Offensive Mobile Reversing and Exploitation

Live On-Site / Live Virtual / On-Demand

Become an Offensive Mobile Security Expert

Get a solid grasp of advanced mobile security domains including userland and kernel components for both iOS & Android and learn the essential skills and techniques necessary to conduct comprehensive security audits of both iOS and Android applications.

Buy On-Demand Send Enquiry Download Syllabus

What You Will Learn

This comprehensive course offers an in-depth exploration of both iOS and Android operating systems, focusing on their internals and security features. The iOS segment dives into the architecture of iOS, memory management, application sandboxing, code signing, and advanced mitigations like SPTM, TXM, PAC, PAN, and PPL. Students will also receive a thorough introduction to the ARM64 architecture, including static and dynamic analysis techniques, debugging tools, and disassembly tools.

Moving into iOS application security, students will explore topics such as code signing, encryption, secure communication, and the use of Frida for dynamic instrumentation. Advanced topics like hooking, memory manipulation, and instrumenting network communication will also be covered. The course also covers iOS malware analysis, including static, dynamic, and behavioral analysis, along with mitigation and prevention strategies.

On the Android side, participants will gain a broad understanding of Android system architecture, including drivers, modules, the Linux kernel, and the Android Binder. Hands-on experience in reverse engineering, exploit development for ARM platforms, memory management, and vulnerabilities will be provided. The course also covers Android's boot, recovery, rooting processes, and permissions, along with security features like DAC, CAP, SECCOMP, and SELinux.

For a practical learning experience, the course covers how to extract and decrypt boot images for Android devices, symbolicating the Android kernel, and porting exploits to other Android devices. Advanced Frida techniques such as custom tracing, profiling, and memory inspection are explored with real-world applications. Case studies on prominent malware and custom malware samples shed light on reverse engineering and advanced forensics techniques.

Key Objectives

✓Get an understanding of the latest ARM64 instruction set
✓Learn the internals of Mobile Kernels along with several Kernel security mitigations
✓Learn Device Fingerprinting and Anti-Fraud techniques
✓Advanced Dynamic Instrumentation using Frida
✓Understand some of the latest bugs and mitigations (PAC, CoreTrust, PPL, and others)
✓Get an intro to common bug categories like UaF, Heap overflow and more
✓Understanding how Rooting and Jailbreaks work
✓Reverse engineer iOS and Android binaries (Apps and system binaries)
✓Learn how to audit iOS and Android apps for security vulnerabilities
✓Understand and bypass anti-debugging and obfuscation techniques
✓Get a quick walkthrough on using Ghidra, radare2, Hopper, Frida and other tools
✓Learn how accessibility malwares work, and how to reverse engineer well-known crypto wallet stealers
✓Learn how to symbolicate the iOS and Android kernel
✓Learn how to extract and decrypt boot images for Android devices
✓Perform patch diffing on iOS updates to spot security-relevant code changes
✓Reverse engineer and trace Android JNI bindings, including RegisterNatives
✓Use tools like JNINinja, Frida, and Medusa to hook and monitor JNI methods at runtime
✓Build a functional JVM environment and AFL++ Frida-mode to fuzz JNI bindings and validate crashes
✓Become an Offensive Mobile Security Expert (OMSE)

All our live trainings are highly customizable. We can tailor the content to cover topics specific to your team's needs. Contact us for more details.

Syllabus

Module 1: Introduction to Reverse Engineering in iOS and Android +

•Key Concepts and Terminologies
•Introduction to Hopper/Ghidra
•Introduction to the ARM 64 instruction set
•ARM64 security mitigations
•ARM64 calling convention
•Introduction to Objective-C and Swift
•Reversing Objective-C and Swift Binaries
•Introduction to Java and Kotlin
•Disassembling methods
•Modifying assembly instructions
•Deciphering Mangled Swift Symbols
•Identifying Native Code
•Understanding the Program flow
•Identifying Cross-Platform mobile frameworks
•Reversing ARM binaries
•Exploiting a simple Heap Overflow
•Building a simple ROP chain
•Breaking ASLR with Info leaks/Brute force
•Exploit mitigations (ASLR, Heap Poisoning, PAN, etc)

Module 2: Getting Started with iOS Security +

•iOS security model
•App Signing, Sandboxing, and Provisioning
•iOS App Groups
•Primer to iOS 17-18 security
•Xcode Primer
•Address Sanitizer
•Exploring the iOS filesystem
•What's in a Code Signature?
•Entitlements explained
•How Sandboxing works on iOS
•Setting up lldb for Debugging
•lldb basic and advanced usage
•Setting up the testing environment
•Jailbreaking your device
•What's in a Rootless Jailbreak?
•Jailbreak Bootstraps
•Sideloading apps
•Binary protection measures
•Decrypting IPA files
•Self-signing iOS binaries
•Analyzing Proprietary security Mitigations
•Overview of Past Vulnerabilities
•Intro to dyld_shared_cache

Module 3: iOS Kernel Internals +

•Intro to XNU kernel
•The Mach and BSD Layer
•Overview of IOKit
•Extracting the Kernelcache and Kexts
•Analyzing specific kexts AMFI, CoreTrust, Sandbox
•Sandbox Profiles
•Symbolicating iOS Kernelcache
•Overview of mach_msg2, SAD_FENG_SHUI, PGX
•Entitlement validation in the Kernel
•Analyzing Kernel Panic files
•Walkthrough of PAC, SPTM, PAN, GXL, PPL etc
•Patching Diffing XNU kernel

Module 4: Frida In-Depth +

•Overview of Frida and its capabilities
•Setting up the Frida environment
•Frida usage and commands
•Frida-trace and handlers
•Frida hooking techniques
•Frida on Swift applications
•Frida on native code
•Frida memory manipulation techniques
•Analyzing messaging apps using Frida
•Invoking custom functions with Frida

Module 5: iOS Application Vulnerabilities +

•Tracing Crypto operations
•Side channel data leakage
•Sensitive information disclosure
•Bypassing Jailbreak Detection
•Bypassing SSL Pinning
•Bypassing Certificate transparency checks
•Exploiting iOS WebViews
•Exploiting URL schemes and Universal Links
•Client-side injection
•Bypassing jailbreak, piracy checks
•Inspecting Network traffic
•Traffic interception over HTTP, HTTPS
•Manipulating network traffic
•Identifying iOS malware

Module 6: iOS Vulnerabilities +

•Case Study of Sandbox Escapes
•Incorrect validation of Entitlements
•XPC Related vulnerabilities
•Case Study of a Kernel Vulnerability
•Case Study of a PAC Bypass

Module 7: iOS Malware Reversing +

•Understanding different stages of a Malware
•Device Acquisition techniques
•Using Custom IOCs
•Case Study of some Public Malware

Module 8: Securing iOS Ecosystem +

•AppAttest and Device Check frameworks
•Device Fingerprinting
•Detecting GPS Spoofing
•Implementing Secure Webviews
•Code Obfuscation techniques
•Protecting the Transport Layer
•Detecting Malicious Libraries
•Implementing Anti-Debug Checks
•Detecting Suspicious Device Reset
•Detecting Patched Applications
•Detecting Proxied Applications
•Jailbreak Detection Techniques
•Pasteboard Security Measures
•Understanding the Lockdown Mode
•Understanding Code Signature Checks

Module 9: Intro to Android Security +

•Android Security Architecture
•Extracting APK files from Google Play
•Understanding Android application structure
•Signing Android applications
•Understanding Android ADB
•Understanding the Android file system
•Permission Model Flaws
•Attack Surfaces for Android applications

Module 10: Android Components +

•Understanding Android Components
•Introducing Android Emulator
•Introducing Android AVD
•Setting up Android Pentest Environment

Module 11: Reversing Android Apps +

•Process of Android Apps Engineering
•Reverse Engineering for Android Apps
•Smali Learning Labs
•Examining Smali files
•Dex Analysis and Obfuscation
•Reversing Obfuscated Android Applications
•Exploiting Android Accessibility Permissions
•Reverse Engineering known complex Malwares in the Wild
•Patching Android Applications
•Android App Hooking

Module 12: Static and Dynamic Analysis +

•Proxying Android Traffic
•Exploiting Local Storage
•Exploiting Weak Cryptography
•Exploiting Side Channel Data Leakage
•Exploiting Content Provider Path Traversal & Info Leakage
•Multiple Manual and Automated Root Detection and Bypass Techniques
•Exploiting Weak Authorization mechanism
•Identifying and Exploiting Android Components
•Exploiting Android NDK
•Android Game Hacking
•Multiple Manual and Automated SSL Pinning Bypass techniques
•Firebase Exploitation
•Exploiting Biometric Authentication
•In-memory tampering
•Exploiting Flutter Applications
•Exploiting AWS Cognito Misconfiguration
•Exploiting Android Deep Links and WebViews

Module 13: Frida and Automated Exploitation +

•Exploiting Crypto using Frida
•Basic App Exploitation techniques using Frida
•Dumping Class Information using Frida
•Dumping Method Information using Frida
•Viewing and Changing Information using Frida
•Calling Arbitrary functions using Frida
•Tracing using Frida
•Advance App Exploitation techniques using Frida
•Frida on non-rooted Android

Module 14: Securing Android Apps +

•Detecting Patched Android Applications
•App Integrity Protection
•Detecting Malicious Libraries
•Detecting Emulator/Rooted Devices
•Secure Implementation of WebViews
•Implementing Anti-Debug Checks
•Detecting Suspicious Device Reset
•Detecting Proxied Applications

Module 15: Android Kernel +

•Android Boot process and Bootloader interaction
•Customizing and Building Android Kernel for Vulnerability Research
•Android Rooting Process
•Debugging Android Kernel and binaries
•Extract Android kernel from Boot image
•Symbolicating the Android Kernel
•Privilege Escalation on Android
•SELinux explained
•Overview of Kernel protections and bypasses

Prerequisites

To successfully participate in this course, attendees should possess the following:

• Working knowledge of cybersecurity and pentesting fundamentals
• Basic working knowledge of iOS and Android platforms
• Basic Linux skills and command-line proficiency
• Understanding of fundamental programming concepts and looping structures in at least one higher-level language (Java, Kotlin, Objective-C, Swift, C, C++, or similar)
• Basic ARM/AARCH64 binary assembly and exploitation knowledge is recommended, but not required

Offensive Mobile Security Expert (OMSE)

This course prepares you for the OMSE certification exam, a hands-on assessment specifically designed to test your grasp of advanced mobile security domains including userland and kernel components.

EXAM DURATION: 48 Hours

Learn More

Duration

4 Days

Ways To Learn

On Demand
Live Virtual
Live On-Site

Who Should Attend?

This course is for penetration testers, mobile developers or anyone keen to learn mobile application security and wants to get started in OS exploitation.

Laptop Requirements

• Laptop with: 8+ GB RAM and 40 GB hard disk space
• Students will be provided with access to Linux cloud instances (Live On-site & Virtual Training only)
• Students will be provided with access to Corellium for iOS and Android hands-on and as such do not need to carry physical devices (Live On-site & Virtual Training only)
• Administrative access on the system

Send Enquiry

Trusted Training Providers

Our trainers boast more than ten years of experience delivering diverse training sessions at conferences such as Blackhat, HITB, Power of Community, Zer0con, OWASP Appsec, and more.