
SEC575: Mobile Device Security and Ethical Hacking

GIAC Mobile Device Security Analyst (GMOB)
  • In Person (6 days)
  • Online
36 CPEs

SEC575 will prepare you to effectively evaluate the security of mobile devices, assess and identify flaws in mobile applications, and conduct a mobile device penetration test, which are all critical skills required to protect and defend mobile device deployments. You will learn how to pen test the biggest attack surface in your organization; dive deep into evaluating mobile apps and operating systems and their associated infrastructure; and better defend your organization against the onslaught of mobile device attacks.

What You Will Learn

Imagine an attack surface that is spread across your organization and in the hands of every user. It moves regularly from place to place, stores highly sensitive and critical data, and sports numerous, different wireless technologies all ripe for attack. Unfortunately, such a surface already exists today: mobile devices. These devices constitute the biggest attack surface in most organizations, yet these same organizations often don't have the skills needed to assess them.

SEC575: Mobile Device Security and Ethical Hacking is designed to give you the skills to understand the security strengths and weaknesses of Apple iOS and Android devices, including Android 12 and iOS 15. Mobile devices are no longer a convenience technology. They are an essential tool carried or worn by users worldwide, often displacing conventional computers for everyday enterprise data needs. You can see this trend in corporations, hospitals, banks, schools, and retail stores across the world. Users rely on mobile devices today more than ever before and the bad guys do too. SEC575 examines the full gamut of these devices.

Learn How to Pen Test the Biggest Attack Surface in Your Entire Organization

With the skills you acquire in SEC575, you will be able to evaluate the security weaknesses of built-in and third-party applications. You'll learn how to bypass platform encryption and manipulate apps to circumvent client-side security techniques. You'll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels. You'll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS devices, and you'll learn how to bypass locked screens to exploit lost or stolen devices.

Corellium for Android and iOS Emulation

Throughout the course, students will use the innovative Corellium platform to experience iOS and Android penetration testing in a realistic environment. Corellium allows users to create virtualized iOS and Android devices with full root access even on the latest versions. By using this platform, SEC575 students can immediately test their skills right in their own browser, while still having full SSH/ADB capabilities and access to a range of powerful tools.

Take a Deep Dive into Evaluating Mobile Apps and Operating Systems and Their Associated Infrastructure

Understanding and identifying vulnerabilities and threats to mobile devices is a valuable skill, but it must be paired with the ability to communicate the associated risks. Throughout the course, you'll review ways to effectively communicate threats to key stakeholders. You'll learn how to use industry standards such as the OWASP Mobile Application Security Verification Standard (MASVS) to assess an application and understand all the risks so that you can characterize threats for managers and decision-makers.

Your Mobile Devices Are Going to Come Under Attack: Help Your Organization Prepare for the Onslaught

Mobile device deployments introduce new threats to organizations, including advanced malware, data leakage, and the disclosure to attackers of enterprise secrets, intellectual property, and personally identifiable information assets. Further complicating matters, there simply are not enough professionals with the security skills needed to identify and manage secure mobile phone and tablet deployments. By completing this course, you'll be able to differentiate yourself as someone prepared to evaluate the security of mobile devices, effectively assess and identify flaws in mobile applications, and conduct a mobile device penetration test. These are all critical skills to protect and defend mobile device deployments.

Syllabus (36 CPEs)

  • Overview

    The first section of SEC575 looks at the iOS platform. In examining the structure of iOS, we will see that it has many security controls built in by default, and that Apple keeps a very tight grip on both the hardware and the software. Next, we will discuss ways to disable different security controls by jailbreaking a device, which allows us to install various tools that help during a penetration test. Since mobile devices contain a lot of sensitive information, we take a look at the internal file structure of both iOS itself and any installed applications, in order to identify issues such as insecure storage of sensitive information and to find data that is useful during a full penetration test. Applications can also be attacked by other applications, which is why we will examine application interaction on iOS. Finally, we will take a look at iOS malware to see how malicious actors try to attack both the platform and the end user.

    Hands-on exercises will use Corellium to interact with iOS devices running in a virtualized environment, including low-level access to installed application services and application data.

    Topics

    Mobile Problems and Opportunities

    • Challenges and opportunities for secure mobile phone deployments
    • Weaknesses in mobile devices

    iOS Architecture

    • Architecture of iOS devices
    • Analysis of implemented security controls
    • iOS application development and publication
    • Apple's update policy

    Jailbreaking iOS Devices

    • Legal issues with jailbreaking
    • Jailbreaking iOS
    • Connecting to jailbroken iOS devices
    • Using a jailbroken device effectively: Tools you must have!

    iOS Data Storage and File System Architecture

    • iOS file system structure
    • iOS application data storage
    • Examining typical file types on iOS
    • Extracting data from iOS backups

    iOS Application Interaction

    • iOS application interaction through schemes, universal links, and extensions

    iOS Malware Threats

    • Trends and popularity of mobile device malware
    • Analysis of iOS malware targeting non-jailbroken devices
    • Examining advanced attacks by nation state actors

    iOS Labs

    • Using the Corellium platform
    • Installing tools on your jailbroken device
    • Analyzing file storage on iOS
    • Analyzing application interaction

  • Overview

    Android is by far the most popular mobile operating system. Devices with Android come in many shapes and sizes, which leads to a lot of fragmentation. In this course section we will take a look at Android internals and all the different security controls that are implemented to keep the user safe. In contrast to iOS, Android is open-source. It also gives developers many different ways to let their applications interact with other applications, including services, intents, broadcast receivers, and content providers. As these interactions define the attack surface of the application, we will take a close look at how they can be properly protected and exploited. Android can give us shell access through Android Debug Bridge tools, but if we really want full access, we still need to root the device by unlocking the bootloader or using a device-specific exploit. Once rooted, we will take a look at the internal file structure of both a typical Android device and installed applications to identify useful information. Finally, we will examine Android malware, which includes many different malware types such as ransomware, mobile banking Trojans, and spyware.
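    The paragraph above makes the point that exported activities, services, receivers, and providers are the attack surface other apps can reach. The following Python script, added here as an example and not part of the SEC575 course material, applies the platform's default-export rules to a constructed AndroidManifest.xml and lists the components another app can target with an Intent, together with the permission (if any) that gates them. The manifest, package name, and component names are constructed for the example; the rules (explicit android:exported wins, an intent-filter implies exported before targetSdkVersion 31, providers default to exported only below targetSdkVersion 17, and Android 12 rejects a filtered component with no explicit android:exported) are the platform's documented behaviour.

```python
"""List Android app components reachable from other apps.

Added example (not SEC575 course material). Parses a constructed
AndroidManifest.xml and applies the platform's export rules.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; the package and component names are invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareReceiverActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <data android:mimeType="text/plain"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.notes.permission.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"
              android:exported="true"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem, target_sdk):
    """Apply the platform's default-export rules to one component element."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        # Providers default to exported only when targetSdkVersion < 17.
        return target_sdk < 17
    has_filter = elem.find("intent-filter") is not None
    if has_filter and target_sdk >= 31:
        # Android 12+ refuses to install a manifest like this; surface it.
        raise ValueError(f"{_attr(elem, 'name')}: android:exported must be set")
    # Pre-31: an intent-filter implies exported for activities, services, receivers.
    return has_filter


def target_sdk_version(root):
    """targetSdkVersion, falling back to minSdkVersion, then 1 (platform default)."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    return int(_attr(uses_sdk, "targetSdkVersion") or _attr(uses_sdk, "minSdkVersion") or 1)


def find_exposed_components(manifest_xml):
    """Return (tag, name, permission) for every component other apps can reach."""
    root = ET.fromstring(manifest_xml)
    target_sdk = target_sdk_version(root)
    exposed = []
    for elem in root.find("application"):
        if elem.tag in COMPONENT_TAGS and is_exported(elem, target_sdk):
            exposed.append((elem.tag, _attr(elem, "name"), _attr(elem, "permission")))
    return exposed


def unprotected(exposed):
    """Exported components with no android:permission: the attack surface to test first."""
    return [(tag, name) for tag, name, perm in exposed if perm is None]


if __name__ == "__main__":
    for tag, name, perm in find_exposed_components(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:25} permission={perm or 'NONE'}")
```

    In the sample, .ShareReceiverActivity is exported only because it has an intent-filter and no android:exported attribute, which is exactly the kind of component that is easy to miss in a manual review; .SyncService is exported but gated by a custom permission, so the next step is to check that permission's protectionLevel rather than treat the service as open.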

    Topics

    Android Architecture

    • Architecture of Android devices
    • Analysis of implemented security controls
    • Android app execution: Android Runtime vs. Android Dalvik virtual machine
    • Android application development and publication
    • Android's update policy

    Rooting Android Devices

    • Examine different ways to obtain root, including unlocking the bootloader and using exploits
    • Installing custom ROMs, bootloaders, and recoveries
    • Installing Magisk systemless root

    Android Data Storage and File System Architecture

    • Android file system structure
    • Android application data storage
    • Examining typical file types on Android
    • Extracting data from Android backups

    Android Application Interaction

    • Android application interaction through activities, intents, services, and broadcasts
    • Protection of application components through permissions and signatures

    Android Malware Threats

    • Trends and popularity of mobile device malware
    • Analysis of Android malware, including ransomware, mobile banking Trojans, and spyware

    Android Labs

    • Using the Corellium platform
    • Android mobile application analysis with Android Debug Bridge (ADB) tools
    • Uploading, downloading, and installing applications with ADB
    • Analyzing file storage on Android
    • Analyzing application interaction

    Android Platform Analysis

    • iOS and Android permission management models
    • Code signing weaknesses on Android
    • Android app execution: Android Runtime vs. Android Dalvik virtual machine
    • Latest Android and iOS security enhancements

  • Overview

    One of the core skills you need as a mobile security analyst is the ability to evaluate the risks and threats a mobile app introduces to your organization. The lectures and hands-on exercises presented in this course section will enable you to use your analysis skills to evaluate critical mobile applications to determine the type of access threats and information disclosure threats they represent. We will use automated and manual application assessment tools to statically evaluate iOS and Android apps. Initially, the applications will be easy to understand, but towards the end of the section we will dig into obfuscated applications that are far more difficult to dissect. Finally, we will examine different kinds of application frameworks and how they can be analyzed with specialized tools.

    Topics

    Static Application Analysis

    • Retrieving iOS and Android apps for reverse engineering analysis
    • Decompiling Android applications
    • Circumventing iOS app encryption
    • Header analysis and Objective-C disassembly
    • Accelerating iOS disassembly: Hopper and IDA Pro
    • Swift iOS apps and reverse-engineering tools
    • Android application analysis with MobSF

    Reverse-Engineering Obfuscated Applications

    • Identifying obfuscation techniques
    • Decompiling obfuscated applications
    • Effectively annotating reconstructed code with Android Studio
    • Decrypting obfuscated content with Simplify

    Third-Party Application Frameworks

    • Examining .NET-based Xamarin and Unity applications
    • Examining HTML5-based PhoneGap applications
    • Examining Flutter and React-Native applications

  • Overview

    After performing static analysis on applications in the previous course section, we now move on to dynamic analysis. A skilled analyst combines static and dynamic analysis to evaluate the security posture of an application. Using dynamic instrumentation frameworks, we see how applications can be modified at runtime, how method calls can be intercepted and modified, and how we can gain direct access to the native memory of the device. We will learn about Cycript, Frida, Objection, and method swizzling to fully instrument and examine both Android and iOS applications. The section ends with a look at a consistent system for evaluating and grading the security of mobile applications using the OWASP Mobile Application Security Verification Standard (MASVS). By identifying these flaws, we can evaluate the mobile phone deployment risk to the organization with practical and useful risk metrics. Whether your role is to perform the penetration test or to source and evaluate the penetration tests of others, understanding these techniques will help you and your organization identify and resolve vulnerabilities before they become incidents.

    Topics

    Manipulating and Analyzing iOS Applications

    • Runtime iOS application manipulation with Cycript and Frida
    • iOS method swizzling
    • iOS application vulnerability analysis with Objection
    • Tracing iOS application behavior and API use
    • Extracting secrets with KeychainDumper
    • Method hooking with Frida and Objection

    Manipulating and Analyzing Android Applications

    • Android application manipulation with Apktool
    • Reading and modifying Dalvik bytecode
    • Adding Android application functionality, from Java to Dalvik bytecode
    • Method hooking with Frida and Objection

    Mobile Application Security Verification Standard

    • Step-by-step recommendations for application analysis
    • Taking a methodical approach to application security verification
    • Common pitfalls while assessing applications
    • Detailed recommendations for jailbreak detection, certificate pinning, and application integrity verification
    • Android and iOS critical data storage: Keychain and Keystore recommendations

  • Overview

    After analyzing the applications both statically and dynamically, one component is still left untouched: the back-end server. This course section will examine how you can perform Address Resolution Protocol (ARP) spoofing attacks on a network in order to obtain a man-in-the-middle position, and how Android and iOS try to protect users from having their sensitive information intercepted. We will examine how you can set up a test device to purposely intercept the traffic in order to find vulnerabilities on the back-end server. In some engagements we will need to access someone else's device, so we will examine whether we can break into a mobile device that's protected with a PIN code or biometrics. We will end the section by creating a Remote Access Trojan (RAT) application that can be installed either on a remotely compromised device or on a physically acquired device during a red team engagement in order to target users and gain access to internal networks.
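    Whether a test device can be made to accept an interception proxy's certificate is decided largely by the app's Network Security Config. The Python script below, added here as an example and not part of the SEC575 course material, audits a constructed network_security_config.xml for the settings an assessor checks before setting up a man-in-the-middle: cleartext traffic permitted, user-installed CAs trusted outside <debug-overrides> (which makes a proxy CA added through Settings work against a release build), domains with no pin-set, a pin-set with a single pin, and an expired pin-set (after expiration Android stops enforcing the pins). The config, domain names, and pin value are constructed; the element and attribute names are the documented Network Security Config format, and the expiration date is assumed to be in the documented YYYY-MM-DD form.

```python
"""Audit an Android Network Security Config for settings that weaken TLS.

Added example (not SEC575 course material). The config is constructed;
the checks mirror what decides whether a MITM proxy CA will be accepted.
"""
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample config; domains and the pin value are invented.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2023-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>
"""


def audit(config_xml, today=None):
    """Return (severity, message) findings. `today` is an ISO date string or None."""
    today = dt.date.fromisoformat(today) if today else dt.date.today()
    root = ET.fromstring(config_xml)
    findings = []

    def check_user_trust(section, where):
        # <certificates src="user"/> makes a CA installed via Settings trusted by this app.
        if section.find("trust-anchors/certificates[@src='user']") is not None:
            findings.append(("HIGH", f"{where}: user-installed CAs trusted; "
                             "an interception proxy CA added via Settings is accepted"))

    base = root.find("base-config")
    if base is not None:
        if base.get("cleartextTrafficPermitted") == "true":
            findings.append(("HIGH", "base-config: cleartext traffic permitted for all domains"))
        check_user_trust(base, "base-config")

    for dc in root.iterfind("domain-config"):
        label = ", ".join(d.text.strip() for d in dc.iterfind("domain"))
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(("HIGH", f"{label}: cleartext traffic permitted"))
        check_user_trust(dc, label)
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(("MEDIUM", f"{label}: no certificate pinning; trust anchors alone decide"))
            continue
        if len(pin_set.findall("pin")) < 2:
            findings.append(("LOW", f"{label}: single pin; no backup pin for key rotation"))
        expiration = pin_set.get("expiration")
        if expiration and dt.date.fromisoformat(expiration) < today:
            # Android stops enforcing the pin-set once it has expired.
            findings.append(("MEDIUM", f"{label}: pin-set expired on {expiration}; "
                             "pinning is no longer enforced"))

    # debug-overrides apply only to android:debuggable builds, so a user CA
    # here is expected for test builds and reported as informational.
    dbg = root.find("debug-overrides")
    if dbg is not None and dbg.find("trust-anchors/certificates[@src='user']") is not None:
        findings.append(("INFO", "debug-overrides: user CAs trusted in debuggable builds only"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

    Run against an app's own config (extract it from the APK's res/xml/ directory and find the android:networkSecurityConfig attribute in the manifest). A HIGH finding on base-config trust anchors means a proxy CA installed through Settings is enough to intercept; a pinned domain with a current pin-set is the case where a Frida hook or Objection's pinning bypass is needed instead.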

    Topics

    Intercepting TLS Traffic

    • Exploiting HTTPS transactions with man-in-the-middle attacks
    • Integrating man-in-the-middle tools with Burp Suite for effective HTTP manipulation attacks
    • Bypassing Android Network Security Config and Apple App Transport Security (ATS)
    • Bypassing SSL pinning

    Man-in-the-Middle Troubleshooting

    • Analyzing common issues when performing a man-in-the-middle attack
    • Using different setups to obtain a man-in-the-middle position
    • Creating custom Frida hooks to bypass SSL pinning

    Accessing Locked Devices

    • Brute-forcing PIN codes on Android and iOS
    • Bypassing brute-force protection
    • Abusing Siri to acquire information
    • Bypassing biometric authentication

    Using Mobile Device Remote Access Trojans

    • Building RAT tools for mobile device attacks
    • Hiding RATs in legitimate Android apps
    • Customizing RATs to evade anti-virus tools
    • Integrating the Metasploit Framework into your mobile pen test
    • Effective deployment tactics for mobile device phishing attacks

  • Overview

    In this final section we will pull together all the concepts and technology covered throughout the course in a comprehensive Capture-the-Flag event. In this hands-on mobile security challenge, you will examine multiple applications and forensic images to identify weaknesses and sources of sensitive information disclosure, and analyze obfuscated malware samples to understand how they work. You'll put the skills you have learned into practice in order to evaluate systems and applications, simulating the realistic environment you will need to protect when you get back to the office.

GIAC Mobile Device Security Analyst

The GIAC Mobile Device Security Analyst (GMOB) certification ensures that people charged with protecting systems and networks know how to properly secure mobile devices that are accessing vital information. GMOB certification holders have demonstrated knowledge about assessing and managing mobile device and application security, as well as mitigating against malware and stolen devices.

  • Managing Android and iOS devices and applications; jailbreaking, and rooting mobile devices
  • Assessing application security; manipulating mobile application behavior; static application analysis
  • Analyzing applications and network activity; intercepting encrypted network traffic
  • Mitigating against mobile malware and stolen mobile devices; penetration testing mobile devices

Prerequisites

Students should have familiarity with penetration testing concepts such as those taught in SANS SEC504: Hacker Tools, Techniques, and Incident Handling.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

In this course, students will use an advanced lab system to maximize the time spent on learning objectives and minimize setup and troubleshooting.

Students may use the latest version of Windows 10 or macOS 10.15.x or later for exercises. You will need a wired network adapter to connect to the classroom network. Larger laptop displays will make for an improved lab experience (less scrolling).

CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.

Your course media will now be delivered via download. The media files for class can be large, some in the 40-50 GB range, so you need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will increase quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

The first iPhone was released in 2007, and it is considered by many to be the starting point of the smartphone era. Over the past decade, we have seen smartphones grow from rather simplistic into incredibly powerful devices with advanced features such as biometrics, facial recognition, GPS, hardware-backed encryption, and beautiful high-definition screens. While many different smartphone platforms have been developed over the years, it is quite obvious that Android and iOS have come out victorious.

While smartphones provide a solid experience right out of the box, the app ecosystem is probably the most powerful aspect of any mobile operating system. Both the Google Play and Apple App stores have countless applications that increase the usefulness of their platforms and include everything from games to financial apps, navigation, movies, music, and other offerings.

However, many smartphones also contain an incredible amount of data about both the personal and professional lives of people. Keeping those data secure should be a primary concern for both the operating system and the mobile application developer. Yet, many companies today have implemented a bring-your-own-device policy that allows smartphones onto their network. These devices are often not managed and thus bring a new set of security threats to the company.

This course will teach you about all the different aspects of mobile security, both at a high level and down into the nitty-gritty details. You will learn how to analyze mobile applications, attack smartphone devices on the network, man-in-the-middle either yourself or others, and root/jailbreak your device. You will also learn what kind of malware may pose a threat to your company and your employees.

Mobile security is a lot of fun, and I hope you will join us for this course so that we can share our enthusiasm with you!

Reviews

You think you know cybersecurity, then you take SANS SEC575 and --bam!-- you realize there is so much more to learn!
Steve M.
SEC575 is directly useful training - both to penetration testers and developers.
Roy Cabaniss
LGS
Very well organized, absolutely interesting and fun. Very effective way of getting passionate about as well as learning to analyze apps.
Myriam Leggieri
Google
