Rocky Mountain 2015

Denver, CO | Mon, Jun 22 - Sat, Jun 27, 2015
This event is over, but there are more training opportunities.

SEC575: Mobile Device Security and Ethical Hacking

Mon, June 22 - Sat, June 27, 2015

I have learned a lot this week in SEC575 about how to test applications and verify applications, which will be invaluable in my day-to-day activities.

John S., Engineer

SEC575 was my first SANS training course, and I found it to be very valuable. The information was well delivered.

Rodney Helsens, KPMG LLP

Mobile phones and tablets have become essential to enterprise and government networks ranging from small organizations to Fortune 500 companies and large agencies. Often, mobile phone deployments grow organically, adopted by multitudes of end-users for convenient email access, as well as by managers and executives who need access to sensitive organizational resources from their favored personal mobile devices. In other cases, mobile phones and tablets have become critical systems for a wide variety of production applications from enterprise resource planning (ERP) to project management.

For all of its convenience, however, the ubiquitous use of mobile devices in the workplace and beyond has brought new security risks. As reliance on these devices has grown exponentially, organizations have quickly recognized that mobile phones and tablets need greater security implementations than a simple screen protector and clever password. Whether an Apple iPhone or iPad, a Windows Phone, or an Android or BlackBerry phone or tablet, these devices have become hugely attractive and vulnerable targets for nefarious attackers. The use of such devices poses an array of new risks to organizations, including:

  • Distributed sensitive data storage and access mechanisms
  • Lack of consistent patch management and firmware updates
  • High probability of the device being hacked, lost or stolen

Mobile code and apps are also introducing new avenues for malware and data leakage, exposing critical enterprise secrets, intellectual property, and personally identifiable information assets to attackers. To further complicate matters, today there simply are not enough people with the security skills needed to manage mobile phone and tablet deployments.


SEC575: Mobile Device Security and Ethical Hacking is designed to help organizations secure their mobile devices by equipping personnel with the knowledge to design, deploy, operate, and assess a well-managed and safe mobile environment. The course will help you build the critical skills to support your organization's secure deployment and use of mobile phones and tablets. You will learn how to capture and evaluate mobile device network activity, disassemble and analyze mobile code, recognize weaknesses in common mobile applications, and conduct full-scale mobile penetration tests.

You will gain hands-on experience in designing a secure mobile phone network for local and remote users and learn how to make critical decisions to support devices effectively and securely. You will also learn to analyze and evaluate mobile software threats, as well as understand how attackers exploit mobile phone weaknesses, so that you can test the security of your own deployment. With these skills, you will be a valued mobile device security analyst, fully able to guide your organization through the challenges of securely deploying mobile devices.

You Will Learn:

  • How to capture and evaluate mobile application network activity
  • How to decrypt and manipulate Apple iOS application behavior
  • How to identify the steps taken by Android malware
  • How to reverse-engineer and change Android applications in the Google Play Store
  • How to conduct mobile device and mobile application penetration tests


Course Syllabus

Christopher Crowley
Mon Jun 22nd, 2015
9:00 AM - 5:00 PM


The first section of the course looks at the significant threats affecting mobile phone deployments and how organizations are being attacked through these systems. As a critical component of a secure deployment, we will examine the architectural and implementation differences between Android, Apple, BlackBerry and Windows Phone systems, including platform software defenses and application permission management. We will also look at the specific implementation details of popular platform features such as iBeacon, AirDrop, App Verification, and more. Hands-on exercises will be used to interact with mobile device emulator features, including low-level access to installed application services.

We will also examine the critical considerations for platform management systems and how attackers evade or manipulate platform management controls. While we look at the positive side of mobile device management (MDM) systems, we also examine how attackers use MDM tools to manipulate a victim's mobile device and use it for their own malicious purposes. Finally, we will address the threats of mobile malware, including emerging malware threats and the increasingly complex and advanced trends in mobile device malware.

CPE/CMU Credits: 6


Mobile Problems and Opportunities

  • Challenges and opportunities for secure mobile phone deployments
  • Weaknesses in mobile phones
  • Exploit tools and attacks against mobile phones and tablets

Mobile Devices and Infrastructure

  • BlackBerry network and platform architecture
  • iOS security features and weaknesses
  • Analysis of iOS features including iBeacon and AirDrop
  • Google Play Marketplace and third-party application stores
  • Windows Phone architecture and development platforms
  • Benefits and weaknesses of container-based mobile device management solutions

Mobile Device Security Models

  • Privilege and access models on multiple platforms
  • Device encryption support and threats
  • Emerging changes in platform security from Android and Apple

Mobile Device Lab Analysis Tools

  • Using iOS, Android, BlackBerry and Windows Phone emulators
  • Android mobile application analysis with Android Debug Bridge (ADB) tools
  • Uploading, downloading and installing applications with ADB
  • Application testing with the iOS Simulator

Mobile Device Malware Threats

  • Trends and popularity of mobile device malware
  • Mobile malware command and control architecture
  • Efficiency of Android "ransomware" malware threats
  • Value and effectiveness of Android anti-malware platforms

Christopher Crowley
Tue Jun 23rd, 2015
9:00 AM - 5:00 PM


With an understanding of the threats, architectural components and desired security methods, we can design incident response processes to mitigate the effect of common threat scenarios, including device loss. This section looks at building such a program while developing your own skills to analyze mobile device data and applications through rooting and jailbreaking, filesystem data analysis and network activity analysis techniques.

CPE/CMU Credits: 6


Mitigating the Impact of Devices Being Stolen

  • Bypassing iOS and Android passcode locks
  • Decrypting iOS keychain credentials
  • Accessing mobile device backup data
  • Creating a lost device reporting program
  • Leveraging remote device wipe strategies

Unlocking, Rooting and Jailbreaking Mobile Devices

  • Goals of unlocking
  • Jailbreaking iOS
  • Unlocking Windows Phone
  • Rooting Android
  • BlackBerry platform restrictions

Mobile Phone Data Storage and Filesystem Architecture

  • Data stored on mobile devices
  • Mobile device filesystem structure
  • Decoding sensitive data from database files on iOS and Android
  • Extracting data from Android backups
  • Using filesystem artifacts for location disclosure attacks beyond GPS coordinates

Network Activity Monitoring

  • Mobile application network capture and data extraction
  • Capturing iOS network traffic through OS X systems
  • Transparent network proxying for data capture
  • Encrypted data capture manipulation
  • Extracting files and sensitive content from network captures
  • Recovering sensitive data from popular cloud storage providers

Christopher Crowley
Wed Jun 24th, 2015
9:00 AM - 5:00 PM


One of the critical decisions you will need to make in supporting a mobile device deployment is whether to approve unique application requests from end-users in a corporate deployment. With some analysis skills, you will be able to evaluate these requests to determine the type of access and information disclosure threats they represent.

This section will examine the techniques for reverse-engineering iOS and Android applications, obtaining source code for applications from public application stores. For Android applications, we will look at opportunities to change behavior as part of our analysis process by decompiling, manipulating and recompiling code, and by adding new code to existing applications without prior source code access. For iOS, we will extract critical application definition information available in all applications to examine and manipulate behavior through the Cycript tool.

CPE/CMU Credits: 6


Static Application Analysis

  • Reverse-engineering iOS binaries in Objective-C and ARM instructions
  • Reverse-engineering Android binaries in Java and Dalvik Bytecode
  • Evaluating mobile malware threats through source-code analysis
  • Defeating Apple FairPlay encryption for application binary access
  • Combining source-code and behavior analysis for effective application penetration testing
  • Overcoming anti-decompilation techniques in defensive code

Automated Application Analysis Systems

  • iOS application vulnerability analysis with iAuditor
  • Structured iOS application header analysis
  • Tracing iOS application behavior and API use with Snoop-it
  • Effective Android application analysis with Androwarn
  • Android application interaction and Intent manipulation with Drozer

Manipulating Application Behavior

  • Runtime iOS application manipulation with Cycript
  • iOS method swizzling
  • Android application manipulation with Apktool
  • Reading and modifying Dalvik Bytecode
  • Adding Android application functionality, from Java to Dalvik Bytecode

Christopher Crowley
Thu Jun 25th, 2015
9:00 AM - 5:00 PM


An essential component of developing a secure mobile phone deployment is to perform an ethical hacking assessment. Through ethical hacking and penetration testing, we examine the mobile devices and infrastructure from the perspective of an attacker, identifying and exploiting flaws that deliver unauthorized access to data or supporting networks. By identifying these flaws we can evaluate the mobile phone deployment risk to the organization with practical and useful risk metrics.

CPE/CMU Credits: 6


Fingerprinting Mobile Devices

  • Passive analysis
  • Active scanning
  • Application inspection

Wireless Network Probe Mapping

  • Monitoring network probing activity
  • Visualizing network discovery and search
  • Wireless anonymity attacks

Weak Wireless Attacks

  • Wireless network scanning and assessment
  • Exploiting weak wireless infrastructure
  • Monitoring mobile device network scanning
  • Exploiting "attwifi" and iPad or iPhone captive portal detection
  • Secure network impersonation

Enterprise Wireless Security Attacks

  • Certificate impersonation and mobile devices
  • Manipulating enterprise wireless authentication
  • RADIUS server impersonation attacks

Christopher Crowley
Fri Jun 26th, 2015
9:00 AM - 5:00 PM


Continuing our look at ethical hacking and penetration testing, we turn our focus to exploiting weaknesses on individual mobile devices including iPhones, iPads, Android phones and tablets, Windows Phones, and BlackBerry devices. We will also examine platform-specific application weaknesses and look at the growing use of web framework attacks.

CPE/CMU Credits: 6


Network Manipulation Attacks

  • Leveraging man-in-the-middle tools against mobile devices
  • SSL certificate manipulation and bypass attacks
  • Effective SSL penetration testing techniques

Mobile Application Attacks

  • Exploiting mobile application authentication vulnerabilities
  • Manipulating mobile application network activity
  • Applying web attacks to thin mobile applications
  • Exploiting common application flaws on Android and iOS platforms

Web Framework Attacks

  • Site impersonation attacks
  • Application cross-site scripting exploit
  • Remote browser manipulation and control
  • Data leakage detection and analysis

Back-end Application Support Attacks

  • Exploiting SQL injection in mobile application frameworks
  • Leveraging client-side injection attacks
  • Getting end-to-end control of mobile application server resources

Christopher Crowley
Sat Jun 27th, 2015
9:00 AM - 5:00 PM


On the last day of class we will pull together all the concepts and technology we have covered during the week in a comprehensive Capture the Flag event. In this hands-on exercise, you will have the option to participate in multiple roles: designing a secure infrastructure for the deployment of mobile phones, monitoring network activity to identify attacks against mobile devices, extracting sensitive data from a compromised iPad, and attacking a variety of mobile phones and related network infrastructure components.

During this mobile security event you will put into practice the skills you have learned in order to evaluate systems and defend against attackers, simulating the realistic environment you will be prepared to protect when you get back to the office.

CPE/CMU Credits: 6

Additional Information

Throughout the course, students will participate in hands-on lab exercises. Students must bring their own laptops to class that meet the requirements described below.


Students must bring a Windows 8/8.1 or Windows 7 laptop to class, preferably running natively on the system hardware. It is possible to complete the lab exercises using a virtualized Windows installation; however, this will result in reduced performance when running device emulators within the virtualized Windows host.

Administrative Access

For several tools utilized in the course, students will be required to perform actions with administrative privileges. Students must have administrative access on their Windows host, including the ability to unload or disable security software such as anti-virus or firewall agents as necessary for the completion of lab exercises. Further, students should have knowledge of the local passwords required to manage their system, including local Administrator account passwords, and passwords necessary to make system BIOS configuration changes.


Students will use a virtualized Linux VMware guest for several lab exercises. VMware Workstation or VMware Player is recommended. Note that there is no cost associated with the use of VMware Player, which can be downloaded from the VMware website.

VirtualBox and other virtualization tools are not supported at this time.

Hardware Requirements

Several of the software components used in the course are hardware intensive, requiring more system resources than what might be required otherwise for day-to-day use of a system. Please ensure your laptop meets the following minimum hardware requirements:

  • Minimum 2 GB RAM, 4 GB recommended
  • Ethernet (RJ45) network interface; students will not be able to complete lab exercises without an Ethernet interface, either built-in or through a USB adapter.
  • 30 GB free hard disk space
  • DVD drive
  • Minimum screen resolution 1024x768; a larger screen resolution will reduce scrolling in several applications and provide a more pleasant end-user experience

During the course, you will install numerous tools, and make several system changes. Some students may wish to bring a clean system that is not their everyday production system, or a dedicated Windows virtual machine that meets the minimum requirements for a system, to avoid any changes that may interfere with other system software.

If you have additional questions about the laptop specifications, please contact

  • Penetration testers
  • Ethical hackers
  • Auditors who need to build deeper technical skills
  • Security personnel whose job involves assessing, deploying or securing mobile phones and tablets
  • Network and system administrators supporting mobile phones and tablets

Students should have familiarity with network penetration testing concepts, such as those taught in SEC504 or SEC560.

  • Course book with a comprehensive index
  • Step-by-step instructions for all lab exercises
  • Handouts and cheat-sheets used for quick reference to detailed information sources
  • Course DVD and associated software, files and analysis resources
  • Use jailbreak tools for Apple iOS and Android systems
  • Conduct an analysis of iOS and Android filesystem data to plunder compromised devices and extract sensitive mobile device use information
  • Analyze Apple iOS and Android applications with reverse-engineering tools
  • Conduct an automated security assessment of mobile applications
  • Use wireless network analysis tools to identify and exploit wireless networks used by mobile devices
  • Intercept and manipulate mobile device network activity
  • Leverage mobile-device-specific exploit frameworks to gain unauthorized access to target devices
  • Manipulate the behavior of mobile applications to bypass security restrictions
  • Using the Android Emulator
  • Creating Malicious iOS Configuration Profiles
  • Bypassing Android Swipe Locks
  • Analyzing Mobile Device Network Traffic with NetworkMiner
  • Manipulating Android Application Intents
  • Decompiling Android Applications with JD-GUI, Procyon and Jadx
  • Analyzing Sensitive iOS File System Data
  • Hacking the Online Bank: Android Mobile App

"Cutting edge security material, well taught." - Donald Farrell, Kingsisle Entertainment Inc.

"In the fast paced world of Bring Your Own Device (BYOD) and mobile device management, SEC575 is a must course for infosec managers." - Jude Meche, DSCC

"SEC575 provides a pretty comprehensive overview of different attack vectors and vulnerabilities in the mobile field. It covers many topics in enough depth to really get a foothold in the subject. I wish I had taken this course several years ago when first entering the mobile landscape. It would have saved me months of painful self-teaching, and is vastly more complete in many areas." - Jeremy Erickson, Sandia National Labs

SEC575 Mobile Device Security and Ethical Hacking Review by Matt Edmonson

Author Statement

I'm not sure exactly when it happened, but laptops and PCs have become legacy computing devices, replaced by mobile phones and tablets. Just when I thought we were getting a much better handle on the security of Windows, Mac, and other Unix systems, there has been an explosion of new devices wanting to join our networks that simply do not have the same security controls that we rely on in modern, secure networks.

Even with their weaknesses, mobile phones are here to stay, and we are being called on to support them more and more. Some organizations try to drag their feet on allowing mobile phones, but that ultimately contributes to the problem: if we do not address security, the threats continue to grow, uncontrolled and unmonitored.

Fortunately, we can securely deploy, manage and monitor mobile phones and tablets inside our organizations through policy and careful network deployment and monitoring. We need to build some essential skills in analyzing the risks of data leakage in mobile code and in the applications our end-users want to run from the app store. And we need to ethically hack our networks to identify the real threat and exposure of mobile phone weaknesses.

I wrote this course to help people build their skills in all these areas, focusing on the topics and concepts that are most important and immediately useful. Every organization should have an analyst who has the skills for mobile phone security analysis and deployment. By taking this course, you will become an even more valued part of your organization. And we'll have lots of geeky fun in getting you there!

- Josh Wright