
SANS 2013

Orlando, FL | Fri, Mar 8 - Fri, Mar 15, 2013

SEC575: Mobile Device Security and Ethical Hacking

Sun, March 10 - Fri, March 15, 2013

The training in SEC575 pushes me out of my comfort zone. I am not a programmer, but I am heavily involved in mobile for enterprise.

James Taylor, DXA

Cutting edge security material, well taught.

Donald Farrell, Kingsisle Entertainment Inc.

Mobile phones and tablets have become an increasingly common system in enterprise and government networks, from small organizations to Fortune 10 companies. Often, mobile phone deployments grow organically, adopted by end-users for convenient email access, on up to the CEO for access to sensitive company resources and systems. In other cases, mobile phones and tablets have become critical systems for a wide variety of production applications from ERP to project management.

Whether Apple iPhone or iPad, Windows Phone, Android or BlackBerry phones or tablets, the use of mobile devices introduces new risks to an organization including distributed data storage and access mechanisms, lack of consistent patch management and firmware updates, the high probability of loss or device theft and more. Mobile code and software applications are also introducing new malware and data leakage problems that expose sensitive data or personally identifiable information assets. Topping off these problems is a non-technical issue: there simply are not enough people with the skills to securely deploy and manage mobile phone and tablet deployments today.

This course was designed to help organizations struggling with the problems introduced by mobile phone security. From policy to network architecture and deployment, from mobile code analysis to penetration testing and ethical hacking, this course will help you build the critical skills necessary to support the secure deployment and use of mobile phones and tablets. You'll get hands-on experience designing a secure mobile phone network for local and remote users, making critical decisions about which devices to support, analyzing and evaluating software threats, and learning how attackers exploit mobile phone weaknesses so you can test the security of your own deployment. With these skills you'll be a valued analyst, able to guide your organization through the challenges and pitfalls of securely deploying mobile devices.


A Sampling of Topics

  • Evaluating Mobile Device Management (MDM) systems for your organization
  • Benefits and weaknesses of device encryption systems
  • Building secure mobile phone remote access solutions
  • Unlocking, rooting and jail breaking mobile phones and tablets
  • Extracting sensitive data from Apple iOS and Android file systems
  • Bypassing device lock passcodes
  • Reverse engineering mobile code and applications
  • Identifying data leakage exposure from mobile applications
  • Fingerprinting mobile devices inside your organization
  • Impersonating secure WiFi networks for credential harvesting
  • Stealing usernames and passwords from BlackBerry phones
  • Exploiting weaknesses in popular mobile device applications


Course Syllabus

Joshua Wright
Sun Mar 10th, 2013
9:00 AM - 5:00 PM


In order to have a secure mobile phone deployment, you need to establish policies that define the acceptable use of the technology and recognize the limitations and threats of mobile phones, tablets and the associated infrastructure systems.

The first part of the course looks at the significant threats affecting mobile phone deployments and how organizations are being attacked through these systems. As a critical component of a secure deployment, we'll guide you through the process of defining mobile phone policies with sample policy language and recommendations for various vertical industries, taking into consideration the legal obligations of enterprise organizations. We'll also look at the architecture and technology behind mobile phone infrastructure systems from BlackBerry, Apple, Android and Windows as well as the platform-specific security controls available including device encryption, remote data wipe, application sandboxing and more.

CPE/CMU Credits: 6


Mobile Problems and Opportunities

  • Challenges and opportunities for secure mobile phone deployments
  • Weaknesses in mobile phones
  • Exploit tools and attacks against mobile phones and tablets

Mobile Devices and Infrastructure

  • BlackBerry network and platform architecture
  • iOS security features and weaknesses
  • Managing iOS devices with Microsoft Exchange
  • Google Play Marketplace and third-party application stores
  • Windows Phone architecture and development platforms

Mobile Device Security Models

  • Privilege and access models on multiple platforms
  • Device encryption support and threats
  • Emerging changes in platform security from Android and Apple

Legal Aspects of Mobile

  • Privacy concerns and threats
  • Mobile phones and data breach reporting considerations
  • Proposed legislation affecting mobile devices

Policy Considerations and Development

  • Steps and recommendations for establishing policies
  • Mobile devices and local, cloud and offline data storage
  • Device theft/loss and company culture for reporting effectiveness

Joshua Wright
Mon Mar 11th, 2013
9:00 AM - 5:00 PM


With an understanding of the threats, architectural components and desired security methods, we can design and implement device and infrastructure systems to defend against threats. In this part of the course we'll examine the design and deployment of network and system infrastructure to support a mobile phone deployment including the selection and deployment of Mobile Device Management (MDM) systems.

CPE/CMU Credits: 6


Wireless Network Infrastructure

  • Designing a wireless LAN system for mobile phones
  • Decision: network isolation or integration for mobile phones
  • Threat of guest/open networks

Mobile Device Management System Architecture

  • Vendor options for MDM solutions
  • Limitations for remote device management by mobile phone platform
  • MDM network protocols and architectures

Mobile Device Management Selection

  • Critical MDM feature evaluation
  • Deployment model considerations for enterprise networks
  • Picking an MDM solution that fits your needs

Mitigating Stolen Devices

  • Bypassing iOS and Android passcode locks
  • Decrypting iOS keychain credentials
  • Accessing mobile device backup data
  • Creating a lost device reporting program
  • Leveraging remote device wipe strategies

Unlocking, Rooting, Jailbreaking Mobile Devices

  • Goals of unlocking
  • Jailbreaking iOS
  • Unlocking Windows Phone
  • Rooting Android
  • BlackBerry platform restrictions

Joshua Wright
Tue Mar 12th, 2013
9:00 AM - 5:00 PM


One of the critical decisions you will need to make in supporting a mobile device deployment is to approve or disapprove of unique application requests from end-users in a corporate device deployment. With some analysis skills, we can evaluate applications to determine the type of access and information disclosure threats they represent. In this process, we'll use jailbreaking and other techniques to evaluate the data stored on mobile phones.

CPE/CMU Credits: 6


Mobile Phone Data Storage and Filesystem Architecture

  • Data stored on mobile devices
  • Mobile device filesystem structure introduction
  • Data storage mechanisms
  • Backup data analysis

Filesystem Application Modeling

  • Application modeling goals
  • Using Sleuthkit for filesystem runtime analysis
  • Analyzing filesystem changes

Network Activity Monitoring

  • Mobile application network capture and data extraction
  • Transparent network proxying
  • Encrypted data capture manipulation

Mobile Code and Application Analysis

  • Reverse engineering iOS binaries in Objective-C
  • Reverse engineering Android binaries in Java
  • Reverse engineering Android malware

Automated Application Analysis Systems

  • Runtime iOS application manipulation with Cycript
  • iOS application vulnerability analysis with iAuditor
  • Android application vulnerability analysis with DroidBox

Approving or Disapproving Applications In Your Organization

  • Policies regarding data access
  • Risk evaluation
  • On-going monitoring analysis requirements
  • MDM management and application blacklisting

Joshua Wright
Wed Mar 13th, 2013
9:00 AM - 5:00 PM


An essential component of developing a secure mobile phone deployment is to perform an ethical hacking assessment. Through ethical hacking or penetration testing, we examine the mobile devices and infrastructure from the perspective of an attacker, identifying and exploiting flaws that deliver unauthorized access to data or supporting networks. Through the identification of these flaws we can evaluate the mobile phone deployment risk to the organization with practical, useful risk metrics.

CPE/CMU Credits: 6


Fingerprinting mobile devices

  • Passive analysis
  • Active scanning
  • Application inspection

Wireless Network Probe Mapping

  • Monitoring network probing activity
  • Visualizing network discovery and search
  • Wireless anonymity attacks

Weak Wireless Attacks

  • Wireless network scanning and assessment
  • Exploiting weak wireless infrastructure
  • Monitoring mobile device network scanning
  • Exploiting "attwifi" and iPad or iPhone captive portal detection
  • Secure network impersonation

Enterprise Wireless Security Attacks

  • Certificate impersonation and mobile devices
  • Manipulating enterprise wireless authentication
  • RADIUS server impersonation attacks

Joshua Wright
Thu Mar 14th, 2013
9:00 AM - 5:00 PM


Continuing our look at ethical hacking or penetration testing, we turn our focus to exploiting weaknesses on individual mobile devices including iPhones, iPads, Android phones and tablets, Windows Phones and BlackBerry devices. We'll also examine platform-specific application weaknesses and look at the growing use of web framework attacks.

CPE/CMU Credits: 6


Network Manipulation Attacks

  • Leveraging man-in-the-middle tools against mobile devices
  • SSL certificate manipulation and bypass attacks
  • Effective SSL penetration testing techniques

Mobile Application Attacks

  • Exploiting mobile application authentication vulnerabilities
  • Manipulating mobile application network activity
  • Applying web attacks to thin mobile applications

Web Framework Attacks

  • Site impersonation attacks
  • Application cross-site scripting exploit
  • Remote browser manipulation and control
  • Data leakage detection and analysis

Back-end Application Support Attacks

  • Exploiting SQL injection in mobile application frameworks
  • Leveraging client side injection attacks
  • Getting end-to-end control of mobile application server resources

Joshua Wright
Fri Mar 15th, 2013
9:00 AM - 5:00 PM


On the last day of class we'll pull in all the concepts and technology we've covered in the week for a comprehensive Capture the Flag (CTF) event. In the CTF event, you'll have the option to participate in multiple roles, designing a secure infrastructure for the deployment of mobile phones, monitoring network activity to identify attacks against mobile devices, extracting sensitive data from a compromised iPad and attacking a variety of mobile phones and related network infrastructure components.

In the CTF you'll use the skills you've built to practically evaluate systems and defend against attackers, simulating the realistic environment you'll be prepared to protect when you get back to the office.

CPE/CMU Credits: 6

Additional Information

Throughout the course, students will participate in hands-on lab exercises. Students must bring their own laptops to class that meet the requirements described below.


Students must bring a Windows 7, Windows Vista, or Windows XP laptop to class, preferably running natively on the system hardware. It is possible to complete the lab exercises using a virtualized Windows installation; however, this will result in reduced performance when running device emulators within the virtualized Windows host. If you are a Windows XP user, make sure you also have the .NET 3.5 framework installed, which can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=21.

Administrative Windows Access

For several tools utilized in the course, students will be required to perform actions with administrative privileges. Students must have administrative access on their Windows host, including the ability to unload or disable security software such as anti-virus or firewall agents as necessary for the completion of lab exercises.


Students will use a virtualized MobiSec Linux VMware guest for several lab exercises. VMware Workstation or VMware Player is recommended. Note that there is no cost associated with the use of VMware Player, which can be downloaded from the VMware website.

While some students successfully use VMware Fusion for the exercises, the relative instability of VMware Fusion may introduce delays in exercise preparation, preventing the timely completion of lab exercises. VirtualBox and other virtualization tools are not supported at this time.

Hardware Requirements

Several of the software components used in the course are hardware intensive, requiring more system resources than what might be required otherwise for day-to-day use of a system. Please ensure your laptop meets the following minimum hardware requirements:

  • Minimum 2 GB RAM, 4 GB recommended
  • Ethernet (RJ45) network interface; students will not be able to complete lab exercises with systems that only have a wireless card, such as the MacBook Air
  • 1.5 GHz processor minimum
  • 30 GB free hard disk space
  • DVD drive (not a CD drive)
  • Minimum screen resolution 1024x768; a larger screen resolution will reduce scrolling in several applications and provide a more pleasant end-user experience

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Penetration testers
  • Ethical hackers
  • Auditors who need to build deeper technical skills
  • Security personnel whose job involves assessing, deploying or securing mobile phones and tablets
  • Network and system administrators supporting mobile phones and tablets

  • Develop effective policies to control employee-owned (Bring Your Own Device, BYOD) and enterprise-owned mobile devices, including the enforcement of effective passcode policies and permitted applications
  • Utilize jailbreak tools for Apple iOS and Android systems such as redsn0w, Absinthe
  • Conduct an analysis of iOS and Android filesystem data using SqliteSpy, Plist Editor, and AXMLPrinter to plunder compromised devices and extract sensitive mobile device use information such as the SMS history, browser history, GPS history, and user dictionary keywords
  • Analyze Apple iOS and Android applications with reverse engineering tools including class-dump, JD-GUI, dex-translator, and apktool to identify malware and information leakage threats in mobile applications
  • Conduct an automated security assessment of mobile applications using iAuditor, Cycript, MobileSubstrate, TaintDroid, and DroidBox to identify security flaws in mobile applications
  • Use wireless network analysis tools to identify and exploit wireless networks, crack WEP and WPA/WPA2 access points, bypass enterprise wireless network authentication requirements, and harvest user credentials
  • Intercept and manipulate mobile device network activity using Burp to manipulate the actions taken by a user in an application and to deliver mobile device exploits to vulnerable devices

Author Statement

I'm not sure exactly when it happened, but laptops and PCs have become legacy computing devices, replaced with mobile phones and tablets. Just when I thought we were getting a much better handle on the security of Windows, Mac and other Unix systems, there is an explosion of new devices wanting to join our networks that simply do not have the same security controls that we rely on in modern, secure networks.

Even with their weaknesses, mobile phones are here to stay and more and more we're being called on to support them. Some organizations try to drag their feet on allowing mobile phones, but that ultimately contributes to the problem: if we don't address security, the threats continue to grow uncontrolled and unmonitored.

Fortunately, we can securely deploy, manage and monitor mobile phones and tablets inside our organizations through policy and careful network deployment and monitoring. We need to build some essential skills in analyzing the risks of data leakage in mobile code and the applications our end-users want to run from the app store, and we need to ethically hack our networks to identify the real threat and exposure of mobile phone weaknesses.

I wrote this course to help people build their skills in all these areas, focusing on the topics and concepts that are most important and immediately useful. Every organization should have an analyst who has the skills for mobile phone security analysis and deployment. By taking this course, you'll become an even more valued part of your organization, and we'll have lots of geeky fun in the process.

-Josh Wright