SEC575: Mobile Device Security and Ethical Hacking

Cutting edge security material, well taught.

Donald Farrell, Kingsisle Entertainment Inc.

Mobile is what Windows was in the 90s--security and privacy are ignored in favor of functionality. SEC575 is fantastic for learning about what is vulnerable and how to exploit it. Plus, the course includes a Capture-The-Flag challenge using NetWars!

Pete Klabe, Anonymous

Imagine an attack surface that is spread across your organization and in the hands of every user. It moves regularly from place to place, stores highly sensitive and critical data, and sports numerous and different wireless technologies all ripe for attack. Unfortunately, such a surface already exists today: mobile devices. These devices constitute the biggest attack surface in most organizations, yet these same organizations often don't have the skills needed to assess them.

SEC575 Now Covers Android 10 and iOS 13

SEC575: Mobile Device Security and Ethical Hacking is designed to give you the skills to understand the security strengths and weaknesses of Apple iOS and Android devices. Mobile devices are no longer a convenience technology - they are an essential tool carried or worn by users worldwide, often displacing conventional computers for everyday enterprise data needs. You can see this trend in corporations, hospitals, banks, schools, and retail stores across the world. Users rely on mobile devices more today than ever before - we know it, and the bad guys do too. The SEC575 course examines the full gamut of these devices.

Learn How to Pen Test the Biggest Attack Surface in Your Entire Organization

With the skills you learn in SEC575, you will be able to evaluate the security weaknesses of built-in and third-party applications. You'll learn how to bypass platform encryption and manipulate apps to circumvent client-side security techniques. You'll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels. You'll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS, and you'll bypass the lock screen to exploit lost or stolen devices.

Take a Deep Dive into Evaluating Mobile Apps and Operating Systems and Their Associated Infrastructures

Understanding and identifying vulnerabilities and threats to mobile devices is a valuable skill, but it must be paired with the ability to communicate the associated risks. Throughout the course, you'll review ways to effectively communicate threats to key stakeholders. You'll leverage tools, including Mobile App Report Cards, to characterize threats for managers and decision-makers, while also identifying sample code and libraries that developers can use to address risks for in-house applications.

Your Mobile Devices are Going to Come Under Attack - Help Your Organization Prepare for the Onslaught

Applying your newly learned skills, you'll carry out a step-by-step mobile device deployment penetration test. Starting with gaining access to wireless networks to implement man-in-the-middle attacks and finishing with mobile device exploits and data harvesting, you'll examine each step of the test with hands-on exercises, detailed instructions, and tips and tricks learned from hundreds of successful penetration tests. By building these skills, you'll return to work prepared to conduct your own test, and you'll be better informed about what to look for and how to review an outsourced penetration test.

Mobile device deployments introduce new threats to organizations, including advanced malware, data leakage, and the disclosure to attackers of enterprise secrets, intellectual property, and personally identifiable information assets. Further complicating matters, there simply are not enough people with the security skills needed to identify and manage secure mobile phone and tablet deployments. By completing this course, you'll be able to differentiate yourself as someone prepared to evaluate the security of mobile devices, effectively assess and identify flaws in mobile applications, and conduct a mobile device penetration test - all critical skills to protect and defend mobile device deployments.

Course Syllabus

Overview

The first section of SEC575 looks at the significant threats affecting mobile device deployments, highlighted by a hands-on exercise evaluating network traffic from a vulnerable mobile banking application. As a critical component of a secure deployment, we will examine the architectural and implementation differences and similarities between Android (including Android 10) and Apple iOS 13. We will also look at the specific implementation details of popular platform features such as iBeacon, AirDrop, App Verification, and more. Hands-on exercises will be used to interact with mobile devices running in a virtualized environment, including low-level access to installed application services and application data. Finally, we will examine how applications interact with each other, as application interaction creates an interesting attack surface for mobile penetration tests.

CPE/CMU Credits: 6

Topics

Mobile Problems and Opportunities

  • Challenges and opportunities for secure mobile phone deployments
  • Weaknesses in mobile devices
  • Exploiting weaknesses in mobile apps: Bank account hijacking exercise

Mobile Device Platform Analysis

  • iOS and Android permission management models
  • Code signing weaknesses on Android
  • Android app execution: Android Runtime vs. Android Dalvik virtual machine
  • Latest Android and iOS security enhancements

Mobile Application Interaction

  • Android application interaction through activities, intents, services, and broadcasts
  • iOS application interaction through schemes and universal links
  • Protection of application components through permissions and signatures

Mobile Device Lab Analysis Tools

  • Using iOS and Android emulators
  • Android mobile application analysis with Android Debug Bridge (ADB) tools
  • Uploading, downloading, and installing applications with ADB
  • Interacting with applications through Activity Manager

Overview

A stolen or lost device is one of the most important threats to mobile devices, as it can lead to a major disclosure of sensitive information. In this course section we first examine how a device can be properly protected, and how someone might be able to circumvent those protections. Once access to the device has been obtained, we examine which information is available and how we can access it. Conversely, gaining privileged access to a device is often needed to perform a security assessment, so we will take a look at the steps required to root an Android phone and jailbreak an iOS device. At the end of the section, we will take a look at how mobile malware (ab)uses the ecosystem to steal money or data or brick the device.

CPE/CMU Credits: 6

Topics

Unlocking, Rooting, and Jailbreaking Mobile Devices

  • Legal issues with rooting and jailbreaking
  • Jailbreaking iOS
  • Android root access through unlocked bootloaders
  • Root exploits for Android
  • Using a rooted or jailbroken device effectively: Tools you must have!

Mobile Phone Data Storage and File System Architecture

  • Data stored on mobile devices
  • Mobile device file system structure
  • Decoding sensitive data from database files on iOS and Android
  • Extracting data from Android backups

Mobile Device Malware Threats

  • Trends and popularity of mobile device malware
  • Mobile malware command-and-control architecture
  • Efficiency of Android ransomware malware threats
  • Analysis of iOS malware targeting non-jailbroken devices
  • Hands-on analysis of Android malware
  • Mobile malware defenses: What works and what doesn't

Overview

One of the core skills you need as a mobile security analyst is the ability to evaluate the risks and threats a mobile app introduces to your organization. The lectures and hands-on exercises presented in this course section will enable you to use your analysis skills to evaluate critical mobile applications to determine the type of access threats and information disclosure threats they represent. We will use automated and manual application assessment tools to statically evaluate iOS and Android apps. Initially, the applications will be easy to understand, but towards the end of the section we will dig into obfuscated applications that are far more difficult to dissect. Finally, we will examine different kinds of application frameworks and how they can be analyzed with specialized tools.

CPE/CMU Credits: 6

Topics

Reverse-Engineering Obfuscated Applications

  • Identifying obfuscation techniques
  • Decompiling obfuscated applications
  • Effectively annotating reconstructed code with Android Studio
  • Decrypting obfuscated content with Simplify

Static Application Analysis

  • Retrieving iOS and Android apps for reverse engineering analysis
  • Decompiling Android applications
  • Circumventing iOS app encryption with Dumpdecrypted
  • Header analysis and Objective-C disassembly
  • Accelerating iOS disassembly: Hopper and IDA Pro
  • Swift iOS apps and reverse-engineering tools
  • Effective Android application analysis with MobSF

Third-Party Application Frameworks

  • Examining .NET-based Xamarin applications
  • Examining HTML5-based PhoneGap applications

Overview

After having performed static analysis on applications in section 3, we now move on to dynamic analysis. A skilled analyst combines both static and dynamic analysis to evaluate the security posture of an application. Using dynamic instrumentation frameworks, we see how applications can be modified at runtime, how method calls can be intercepted and modified, and how we can have direct access to the native memory of the device. We will learn about Frida, Objection, Needle, Drozer, and method swizzling to fully instrument and examine both Android and iOS applications. The section ends with a look at a consistent system for evaluating and grading the security of mobile applications using the Application Report Card Project. By identifying these flaws we can evaluate the mobile phone deployment risk to the organization with practical and useful risk metrics. Whether your role is to implement the penetration test or to source and evaluate the penetration tests of others, understanding these techniques will help you and your organization identify and resolve vulnerabilities before they become incidents.

CPE/CMU Credits: 6

Topics

Manipulating and Analyzing iOS Applications

  • Runtime iOS application manipulation with Cycript and Frida
  • iOS method swizzling
  • iOS application vulnerability analysis with Needle
  • Tracing iOS application behavior and API use
  • Extracting secrets with KeychainDumper
  • Method hooking with Frida and Objection

Manipulating and Analyzing Android Applications

  • Android application manipulation with Apktool
  • Reading and modifying Dalvik bytecode
  • Adding Android application functionality, from Java to Dalvik bytecode
  • Android application interaction and intent manipulation with Drozer
  • Method hooking with Frida and Objection

Application Report Cards

  • Step-by-step recommendations for application analysis
  • Tools and techniques for mobile platform vulnerability identification and evaluation
  • Recommended libraries and code examples for developers
  • Detailed recommendations for jailbreak detection, certificate pinning, and application integrity verification
  • Android and iOS critical data storage: Keychain and key store recommendations

Overview

After having analyzed the applications both statically and dynamically, one component is still left untouched: the back-end server. In this course section we will examine how you can perform ARP spoofing attacks on a network in order to obtain a man-in-the-middle position, and how Android and iOS try to protect users from having their sensitive information intercepted. Next, we'll examine how you can set up a test device to purposely intercept the traffic in order to find vulnerabilities on the back-end server. We end the section by creating a RAT application that can be used during a red team assessment in order to target users and gain access to internal networks.

CPE/CMU Credits: 6

Topics

Network Manipulation Attacks

  • Using man-in-the-middle tools against mobile devices
  • Sniffing, modifying, and dropping packets as a man-in-the-middle
  • Mobile application data injection attacks

SSL/TLS Attacks

  • Exploiting HTTPS transactions with man-in-the-middle attacks
  • Core pen test technique: TLS impersonation against iOS Mail.app for password harvesting
  • Integrating man-in-the-middle tools with Burp Suite for effective HTTP manipulation attacks
  • Bypassing Android's NetworkSecurityConfig and Apple's Transport Security

Web Framework Attacks

  • Site impersonation attacks
  • Application cross-site scripting exploits
  • Remote browser manipulation and control
  • Data leakage detection and analysis
  • Hands-on attacks: Mobile banking app transaction manipulation

Using Mobile Device Remote Access Trojans

  • Building RAT tools for mobile device attacks
  • Hiding RATs in legitimate Android apps
  • Customizing RATs to evade anti-virus tools
  • Integrating the Metasploit Framework into your mobile pen test
  • Effective deployment tactics for mobile device phishing attacks

Overview

In the final module of SEC575 we will pull together all the concepts and technology covered throughout the course in a comprehensive Capture-the-Flag event. In this hands-on exercise, you will examine multiple applications and forensic images to identify weaknesses and sources of sensitive information disclosure, and analyze obfuscated malware samples to understand how they work. During this mobile security event you will put into practice the skills you have learned in order to evaluate systems and defend against attackers, simulating the realistic environment you will be prepared to protect when you get back to the office.

CPE/CMU Credits: 6

Additional Information

In this course, students will use an advanced lab system to maximize the time spent on learning objectives and minimize setup and troubleshooting.

Students may use a Windows or a macOS/OS X system for exercises. You will need a wired network adapter to connect to the classroom network. Larger laptop displays will make for an improved lab experience (less scrolling).

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

  • Penetration testers
  • Ethical hackers
  • Auditors who need to build deeper technical skills
  • Security personnel whose job involves assessing, deploying, or securing mobile phones and tablets
  • Network and system administrators supporting mobile phones and tablets

Students should have familiarity with network penetration testing concepts, such as those taught in SEC504 or SEC560.

What You Will Receive

  • Course books with a table of contents and a comprehensive index
  • Step-by-step instructions for all lab exercises
  • Access to associated software, files, and analysis resources
  • MP3 audio files of the complete course lecture

You Will Be Able To

  • Use jailbreak tools for Apple iOS and Android systems
  • Conduct an analysis of iOS and Android file system data to plunder compromised devices and extract sensitive mobile device use information
  • Analyze Apple iOS and Android applications with reverse-engineering tools
  • Change the functionality of Android and iOS apps to defeat anti-jailbreaking or circumvent in-app purchase requirements
  • Conduct an automated security assessment of mobile applications
  • Intercept and manipulate mobile device network activity
  • Leverage mobile-device-specific exploit frameworks to gain unauthorized access to target devices
  • Manipulate the behavior of mobile applications to bypass security restrictions

Hands-On Labs

  • Mobile Application Network Traffic Analysis
  • Manipulating Android Intents with Drozer
  • iPhone Data Analysis
  • Network Traffic Examination: Evil Bank
  • Android App Static Analysis
  • Using Frida and Objection for Dynamic Instrumentation
  • Manipulating Web Browser Activity
  • Android Malware Analysis
  • Meterpreter RAT Deployment
  • Obfuscated Android App Analysis
  • Modifying Android Applications
  • Banking Transaction Manipulation
  • Android Emulation and ADB Access
  • Android Backup Analysis
  • Android Intents
  • Xamarin App Analysis and PhoneGap App Analysis
  • Static Analysis with MobSF

Student Testimonials

  • "In the fast-paced world of bring-your-own-device and mobile device management, SEC575 is a must-have course for InfoSec managers." - Jude Meche, DSCC
  • "SEC575 was my first SANS training course, and I found it to be very valuable. The information was well delivered." - Rodney Helsens, KPMG LLP
  • "SEC575 is directly useful training - both to penetration testers and developers." - Roy Cabaniss, LGS
  • "SEC575 is a great course taught by a great instructor. There is so much useful information covered that is extremely relevant." - Adam Cravedi, Compass ITC
  • "The explanations of the concepts behind the tools are great! SEC575 provides both the process and application of tools - not just a ton of tools and information." - Sean Burden, Western Union
  • "I appreciate the formalized mobile application analysis report card information in SEC575. I can bring it back and use it at work to help formalize the application security program." - Adam Kliarsky, Disney
  • "I love the new lab structure in SEC575, because it doesn't require running or troubleshooting virtual machines - it's much faster." - Jem Jensen, NetSPI

Author Statement

"The first iPhone was released in 2007, and it is considered by many to be the starting point of the smartphone era. Over the past decade, we have seen smartphones grow from rather simplistic into incredibly powerful devices with advanced features such as biometrics, facial recognition, GPS, hardware-backed encryption and beautiful high-definition screens. While many different smartphone platforms have been developed over the years, it's quite obvious that Android and iOS have come out victorious.

"While smartphones provide a solid experience right out of the box, the app ecosystem is probably the most powerful aspect of any mobile OS. Both the Google Play and Apple App stores have many millions of applications that increase the usefulness of their platforms and include everything from games to financial applications, navigation, movies, music, and countless other offerings.

"However, many people's smartphones also contain an incredible amount of data about both their personal and professional lives. Keeping those data secure should be a primary concern for both the OS and the mobile application developer. Yet, many companies today have implemented a bring-your-own-device policy that allows smartphones onto their network. These devices are often not managed and thus bring a new set of security threats to the company.

"I wrote this course to teach you about all the different aspects of mobile security, both at a high level and down into the nitty-gritty details. You will learn how to analyze mobile applications, attack smartphone devices on the network, man-in-the-middle either yourself or others, and root/jailbreak your device. You'll also learn what kind of malware may pose a threat to your company and your employees.

"Mobile security is a lot of fun, and I hope you will join this course so that we can share our enthusiasm with you!"

- Jeroen Beckers
