RECon, Hardwear.io, Chaos Communication Congress, Chaos Communication Camp, Gulaschprogrammiernacht, MRMCDs, Easterhegg, Troopers, Pass the Salt, and NotPinkCon, gave various lectures and trainings, and published at prestigious academic venues. Jiska Classen gave iOS and Android security trainings at TROOPERS, Nullcon, and Objective by the Sea, and has teaching experience from creating her own lectures and labs as a postdoctoral researcher at TU Darmstadt.