SEC575: Mobile Device Security and Ethical Hacking
SEC575 provides a pretty comprehensive overview of different attack vectors and vulnerabilities in the mobile field. It covers many topics in enough depth to really get a foothold in the subject. I wish I had taken this course several years ago when first entering the mobile landscape. It would have saved me months of painful self-teaching, and is vastly more complete in many areas.
Cutting edge security material, well taught.
Imagine an attack surface spread throughout your organization, in the hands of every user, which moves from place to place regularly, stores highly sensitive and critical data, and sports numerous different wireless technologies all ripe for attack. You have it today: mobile devices. These devices are the biggest attack surface in most organizations today, yet these same organizations often don't have the skills needed to assess them.
NOW COVERING ANDROID MARSHMALLOW, iOS 10, APPLE WATCH AND ANDROID WEAR
Mobile devices are no longer a convenience technology: they are an essential tool carried or worn by users worldwide, often displacing conventional computers for everyday enterprise data needs. You can see this trend in corporations, hospitals, banks, schools, and retail stores throughout the world. Users rely on mobile devices more today than ever before - we know it, and the bad guys do too.
LEARN HOW TO PEN TEST THE BIGGEST ATTACK SURFACE IN YOUR ENTIRE ORGANIZATION
This course is designed to give you the skills you need to understand the security strengths and weaknesses in Apple iOS, Android, and wearable devices including Apple Watch and Android Wear. With these skills, you will evaluate the security weaknesses of built-in and third party applications. You'll learn how to bypass platform encryption, and how to manipulate Android apps to circumvent obfuscation techniques. You'll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels. You'll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS devices, and you'll exploit lost or stolen devices to harvest sensitive mobile application data.
TAKE A DEEP DIVE INTO EVALUATING MOBILE APPS, OPERATING SYSTEMS, AND THEIR ASSOCIATED INFRASTRUCTURES
Understanding and identifying vulnerabilities and threats to mobile devices is a valuable skill, but it must be paired with the ability to communicate the associated risks. Throughout the course, you'll review the ways in which we can effectively communicate threats to key stakeholders. You'll leverage tools including Mobile App Report Cards to characterize threats for management and decision makers, while identifying sample code and libraries that developers can use to address risks for in-house applications as well.
YOUR MOBILE DEVICES ARE GOING TO COME UNDER ATTACK - HELP YOUR ORGANIZATION PREPARE FOR THE ONSLAUGHT!
Through the use of your new skills, you'll apply a mobile device deployment penetration test in a step-by-step fashion. Starting with gaining access to wireless networks to implement man-in-the-middle attacks and finishing with mobile device exploits and data harvesting, you'll examine each step in conducting such a test with hands-on exercises, detailed instructions, and tips and tricks learned from hundreds of successful penetration tests. By building these skills, you'll return to work prepared to conduct your own test, or better informed on what to look for and how to review an outsourced penetration test.
Mobile device deployments introduce new threats to organizations including advanced malware, data leakage, and the disclosure of enterprise secrets, intellectual property, and personally identifiable information assets to attackers. Further complicating matters, there simply are not enough people with the security skills needed to identify and manage secure mobile phone and tablet deployments. By completing this course, you'll be able to differentiate yourself as having prepared to evaluate the security of mobile devices, to effectively assess and identify flaws in mobile applications, and to conduct a mobile device penetration test - all critical skills to protect and defend mobile device deployments.
SEC575.1: Device Architecture and Common Mobile Threats
Sun Apr 9th, 2017
9:00 AM - 5:00 PM
The first section of the course quickly looks at the significant threats affecting mobile device deployments, highlighted with a hands-on exercise evaluating network traffic from a vulnerable mobile banking application. As a critical component of a secure deployment, we will examine the architectural and implementation differences and similarities in Android (including Android Marshmallow), Apple iOS 10, and the Apple Watch and Google Wear platforms. We will also look at the specific implementation details of popular platform features such as iBeacon, AirDrop, App Verification, and more. Hands-on exercises will be used to interact with mobile devices running in a virtualized environment, including low-level access to installed application services and application data.
We'll look at the tools used to evaluate mobile devices as part of establishing a lab environment for mobile device assessments including the analysis of mobile malware affecting Android and non-jailbroken iOS devices. Finally, we will address the threats of lost and stolen devices (and opportunities for a pen tester) including techniques to bypass mobile device lock screens.
CPE/CMU Credits: 6
Mobile Problems and Opportunities
- Challenges and opportunities for secure mobile phone deployments
- Weaknesses in mobile devices
- Exploiting weaknesses in mobile apps: bank account hijacking exercise
Mobile Device Platform Analysis
- iOS and Android permission management models
- Code signing weaknesses on Android
- Inter-app communication channels on iOS
- Android app execution: Android Runtime vs. Android Dalvik virtual machine
- Android Marshmallow security benefits
- Application isolation and data sharing for Apple Watch
- Network connectivity and Android Wear apps
- Data exfiltration in WatchOS
- Weaknesses in wearable device authentication controls
- Deficiencies in Android Wear and storage encryption
- Evaluating other wearable platforms: Fitbit and Tizen
Mobile Device Lab Analysis Tools
- Using iOS and Android emulators
- Android mobile application analysis with Android Debug Bridge (ADB) tools
- Uploading, downloading and installing applications with ADB
- Application testing with the iOS Simulator
Mobile Device Malware Threats
- Trends and popularity of mobile device malware
- Mobile malware command and control architecture
- Efficiency of Android ransomware malware threats
- Analysis of iOS malware targeting non-jailbroken devices
- Hands-on analysis of Android malware
- Mobile malware defenses: what works, and what doesn't
SEC575.2: Mobile Platform Access and Application Analysis
Mon Apr 10th, 2017
9:00 AM - 5:00 PM
With an understanding of the threats, architectural components and desired security methods, we dig deeper into iOS and Android mobile platforms focusing on sandboxing and data isolation models, and the evaluation of mobile applications. This section is designed to help build skills in analyzing mobile device data and applications through rooting and jailbreaking Android and iOS devices and using that access to evaluate file system artifacts. We will also start to evaluate the security of mobile applications, using network capture analysis tools to identify weak network protocol use and sensitive data disclosure over the network. Finally, we'll wrap up the day with an introduction to reverse engineering of iOS and Android applications using decompilers, disassemblers, and manual analysis techniques.
CPE/CMU Credits: 6
Unlocking, Rooting and Jailbreaking Mobile Devices
- Legal issues with rooting and jailbreaking
- Jailbreaking iOS: Fuxi Qin
- Android root access through unlocked bootloaders
- Root exploits for Android
- Debugging and rooting Android Wear devices
- Using a rooted or jailbroken device effectively: tools you must have!
Mobile Phone Data Storage and File System Architecture
- Data stored on mobile devices
- Mobile device file system structure
- Decoding sensitive data from database files on iOS and Android
- Extracting data from Android backups
- Using file system artifacts for location disclosure attacks beyond GPS coordinates
- Hands-on attacks against password management apps
Network Activity Monitoring
- Mobile application network capture and data extraction
- Capturing iOS cellular/4G network traffic
- Transparent network proxying for data capture
- Encrypted data capture manipulation
- Extracting files and sensitive content from network captures
- Recovering sensitive data from popular cloud storage providers
Static Application Analysis
- Retrieving iOS and Android apps for reverse engineering analysis
- Decompiling Android applications including Android Wear
- Circumventing iOS app encryption with Dumpdecrypted and Rasticrac
- Header analysis and Objective-C disassembly
- Accelerating iOS disassembly: Hopper and IDA Pro
- Swift iOS apps and reverse engineering tools
SEC575.3: Mobile Application Reverse Engineering
Tue Apr 11th, 2017
9:00 AM - 5:00 PM
One of the critical decisions you will need to make in supporting a mobile device deployment is if a mobile app exposes the security of your organization. With some analysis skills, you will be able to evaluate critical mobile applications to determine the type of access threats and information disclosure threats they represent.
In this section we will use automated and manual application assessment tools to evaluate iOS and Android apps. We'll build upon the static application analysis skills covered in day 2 to manipulate application components including Android intents and iOS URL extensions. We'll also learn and practice techniques for manipulating iOS and Android applications: method swizzling on iOS, and disassembly, modification, and reassembly of iOS apps. The day ends with a look at a standard system for evaluating and grading the security of mobile applications in a consistent method through the application report card project.
CPE/CMU Credits: 6
Automated Application Analysis Systems
- iOS application vulnerability analysis with iDB
- Structured iOS application header analysis
- Tracing iOS application behavior and API use with Snoop-it
- Effective Android application analysis with Androwarn
- Android application interaction and Intent manipulation with Drozer
Manipulating Application Behavior
- Runtime iOS application manipulation with Cycript
- iOS method swizzling
- Android application manipulation with Apktool
- Reading and modifying Dalvik bytecode
- Adding Android application functionality, from Java to Dalvik bytecode
Application Report Cards
- Step-by-step recommendations for application analysis
- Tools and techniques for mobile platform vulnerability identification and evaluation
- Recommended libraries and code examples for developers
- Detailed recommendations for jailbreak detection, certificate pinning, and application integrity verification
- Android and iOS critical data storage: keychain and key store recommendations
SEC575.4: Penetration Testing Mobile Devices, Part 1
Wed Apr 12th, 2017
9:00 AM - 5:00 PM
An essential component of developing a secure mobile device deployment is to perform or outsource a penetration test. Through ethical hacking and penetration testing, we examine the mobile devices and infrastructure from the perspective of an attacker, identifying and exploiting flaws that deliver unauthorized access to data or supporting networks. By identifying these flaws we can evaluate the mobile phone deployment risk to the organization with practical and useful risk metrics. Whether your role is to implement the pen test, or to source and evaluate the pen tests of others, understanding these techniques will help your organization identify and resolve vulnerabilities before they become incidents.
CPE/CMU Credits: 6
Fingerprinting Mobile Devices
- Passive analysis
- Active scanning
- Application inspection
Wireless Network Probe Mapping
- Monitoring network probing activity
- Visualizing network discovery and search
- Wireless anonymity attacks
- Leveraging iOS and Android wireless network scanning characteristics
Weak Wireless Attacks
- Wireless network scanning and assessment
- Exploiting weak wireless infrastructure
- Monitoring mobile device network scanning
- Exploiting "Google WiFi" and iPad or iPhone captive portal detection
- Secure network impersonation
Enterprise Wireless Security Attacks
- Certificate impersonation and mobile devices
- Manipulating enterprise wireless authentication
- RADIUS server impersonation attacks
Network Manipulation Attacks
- Using man-in-the-middle tools against mobile devices
- Sniffing, modifying, and dropping packets as MitM
- Mobile application data injection attacks
- Identifying mobile applications vulnerable to sidejacking
- Using sidejacking effectively in a penetration test
- Hands-on exploitation of popular mobile applications
SEC575.5: Penetration Testing Mobile Devices, Part 2
Thu Apr 13th, 2017
9:00 AM - 5:00 PM
Continuing our look at ethical hacking and penetration testing, we turn our focus to exploiting weaknesses on iOS and Android devices. We will also examine platform-specific application weaknesses and look at the growing use of web framework attacks in mobile application exploitation. Hands-on exercises are used throughout the day to practice these attacks, exploiting both vulnerable mobile applications and the supporting back-end servers.
CPE/CMU Credits: 6
- Exploiting HTTPS transactions with MitM attacks
- Core pen test technique: TLS impersonation and iOS Mail.app for password harvesting
- Integrating MitM tools with Burp Suite for effective HTTP manipulation attacks
Client Side Injection (CSI) Attacks
- Harvesting session cookies through Android browser vulnerabilities with Metasploit
- Using the Spec.js library for mobile browser vulnerability detection and exploit delivery
Web Framework Attacks
- Site impersonation attacks
- Application cross-site scripting exploits
- Remote browser manipulation and control
- Data leakage detection and analysis
- Hands-on attacks: mobile banking app transaction manipulation
Back-end Application Support Attacks
- Exploiting SQL injection in mobile application frameworks
- Leveraging client-side injection attacks
- Getting end-to-end control of mobile application server resources
SEC575.6: Capture the Flag
Fri Apr 14th, 2017
9:00 AM - 5:00 PM
On the last day of class we will pull together all the concepts and technology we have covered during the week in a comprehensive Capture the Flag event. In this hands-on exercise, you will have the option to participate in multiple roles: designing a secure infrastructure for the deployment of mobile phones, monitoring network activity to identify attacks against mobile devices, extracting sensitive data from a compromised iPad, and attacking a variety of mobile phones and related network infrastructure components.
During this mobile security event you will put into practice the skills you have learned in order to evaluate systems and defend against attackers, simulating the realistic environment you will be prepared to protect when you get back to the office.
CPE/CMU Credits: 6
Throughout the course, students will participate in hands-on lab exercises. Students must bring their own laptops to class that meet the requirements described below.
Students must bring a Windows 10, Windows 8.1 or Windows 7 laptop to class. Virtualization of Windows is OK for Mac OS X and Linux users.
For several tools utilized in the course, students will be required to perform actions with administrative privileges. Students must have administrative access on their Windows host, including the ability to unload or disable security software such as anti-virus or firewall agents as necessary for the completion of lab exercises. Further, students should have knowledge of the local passwords required to manage their system, including local Administrator account passwords, and passwords necessary to make system BIOS configuration changes.
Students will use a virtualized Linux VMware guest for several lab exercises. VMware Workstation or VMware Player is recommended. Note that there is no cost associated with the use of VMware Player, which can be downloaded from the VMware website.
VirtualBox and other virtualization tools are not supported.
Several of the software components used in the course are hardware intensive, requiring more system resources than what might be required otherwise for day-to-day use of a system. Please ensure your laptop meets the following minimum hardware requirements:
- Minimum 2 GB RAM, 4 GB recommended
- Ethernet (RJ45) network interface; students will not be able to complete lab exercises without an Ethernet interface, either built-in or through a USB adapter.
- 30 GB free hard disk space
- Minimum screen resolution 1366x768, larger screen resolution will reduce scrolling in for several applications and a more pleasant end-user experience
During the course, you will install numerous tools, and make several system changes. Some students may wish to bring a clean system that is not their everyday production system, or a dedicated Windows virtual machine that meets the minimum requirements for a system, to avoid any changes that may interfere with other system software.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
Who Should Attend
- Penetration testers
- Ethical hackers
- Auditors who need to build deeper technical skills
- Security personnel whose job involves assessing, deploying or securing mobile phones and tablets
- Network and system administrators supporting mobile phones and tablets
Other Courses People Have Taken
What You Will Receive
- Course books with table of contents and a comprehensive index
- Step-by-step instructions for all lab exercises
- Handouts and cheat-sheets used for quick reference to detailed information sources
- Access to associated software, files and analysis resources
- MP3 audio files of the complete course lecture
You Will Be Able To
- Use jailbreak tools for Apple iOS and Android systems
- Conduct an analysis of iOS and Android file system data to plunder compromised devices and extract sensitive mobile device use information
- Analyze Apple iOS and Android applications with reverse-engineering tools
- Change the functionality of Android and iOS apps to defeat anti-jailbreaking or circumvent in-app purchase requirements
- Conduct an automated security assessment of mobile applications
- Use wireless network analysis tools to identify and exploit wireless networks used by mobile devices
- Intercept and manipulate mobile device network activity
- Leverage mobile-device-specific exploit frameworks to gain unauthorized access to target devices
- Manipulate the behavior of mobile applications to bypass security restrictions
- Hijacking Mobile Banking: Evil Bank
- Virtualizing Android with VMware
- Accessing Android with the Android Debug Bridge (ADB) Tool
- Recovering Android Swipe Lock Patterns
- iPhone File System Data Analysis
- Evaluating Mobile Device Network Packet Captures
- Mobile App Analysis with NetworkMiner
- Android App Reverse Engineering with JD-GUI, Jadx
- Automated Android App Analysis with Androwarn
- Manipulating Android Intents with the Drozer Framework
- Modifying Android Applications with Apktool
- WiFi Monitor Mode Packet Capture Analysis
- Probed Network Mapping and Vulnerability Discovery
- Recovering WPA2-PSK Passphrases
- Mobile Device Fingerprinting with Satori
- Sidejacking WordPress
- Manipulating Web Browser Activity
- Bypassing Android Same Origin Policy with Metasploit for Session Hijacking
- Mobile App Banking Transaction Manipulation
- Crazy Cars SQL Injection Attack
Press & Reviews
"Cutting edge security material, well taught." - Donald Farrell, Kingsisle Entertainment Inc.
"In the fast paced world of Bring Your Own Device (BYOD) and mobile device management, SEC575 is a must course for infosec managers." - Jude Meche, DSCC
"SEC575 provides a pretty comprehensive overview of different attack vectors and vulnerabilities in the mobile field. It covers many topics in enough depth to really get a foothold in the subject. I wish I had taken this course several years ago when first entering the mobile landscape. It would have saved me months of painful self-teaching, and is vastly more complete in many areas." - Jeremy Erickson, Sandia National Labs
SEC575 Mobile Device Security and Ethical Hacking Review by Matt Edmonson http://digitalforensicstips.com/2014/11/sans-sec575-mobile-device-security-and-ethical-hacking-review/
I'm not sure exactly when it happened, but laptops and PCs have become legacy computing devices, replaced by mobile phones and tablets. Just when I thought we were getting a much better handle on the security of Windows, Mac, and other Unix systems, there has been an explosion of new devices wanting to join our networks that simply do not have the same security controls that we rely on in modern, secure networks.
Even with their weaknesses, mobile phones are here to stay, and we are being called on to support them more and more. Some organizations try to drag their feet on allowing mobile phones, but that ultimately contributes to the problem: if we do not address security, the threats continue to grow, uncontrolled and unmonitored.
Fortunately, we can securely deploy, manage and monitor mobile phones and tablets inside our organizations through policy and careful network deployment and monitoring. We need to build some essential skills in analyzing the risks of data leakage in mobile code and in the applications our end-users want to run from the app store. And we need to ethically hack our networks to identify the real threat and exposure of mobile phone weaknesses.
I wrote this course to help people build their skills in all these areas, focusing on the topics and concepts that are most important and immediately useful. Every organization should have an analyst who has the skills for mobile phone security analysis and deployment. By taking this course, you will become an even more valued part of your organization. And we'll have lots of geeky fun in getting you there!
- Josh Wright