Android & iOS App Exploitation BootCamp is an self-paced hands-on training that covers practical techniques to analyze, reverse and pentest Android and iOS applications.
The class has been built and improved constantly over the past 7 years (2013-now) to include all new tools, techniques, and vulnerabilities to exploit Android & iOS apps.
This class takes you behind-the-scenes of most of the concepts and explains the underlying fundamentals, rather than rushing through the concepts or the labs. It’s completely self-paced - that means you can take it at your own pace and can keep coming back to it for reference.
The class does not promise to make you a Mobile Application Pentesting rockstar - but it does increase your odds of becoming one.
If you feel that there is something that’s missing from the course, or not explained clearly - we make constant revisions and are just an email/DM away.
COURSE OUTLINE
The Fundamentals: Android 101 - Ecosystem, Operating System, App Distribution
Security Evolution of Android (apps and platform)
Visualizing Android Security RabbitHole
Tools / Mindset / Approach
Test lab setup
Android FileSystem explorations
What Makes an Android App
Android Permission Model
Android App LifeCycle and States
Languages and ByteCodes
IPC Communication
Reverse Engineering Android apps
Hardcoded values (app code, native code)
Exploring Android Data Storage
Modifying/Patching/Backdooring Android apps & Use Cases
Exploiting App Frameworks
Automated analysis of Android app security issues
Identifying Insecure components and Exploitation
Middleware utilities
Intents, Intent-Filters and Intent Interception
Broadcasts their Receivers and Security Issues
Deep Linking Deep Dive
Android Backups
Understanding Android Runtime
Debugging Java code and Native libraries
Hooking Fundamentals
Frida Foundations
Frida + Static Analysis tag-team
Recovering encryption keys and other secrets
Android Network Communication
Network APIs
HTTP, HTTPS, and TLS
Capturing Network traffic in Android
Webview based Security issues
Certificates and Authenticity
Defeating SSL Pinning
Android Defense Strategies
Code Obfuscation, Packers and Optimizers
Android Kernel Overview
Understanding Android Rooting
Summary and Wrap-up
Training Project & Submission Guidelines
Future Research Direction
What is iOS
iOS and Android - similarities and differences
iOS Ecosystem and Security Evolution
How are iOS applications built - overview
iOS frameworks
Obj-C and Swift
Navigating XCode
Signing and Certificates
Jailbreaking for non-jailbreakers
IPAs
MachO binaries
Reverse Engineering iOS apps
Patching iOS apps
Exploring iOS File System
iOS App Data Storage
Insecure data storage
iOS Network APIs
Capturing app communication
Defeating SSL pinning
Runtime manipulation concepts
Automated Runtime analysis
Frida for iOS Security Research
Fuzzing - Android and iOS components
Conclusion & Wrap-Up
Research Areas
Training Project for iOS
[CONTENT CONSTANTLY UPDATED] - You will get continuous access to the latest Mobile Exploitation training course material
All the above-mentioned topics are taught with extremely hands-on lab-based practical sessions.
WHAT STUDENTS WILL BE PROVIDED WITH
- Attify's Mobile pentesting VM
- Lab reference material and handouts
- 400+ slides (PDF Copy)
Ideal for
This course is ideal for individuals who:
Kickstart or accelerate their career in Android/iOS Security
Identify and Exploit vulnerabilities in real-world apps
Research into Mobile Security topics and are looking for a starting launchpad
Searching for a one-stop course covering ALL of Android and iOS application security
Requirements:
- Free 40 GB disk space
- iOS device (preferably 12 or above)
- Mac goes well with iOS security research (but not a requirement)
Certification
The course includes 2 certificates:
- Certificate of Completion
- Attify Certified Mobile Pentester (after submitting the Classroom project)