
Must-have skills in any penetration tester's arsenal.

MASPT at a glance:
10 highly practical modules
4 hours of video material
1200+ interactive slides
20 applications to practice with
Leads to eMAPT certification
Most practical and up-to-date course on Mobile Application Security and Penetration Testing
Covers mobile OS security mechanisms and implementations
Exposes Android and iOS vulnerabilities in depth
For penetration testers, forensic analysts and mobile app developers

eLearnSecurity has been chosen by students in 120 countries in the world and by leading organizations such as:

MOBILE APPLICATION SECURITY AND PENETRATION TESTING

SYLLABUS
v1.0 (28/01/2014)

Course description:
Mobile Application Security and Penetration Testing (MASPT) is the online training course on Mobile Application Security that gives penetration testers and IT security professionals the practical skills necessary to understand technical threats and attack vectors targeting mobile devices.
The course will walk you through the process of identifying security issues in Android and iOS applications, using a wide variety of techniques including reverse engineering, static/dynamic/runtime analysis and network analysis.
The student will learn how to code simple iOS and Android applications step by step. These skills are necessary to fully understand mobile application security and to build real-world PoCs and exploits.
Moreover, a number of vulnerable mobile applications, included in the training course, will give the student the chance to practice and learn things by actually doing them: from decrypting and disassembling applications, to writing fully working exploits and malicious applications.

Who should take this course and pre-requisites:

The MASPT training course benefits the career of penetration testers and IT security personnel in charge of defending their organization's applications and data. We also believe this course will be interesting and entertaining for developers who want to know more about the security mechanisms and features implemented in mobile OSs such as Android and iOS.
Although the course uses and explains several snippets of iOS and Android application source code, strong programming skills are not required. Basic mobile application development skills are taught within the training course.
NOTE: In order to go through some of the techniques explained in the iOS related modules, physical devices such as an iPod, iPhone or iPad might be necessary. Unlike iOS, the Android related modules do not require the possession of an Android device: the Android SDK provides all the necessary tools for both Windows and *nix systems.

Who should not take this training course:

This course is probably not for you if you are looking for something that:

Teaches you how to jailbreak or root iOS/Android devices
Will give you a certification without any effort
You can memorize to pass a multiple-choice test
Will not make you think

How am I going to learn this?

eLearnSecurity courses are very interactive and addictive. During this training course you will have to deal with several guided challenges, so knowledge and fun are guaranteed. Just don't expect the outdated way of learning by reading pages and pages of theoretical methodologies.
NO BORING THEORIES ABOUT THE UNIVERSE
This course is practical and entertaining. We show you how attacks work in practice, with real examples and labs that reflect real-world application vulnerabilities.

Can I track my learning progress?

Or will I only find out during the exam whether I actually learned something?
The answer to these questions is very simple: your achievements will tell. During the training course you will find several labs to practice with. You will solve these together with us, while we explain all the necessary concepts to you. Then you are free to practice on these experiments for as long as you want. If you can solve a challenge, you know that you learned and understood the concepts behind it properly.

Is there a final examination?

Yes. The final exam consists of a hands-on challenge in which the student has to prove the skills acquired during the training course.
The student will be provided with a real-world scenario of two Android applications to analyze and pentest.
The final deliverable will be a working and reproducible proof of concept that will be reviewed by the training course instructor.

Will I get a certificate?

Once you pass the final exam, you will be awarded the eMAPT "eLearnSecurity Mobile Application Penetration Tester" certification.
You can print your shiny new certificate directly or have it shipped to you internationally.

Organization of Contents
The student is provided with a suggested learning path to ensure the maximum success rate and the minimum effort.

Module 1: Mobile Devices Overview
Module 2: Mobile OS Architectures & Security Models
Module 3: Android: Setting up a Test Environment
Module 4: iOS: Setting up a Test Environment
Module 5: Android: Reverse Engineering & Static Analysis
Module 6: iOS: Reverse Engineering & Static Analysis
Module 7: Android: Dynamic/Runtime Analysis
Module 8: iOS: Dynamic/Runtime Analysis
Module 9: Android: Network Analysis
Module 10: iOS: Network Analysis

Module 1: Mobile Devices Overview

In this module we will see which the most used mobile platforms are and why mobile security is so critical nowadays.
We will enumerate the most important mobile threats and provide a taxonomy useful to fully understand the rest of the training course.

1.1. Mobile Platforms
1.1.1. Android
1.1.2. iOS
1.2. Why Mobile Security
1.3. Taxonomy of Security Threats
1.3.1. OWASP Top 10 Mobile Risks
1.3.2. Physical Security
1.3.3. Poor Keyboards
1.3.4. User Profiles
1.3.5. Web Browsing
1.3.6. Malware
1.3.6.1. Malware History
1.3.6.2. Malware Spreading
1.3.7. Patching and Updating

Module 2: Mobile OS Architectures & Security Models

The second module covers in great detail all the security features and mechanisms implemented in the two most important mobile operating systems: Android and iOS.

2.1. Android
2.1.1. Android Architecture
2.1.2. Android Security Models
2.1.2.1. Privilege Separation and Sandboxing
2.1.2.2. File System Isolation
2.1.2.3. Storage and Database Isolation
2.1.2.4. Application Signing
2.1.2.5. Permission Model
2.1.2.6. Memory Management Security Enhancement
2.1.2.7. Components
2.1.2.8. Google Bouncer
2.1.3. Rooting Devices
2.2. iOS
2.2.1. iOS Architecture
2.2.2. iOS Security Models
2.2.2.1. Privilege Separation
2.2.2.2. Sandbox
2.2.2.3. Code Signing
2.2.2.4. Keychain and Encryption
2.2.2.5. DEP/ASLR
2.2.2.6. Reduced OS
2.2.2.7. iOS Security Overview
2.2.3. Jailbreaking Devices

Module 3: Android - Setting up a Test Environment

In this module the student will learn how to create and configure the local environment for the Android SDK and all the Android related tools.
An in-depth coverage of how to create and interact with Android emulated and actual devices will help the student build the strong foundations necessary to understand the attacks and techniques covered in the following modules.

3.1. Android SDK
3.1.1. Windows OS
3.1.2. Linux OS
3.2. Eclipse IDE
3.3. AVD and Actual Devices
3.3.1. Start AVD
3.3.2. Edit Virtual Device Definitions
3.3.3. Create New Virtual Device
3.3.4. Run and Interact with Virtual Devices
3.3.5. Improve Virtual Device Performance
3.3.6. Connect Actual Devices via USB
3.4. Interact with the Devices
3.4.1. Android Debug Bridge
3.4.1.1. List Devices
3.4.1.2. Gather Device Information
3.4.1.3. ADB Shell
3.4.1.4. Browse the Device
3.4.1.5. Read Databases
3.4.1.6. Move Files from/to the Device
3.4.1.7. Sqlite3
3.4.1.8. DDMS File Explorer
3.4.1.9. Mount Device Disk
3.4.1.10. Install / Uninstall Application with gdb
3.4.2. Install and Run Custom Application
3.4.3. BusyBox
3.4.4. SSH
3.4.5. VNC

Video and practical sessions included in this module

Module 4: iOS - Setting up a Test Environment

This module focuses on how to configure the Mac OS environment to work with simulated devices and iDevices.
The student will learn how to interact with the device, write iOS applications, install and run them on emulated and actual devices, as well as use tools to access and inspect data and files stored on the device.

4.1. iOS SDK
4.1.1. Xcode IDE
4.1.2. iOS Simulator
4.1.3. Writing an iOS App
4.2. iOS Simulator and Xcode Limitations
4.3. File System and Device Interaction
4.3.1. Directory Structure
4.3.2. Plist Files
4.3.3. Databases
4.3.4. Logs and Cache Files
4.3.5. Browse Application Files and Folders
4.3.5.1. Plist
4.3.5.2. Databases
4.3.5.3. Library and Caches
4.3.5.4. Cookies.binarycookies
4.3.6. Extract Files from Devices
4.3.7. Snapshots
4.3.8. Export Installed Apps
4.3.9. Install Applications
4.3.10. SSH Access
4.3.11. Xcode Organizer
4.4. Backups
4.5. Interact with Jailbroken Devices
4.5.1. SSH Access
4.5.1.1. Windows OS
4.5.1.2. Mac/Linux OS
4.5.1.3. SSH via Cable (USB)
4.5.1.4. BigBoss Recommended Tools
4.5.2. SFTP (FTP via SSH)
4.5.3. Explorer Software
4.5.4. VNC
4.5.5. Run Apps without Developer Account
4.5.5.1. Don't Code Sign
4.5.5.2. Self-Signed Certificate
4.5.5.3. Create and Run Custom Apps
4.5.5.4. From .app to .ipa
4.5.6. Edit Existing Application Files
4.5.7. Keychain Dumper

Video and practical sessions included in this module

Module 5: Android - Reverse Engineering and Static Analysis

In the beginning, the student will learn how Android applications are built and packaged in order to effectively reverse engineer them.
Moreover, the student will be exposed to techniques and tools used for binary decompiling, reading the application source code and gathering hardcoded information.

5.1. Decompiling and Disassembling .apk Files
5.2. Smali
5.3. Decompile .apk to .jar Files
5.4. From .jar to Source Code
5.5. Decompiling/Disassembling Overview
5.6. Labs
5.6.1. Locating Secrets
5.6.2. Bypassing Security Controls
5.7. Patching Binaries

Video and practical sessions included in this module

Module 6: iOS - Reverse Engineering and Static Analysis

During this module the student will go through the process of decompiling iOS applications.
Several tools will be used to access and inspect information contained in the application binaries.

6.1. .ipa and .app Files
6.2. Plist
6.3. Decompiling iOS Apps: otool
6.4. Decompiling iOS Apps: class-dump
6.5. Decompiling iOS Apps: IDA
6.6. LAB
6.6.1. Locating Information
6.7. Patching iOS Apps in the Simulator

Video and practical sessions included in this module


Module 7: Android - Dynamic / Runtime Analysis

During this module the student will learn how to access runtime information on Android devices.
Memory analysis techniques will be covered through the use of different tools for different purposes.
The student will learn how to subvert the normal execution flow of an application to access restricted information, data and areas.
At the end of this highly practical module, the student will be able to bypass security controls and write exploit applications targeting implementations of Android IPC mechanisms.

7.1. Debugging
7.2. LogCat
7.3. DDMS
7.4. Memory Analysis
7.4.1. DDMS
7.4.2. HPROF
7.4.3. Strings
7.4.4. Inspect HPROF Dump
7.4.5. MAT
7.5. IPC Mechanisms and App Components
7.5.1. Intents
7.5.2. Android Tools
7.5.2.1. Monkey
7.5.2.2. Activity Manager
7.5.2.3. LAB: Bypass Security Checks
7.5.3. Content Providers
7.5.3.1. Example #1
7.5.3.2. Example #2
7.5.3.3. Example #3
7.5.3.4. Query a Content Provider
7.5.3.5. Find the Correct URI
7.5.3.5.1. LAB: Content Provider Leakage
7.5.3.6. SQL Injection
7.5.3.6.1. LAB: SQL Injection
7.5.3.7. Directory Traversal
7.5.4. SharedUID

Video and practical sessions included in this module


Module 8: iOS - Dynamic/Runtime Analysis

During this module the student will become familiar with the most important tools and techniques for dynamic analysis and runtime manipulation on iDevices.
The aim of this module is to teach the student how applications can be decrypted at runtime, as well as how they can be manipulated in order to force the application to run or display restricted areas.
The student will be guided step by step through the exploitation process of real-world iOS applications, provided within the module.
By using advanced debugging techniques and tools, the student will learn how to bypass security controls implemented within the target application.

8.1. Manually Decrypt Application Binaries
8.1.1. GDB
8.1.2. ldid
8.1.3. Identify ASLR/PIE
8.1.4. Calculating the Area to Dump
8.1.5. Attach GDB and Dump the Area
8.1.6. Merge the Dump
8.1.7. Edit cryptid Values
8.1.7.1. MachOView
8.1.8. Debug/Run the App
8.2. Decrypt Application Binaries: Clutch
8.3. Runtime Manipulation
8.3.1. Cycript
8.3.1.1. Install Cycript
8.3.1.2. Attach Cycript to a Process
8.3.1.3. Interact with Cycript
8.3.1.4. Pop up an Alert at Runtime
8.3.1.5. Bypass the Lock Screen
8.3.1.6. Attack Custom Apps: LogMeIn
8.3.1.7. Attack Custom Apps: LogMeIn2
8.4. GDB
8.4.1. objc_msgSend
8.4.2. ARMv6 Processor Registers
8.4.3. Runtime Analysis with GDB
8.4.4. Attack Applications with GDB

Video and practical sessions included in this module


Module 9: Android Network Analysis

This module focuses on the specific configurations that allow a user to intercept and sniff all the Android device communications.
The student will learn how to analyze and manipulate the traffic that goes through the Android device.

9.1. Traffic Sniffing
9.2. Proxying Emulators and Actual Devices
9.3. Intercept Application and SSL Traffic
9.3.1. Intercept with Rooted Device and ProxyDroid
9.4. Traffic Manipulation

Video and practical sessions included in this module

Module 10: iOS Network Analysis

This module focuses on the specific configurations that allow a user to intercept and sniff all the iOS device communications.
The student will learn how to analyze and manipulate the traffic that goes through the iOS device.

10.1. Traffic Sniffing
10.2. Proxying Simulators and Actual Devices
10.3. Proxying and Intercepting SSL Traffic: Charles
10.4. Proxying and Intercepting SSL Traffic: Burp
10.5. SSL Traffic on Actual Devices
10.5.1. Charles
10.5.2. Burp

Video and practical sessions included in this module


About eLearnSecurity
A leading innovator in the field of practical, hands-on IT security training.
Based in Pisa (Italy), Dubai (UAE) and San Jose (USA), eLearnSecurity is a leading provider of IT security and penetration testing courses, including certifications for IT professionals.
eLearnSecurity's mission is to advance the career of IT security professionals by providing affordable and comprehensive education and certification.
All eLearnSecurity courses utilize engaging eLearning and the most effective mix of theory, practice and methodology in IT security - all with real-world lessons that students can immediately apply to build relevant skills and keep their organization's data and systems safe.

eLearnSecurity 2014
Via Matteucci 36/38
56124 Pisa, Italy
