Offensive iOS Internals (Live Training)

Live On-Site / Live Virtual

BECOME A CERTIFIED iOS SECURITY RESEARCHER

Gain deep insights into iOS internals, including security features and kernel and userland components, as part of becoming a Certified iOS Security Researcher (CISR). Learn essential skills such as reverse engineering, interpreting kernel panic reports to identify root causes, and developing proof-of-concept (POC) exploits to demonstrate real-world impact. Build proficiency in programming to leverage technical expertise for analyzing vulnerabilities and reviewing patches in the XNU codebase.

What You Will Learn

This course is designed to provide a comprehensive understanding of the internals of the iOS operating system and its security features. The course will cover topics such as the iOS operating system architecture, memory management, application sandboxing, code signing and more.

Students will learn the fundamental concepts and tools used in reverse engineering, and get a thorough introduction to the ARM64 architecture, including static and dynamic analysis techniques, as well as various debugging and disassembly tools. Exploit mitigations such as SPTM, TXM, PAC, PAN, PPL will also be discussed. Additionally, the course covers iOS application security, including topics such as encryption, and secure communication.

Students will learn how to use Frida, a dynamic instrumentation framework, for reverse engineering and dynamic analysis of mobile applications. We will also discuss advanced topics such as hooking,memory manipulation, and instrumenting network communication.

This course will also discuss the tools and techniques used for analyzing iOS malware. The course will also cover the different stages of iOS malware analysis, including static, dynamic, and behavioral analysis. Additionally, the course will walk the attendees through different methods of mitigating and preventing iOS malware.

This course will be a mix of lectures, practical labs, and projects designed to give students hands-on experience with iOS internals and iOS application security. Students will gain the skills needed to reverse engineer, design, develop, and secure iOS applications.

On attending this course, you will get:

An attempt to CISR (Certified iOS Security Researcher) certification exam
Certificate of completion for the Training program
Source code for vulnerable applications
Source code for Exploit PoCs’ that can be used for Bug Bounties
All Frida Scripts used during the course
Students will be provided with access to Corellium for for the duration of the course (Live On-site & Virtual Training only)
Students will be provided access to cloud instances for the duration of the course (Live On-site & Virtual Training only)
Slack access for the class and after for regular mobile security discussions (Live On-site & Virtual Training only)

Key Objectives

Introduction to ARM64 architecture
Understand iOS app lifecycle
Overview of the iOS Kernel and its Security Mitigations
Reverse engineering iOS binaries (Apps and system binaries)
Get an intro to common bug categories on iOS
Learn to audit iOS apps for security vulnerabilities
Understand Memory allocation in Userland and Kernel
Understand and bypass anti-debugging and obfuscation techniques
Learn manual and automated ways of bypassing security mitigations
Learn Device Fingerprinting and Anti-Fraud techniques
Advanced Dynamic Instrumentation using Frida
Understanding how Rooting and Jailbreaks work
Case Study of some known vulnerabilities
Learn to identify vulnerabilities in native as well as Cross-platform apps
Learn to exploit different iPC mechanisms (mach_msg, XPC and more)
mach_msg2 , SAD_FENG_SHUI, PGZ
Get a detailed walkthrough on using IDA Pro, Hopper, Ghidra and other tools
Secure Mobile apps by implementing custom solutions
Become a Certified iOS Security Researcher (CISR)

Duration

2 Days

Ways to Learn

On Demand

Live Virtual

Live On-Site

Who Should Attend?

This course is specifically designed with the needs of modern iOS developers. This course will also be applicable for vulnerability researchers, penetration testers, mobile developers, or anyone keen to learn more about the iOS application security ecosystem.

laptop Requirements

Laptop with: 8+ GB RAM and 40 GB hard disk space
Students will be provided with access to Linux cloud instances (Live On-site & Virtual Training only)
Students will be provided with access to Corellium for iOS hands-on and as such do not need to carry iOS devices (Live On-site & Virtual Training only)
Administrative access on the system

Detailed Course Setup instructions and Slack access will be sent a few weeks prior to the class (Live On-site & Virtual Training only)

Need To Justify To Your Manager?

Need a Template to Justify the Training Request to your Manager? Download the Template below

Syllabus

Module 1: iOS Operating System Architecture

Overview of iOS architecture
iOS system libraries and frameworks
Setting up a testing environment for iOS research
Overview of the Mach-O Binary Format
iOS virtual memory management
Overview of application sandboxing and code signing in iOS

Module 2: Introduction to Reverse Engineering in iOS

Key Concepts and Terminologies
Introduction to Hopper/Ghidra
Introduction to the ARM 64 instruction set
ARM64 security mitigations
ARM64 calling convention
Introduction to Objective-C and Swift
Reversing Objective-C and Swift Binaries
Disassembling methods
Modifying assembly instructions
Deciphering Mangled Swift Symbols
Identifying Native Code
Understanding the Program flow
Identifying Cross-Platform mobile frameworks

Module 3: Getting Started with iOS Security

iOS security model
App Signing, Sandboxing, and Provisioning
iOS App Groups
Primer to iOS 17-18 security
Xcode Primer
Address Sanitizer
Exploring the iOS filesystem
What’s in a Code Signature ?
Entitlements explained
How Sandboxing works on iOS
Setting up lldb for Debugging
lldb basic and advanced usage
Setting up the testing environment
Jailbreaking your device
What’s in a Rootless Jailbreak ?
Jailbreak Bootstraps
Sideloading apps
Binary protection measures
Decrypting IPA files
Self-signing iOS binaries
Analyzing Proprietary security Mitigations
Overview of Past Vulnerabilities
Intro to dyld_shared_cache

Module 4: iOS Kernel internals

Intro to XNU kernel
The Mach and BSD Layer
Overview of IOKit
Extracting the Kernelcache and Kexts
Analyzing specific kexts AMFI, CoreTrust, Sandbox
Sandbox Profiles
Symbolicating a Kernelcache
Overview of mach_msg2, SAD_FENG_SHUI, PGX
Entitlement validation in the Kernel
Analyzing Kernel Panic files
Walkthrough of PAC, SPTM, PAN, GXL, PPL etc
Patching Diffing XNU kernel

Module 5: Frida in-depth

Overview of Frida and its capabilities
Setting up the Frida environment
Frida usage and commands
Frida-trace and handlers
Frida hooking techniques
Frida on Swift applications
Frida on native code
Frida memory manipulation techniques
Analyzing messaging apps using Frida
Invoking custom functions with Frida

Module 6: iOS application vulnerabilities

Tracing Crypto operations
Side channel data leakage
Sensitive information disclosure
Bypassing Jailbreak Detection
Bypassing SSL Pinning
Bypassing Certificate transparency checks
Exploiting iOS WebViews
Exploiting URL schemes and Universal LInks
Client-side injection
Bypassing jailbreak, piracy checks
Inspecting Network traffic
Traffic interception over HTTP, HTTPs
Manipulating network traffic
Identifying iOS malware

Module 7: iOS vulnerabilities

Case Study of Sandbox Escapes
Incorrect validation of Entitlements
XPC Related vulnerabilities
Case Study of a Kernel Vulnerability
Case Study of a PAC Bypass

Module 8: iOS Malware Reversing

Understanding different stages of a Malware
Device Acquisition techniques
Using Custom IOCs
Case Study of some Public Malware

Module 9: Securing iOS Ecosystem

AppAttest and Device Check frameworks
Device Fingerprinting
Detecting GPS Spoofing
Implementing Secure Webviews
Code Obfuscation techniques
Protecting the Transport Layer
Detecting Malicious Libraries
Implementing Anti-Debug Checks
Detecting Suspicious Device Reset
Detecting Patched Applications
Detecting Proxied Applications
Jailbreak Detection Techniques
Pasteboard Security Measures
Understanding the Lockdown Mode
Understanding Code Signature Checks

Prerequisites

To successfully participate in this course, attendees should possess the following:

Working knowledge of cybersecurity and pentesting fundamentals
Basic working knowledge of iOS platform
Basic Linux skills and command-line proficiency
Understanding of fundamental programming concepts and looping structures in at least one higher-level language (Objective-C, Swift, C, C++, or similar)
Basic ARM/AARCH64 binary assembly and exploitation knowledge is recommended, but not required

CERTIFIED iOS SECURITY RESEARCHER (CISR)

This course prepares you for the Certified iOS Security Researcher (CISR) certification exam, a hands-on assessment specifically designed to test your grasp of advanced iOS security domains including userland and kernel components.

Exam Duration : 24 hours

TRUSTED TRAINING PROVIDERS

Our trainers boast more than ten years of experience delivering diverse training sessions at conferences such as Blackhat, HITB, Power of Community, Zer0con, OWASP Appsec, and more.

Interactive discussion in a mobile security training session at BlackHat

Trainer engaging with attendees in a mobile security training.

Participants in a mobile security training session watching a presentation.

Classroom setup during a mobile security training session.

Participants taking notes during a mobile security training session.

Group interaction in a mobile security training session.

Trainer presenting on mobile security to a group using a projector.

Participants viewing a slide presentation on mobile security.

Training session with participants using laptops in a mobile security course.

Wide view of a mobile security training session with attendees.

Participants listening during a mobile security training session.

Close-up of participants at a mobile security training session.

Trainer presenting to participants in a mobile security training session.

Hear from our Students

Our Students are our greatest voice, just read what they have to say!

OUR MODES OF TRAINING

Ideal for Individuals

Immediate access to materials
Lecture recordings and self-assessments
365 days of access
Certification of course completion
Dedicated email support
Certification exam

Perfect for Teams in Multiple Location

Real-time interaction with our expert trainers over Zoom
Customizable content tailored to your team’s needs
Continued support after the training
Certification exam

Perfect for Teams in One Location

Real-time interaction with our expert trainers at an onsite location
Customizable content tailored to your team’s needs
Continued support after the training
Certification exam

FAQ

What are the different formats in which the courses are offered?

Our Live Virtual and On-Site sessions replicate the interactive classroom experience, fostering real-time collaboration and engagement among participants.

Is prior experience in mobile security necessary to enroll in the training program?

While prior experience is helpful, the course is designed to accommodate various skill levels. It provides a structured learning path, starting from foundational concepts and progressing to advanced techniques.

How long does it take to prepare for the Certification?

The preparation time for the Certification varies based on your individual learning pace and level of engagement post-training. On average, participants spend a few days to several weeks preparing, which includes both theoretical learning and hands-on lab practice. It is recommended to spend at least 2-3 weeks practicing before attempting the Certification Exam after the training.

Can i share the purchased course material with other people?

No, the training that you purchase from 8kSec, including the course materials is exclusively for your individual use. You may not reproduce, distribute or display (post/upload) lecture notes, or recordings, or course materials in any other way — whether or not a fee is charged – without the express written consent of 8kSec.

Where can i find the Certificate of Course Completion?

For On-Site/Virtual Courses during private trainings/conferences, we provide a customized certificate after the completion of the course. Please note that the Certificate of Course Completion is different from the one obtained after clearning the Certification exam.

Is it mandatory to purchase training to give the certification EXAM?

We provide Certification exams exclusively to registered training participants. The cost of the Certification exam is bundled into the pricing of every training package purchased.

Do i need to setup any Labs in order to perform the Labs in the training?

For Virtual/Live Trainings, we will provide you access to our Lab environment and an instruction guide during the training.

How long does it take to get the results after submitting the Report?

Once you submit your report, one of the members of our review board will review the report and provide with the results in 3 business days.

How Much Does it Cost to Retake the Certification Exam?

The fee to retake the certification exam is USD $119. To schedule your re-examination, simply email info@8ksec.io and our logistics team will be in touch.

Where can i find the schedule of your Virtual/Live Training classes?

You can find our Training Schedule at https://8ksec.io/public-training/. To schedule a Live Virtual or Live On-site private training for a group of 5+ attendees, email trainings@8ksec.io and our logistics team will get in touch with you to organize one.

The information on this page is subject to change without notice.

CONTACT US

Please share with us the project requirements and the goals you want to achieve, and one of our sales representatives will contact you within one business day.

Our Location

51 Pleasant St # 843, Malden, MA, Middlesex, US, 02148

General and Business inquiries

contact@8ksec.io

Trainings

trainings@8ksec.io

Press

press@8ksec.io

Phone

+1(347)-4772-006

SEND ENQUIRY

Get the latest news & updates