
For up to the minute updates on HITB2012KUL, please follow our @hitbsecconf Twitter stream or join our Facebook Group

TECH TRAINING 4 – MOBILE APPLICATION HACKING – ATTACK & DEFENSE

TRAINER: Hemil Shah (Founder/Director, eSphere Security)

CAPACITY: 20 pax

SEATS LEFT: REGISTRATION CLOSED

DURATION: 2 days (8th & 9th October 2012)

COST (per pax): MYR3999 (early bird) / MYR4999 (non early-bird)

OVERVIEW

Mobile application hacking and security has become a major concern. In the last few years we have seen a range of new attack vectors and exploitation methods for these devices. Smartphones and tablets running iPhone, Android, Windows and BlackBerry have taken over the market in a frenzy. Email, social networking, banking: everything is now possible on the go with smartphones and the applications built for them. These smartphones are equipped with data, Wi-Fi, voice and GPS functions, and applications can leverage all of these features. The sudden growth in the number of applications available for these devices raises a real concern for the security of both users and the servers supporting these applications.

Mobile applications are vulnerable to a set of different attacks: attacks on local storage, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks, hard-coded keys and a few others. At the same time, mobile applications talk to the server side over HTTP/HTTPS, which opens up possible attacks on Web Services and APIs; the server-side applications can be attacked with injections. Several new technology stacks such as HTML5 and Silverlight are evolving on mobile and open up a new attack surface. In this context it is imperative for IT professionals and corporate application owners to understand these attack vectors along with the mechanisms for securing against them. The class features real-life cases, live demos, code scanning and defense plans. The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, who brings his experience in application and mobile security research to a curriculum that addresses these new challenges. The following topics will be covered during the class.

Introduction to Mobile Applications

  • General Overview

  • Case studies of Vulnerable and old AppStore applications

  • Evaluation of Applications

  • Trends in Mobile Application Security

  • Mobile Application Kiddos – What, Why, How and Where

  • Introduction to iOS and iPhone Security

  • Introduction to Android Security

Understand OS structure and permission

  • Sandboxing

  • Mobile Application Architecture

  • Understanding iPhone platforms

    • iOS Structure

    • Application Structure

    • Application Distribution

    • Permissions

  • Understanding Android platforms

    • Android File System/Dalvik

    • Application Distribution

    • Permissions

  • Understanding Windows Phone platforms

    • Windows file System

    • Application Distribution

    • Permission model

Write your own Application

  • Cocoa/Cocoa touch Framework

  • HTML5 applications

  • Introduction to Xcode

  • Running application in iPhone simulator

  • Introduction to sample android applications

  • Running application in Android simulator

Set up Attack environment

  • Intercepting tools (iPhone & Android)

  • Analysis tools (iPhone & Android)

  • Monitoring tools (iPhone & Android)

  • Configuring simulators to use proxy (iPhone & Android)

  • Overcoming SSL traffic interception challenges (iPhone & Android)

  • Reverse engineering tools (iPhone & Android)

Mobile Application Attacks

  • Insecure storage

  • Insecure network communication – carrier network security & Wi-Fi network attacks

  • Unauthorized dialing, SMS

  • UI Impersonation/Spoofing

  • Activity monitoring and data retrieval

  • Sensitive data leakage

  • Hardcoded passwords/keys

  • Language issues

  • Timely application update

  • Jailbreaking/Physical device theft

  • Keyboard cache/Clipboard issues in iPhone

  • Reading information from SQLite database

  • Insecure Protocol Handler implementation

HTML 5 Attacks on Mobile

  • LocalStorage stealing

  • SQLite injections

  • Click/Tap Jacking

  • Logical attacks

  • JavaScript reverse engineering

Reverse Engineering

  • Reverse engineering iPhone application

  • Decompiling Android application

  • Interesting things to look for after reverse engineering

Source Code analysis for Mobile Applications

  • Secure coding for Mobile Application

  • How to incorporate secure design and coding principles for developing iOS & Android applications

  • Safe/Unsafe APIs

  • Avoiding Buffer Overflows And Underflows

  • Validating Input and Inter-process Communication

  • Race Conditions and Secure File Operations

  • Designing Secure User Interfaces

  • Static Code Analyzer for iOS

  • Security Development Checklists

Hands-on:

All concepts taught in this class are reinforced with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise: working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit the vulnerabilities present in the applications and suggest appropriate defense strategies. Mobile applications running on iPhone, Android and Windows will be provided for testing. Participants will also build a small application to capture important development concepts.

WHAT TO BRING:

A working laptop with the following hardware/software requirements:

  • OS: XP, 7 or Server family (please install the .NET Framework)

  • 3 GB RAM

  • Wi-Fi enabled

  • Administrative access on the computer

All other tools will be provided. An iPod Touch will be provided in the class for the hands-on exercises.

ABOUT THE TRAINER

Hemil Shah (Founder/Director, eSphere Security)

Hemil Shah, CISSP, CSSLP, ACP, is the founder and Director of eSphere Security, a company that provides professional services in the security arena. He has worked with HBO, KPMG, IL&FS and Net-Square in the security space. He has published several advisories, tools and whitepapers, and has presented at numerous conferences. Hemil is an expert in mobile application security and application security, researching new methodologies and training designs. He has performed more than 1000 security consulting assignments in the areas of penetration testing, code reviews, web application assessments, security architecture reviews and mobile application security reviews.

Copyright © 2012 Hack In The Box | http://www.hackinthebox.org