Offensive Mobile Reversing & Exploitation Training (On-site)
Expert-Led Mobile Security Training • December 17–20, 2024 • On-site in Tokyo
4 Days of In-depth Mobile Security
Key Learning Objectives:
- Get an understanding of the latest ARM64 instruction set
- Learn the internals of Mobile Kernels along with several Kernel security mitigations
- Learn Device Fingerprinting and Anti-Fraud techniques
- Advanced Dynamic Instrumentation using Frida
- Understand some of the latest bugs and mitigations (PAC, CoreTrust, PPL, etc.)
- Get an intro to common bug categories like UaF, heap overflow, etc.
- Understanding how Rooting and Jailbreaks work
- Reverse engineer iOS and Android binaries (Apps and system binaries)
- Learn how to audit iOS and Android apps for security vulnerabilities
- Understand and bypass anti-debugging and obfuscation techniques
- Get a quick walkthrough on using Ghidra, radare2, Hopper, Frida, etc
- Learn how accessibility malware works, and how to reverse engineer well-known crypto wallet stealers
- Learn how to symbolicate the iOS and Android kernel
- Learn how to extract and decrypt boot images for Android devices
- Become an Offensive Mobile Security Expert (OMSE)
Syllabus
- Key Concepts and Terminologies
- Introduction to Hopper/Ghidra
- Introduction to the ARM 64 instruction set
- ARM64 security mitigations
- ARM64 calling convention
- Introduction to Objective-C and Swift
- Reversing Objective-C and Swift Binaries
- Introduction to Java and Kotlin
- Disassembling methods
- Modifying assembly instructions
- Deciphering Mangled Swift Symbols
- Identifying Native Code
- Understanding the Program flow
- Identifying Cross-Platform mobile frameworks
- Reversing ARM binaries
- Exploiting a simple Heap Overflow
- Building a simple ROP chain
- Breaking ASLR with Info leaks/Brute force
- Exploit mitigations (ASLR, Heap Poisoning, PAN, etc)
- iOS security model
- App Signing, Sandboxing, and Provisioning
- iOS App Groups
- Primer to iOS 17-18 security
- Xcode Primer
- Address Sanitizer
- Exploring the iOS filesystem
- What’s in a Code Signature?
- Entitlements explained
- How Sandboxing works on iOS
- Setting up lldb for Debugging
- lldb basic and advanced usage
- Setting up the testing environment
- Jailbreaking your device
- What’s in a Rootless Jailbreak?
- Jailbreak Bootstraps
- Sideloading apps
- Binary protection measures
- Decrypting IPA files
- Self-signing iOS binaries
- Analyzing Proprietary security Mitigations
- Overview of Past Vulnerabilities
- Intro to dyld_shared_cache
- Intro to XNU kernel
- The Mach and BSD Layer
- Overview of IOKit
- Extracting the Kernelcache and Kexts
- Analyzing specific kexts: AMFI, CoreTrust, Sandbox
- Sandbox Profiles
- Symbolicating iOS Kernelcache
- Overview of mach_msg2, SAD_FENG_SHUI, PGX
- Entitlement validation in the Kernel
- Analyzing Kernel Panic files
- Walkthrough of PAC, SPTM, PAN, GXL, PPL etc
- Patch diffing the XNU kernel
- Overview of Frida and its capabilities
- Setting up the Frida environment
- Frida usage and commands
- Frida-trace and handlers
- Frida hooking techniques
- Frida on Swift applications
- Frida on native code
- Frida memory manipulation techniques
- Analyzing messaging apps using Frida
- Invoking custom functions with Frida
- Tracing Crypto operations
- Side channel data leakage
- Sensitive information disclosure
- Bypassing Jailbreak Detection
- Bypassing SSL Pinning
- Bypassing Certificate transparency checks
- Exploiting iOS WebViews
- Exploiting URL schemes and Universal Links
- Client-side injection
- Bypassing jailbreak, piracy checks
- Inspecting Network traffic
- Traffic interception over HTTP and HTTPS
- Manipulating network traffic
- Identifying iOS malware
- Case Study of Sandbox Escapes
- Incorrect validation of Entitlements
- XPC Related vulnerabilities
- Case Study of a Kernel Vulnerability
- Case Study of a PAC Bypass
- Understanding different stages of a Malware
- Device Acquisition techniques
- Using Custom IOCs
- Case Study of some Public Malware
- AppAttest and Device Check frameworks
- Device Fingerprinting
- Detecting GPS Spoofing
- Implementing Secure Webviews
- Code Obfuscation techniques
- Protecting the Transport Layer
- Detecting Malicious Libraries
- Implementing Anti-Debug Checks
- Detecting Suspicious Device Reset
- Detecting Patched Applications
- Detecting Proxied Applications
- Jailbreak Detection Techniques
- Pasteboard Security Measures
- Understanding the Lockdown Mode
- Understanding Code Signature Checks
- Android Security Architecture
- Extracting APK files from Google Play
- Understanding Android application structure
- Signing Android applications
- Understanding Android ADB
- Understanding the Android file system
- Permission Model Flaws
- Attack Surfaces for Android applications
- Understanding Android Components
- Introducing Android Emulator
- Introducing Android AVD
- Setting up Android Pentest Environment
- Process of Android App Engineering
- Reverse Engineering for Android Apps
- Smali Learning Labs
- Examining Smali files
- Dex Analysis and Obfuscation
- Reversing Obfuscated Android Applications
- Exploiting Android Accessibility Permissions
- Reverse Engineering known complex Malware in the Wild
- Patching Android Applications
- Android App Hooking
- Proxying Android Traffic
- Exploiting Local Storage
- Exploiting Weak Cryptography
- Exploiting Side Channel Data Leakage
- Exploiting Content Provider Path Traversal & Info Leakage
- Multiple Manual and Automated Root Detection and Bypass Techniques
- Exploiting Weak Authorization mechanisms
- Identifying and Exploiting Android Components
- Exploiting Android NDK
- Android Game Hacking
- Multiple Manual and Automated SSL Pinning Bypass techniques
- Firebase Exploitation
- Exploiting Biometric Authentication
- In-memory tampering
- Exploiting Flutter Applications
- Exploiting AWS Cognito Misconfiguration
- Exploiting Android Deep Links and WebViews
- Exploiting Crypto using Frida
- Basic App Exploitation techniques using Frida
- Dumping Class Information using Frida
- Dumping Method Information using Frida
- Viewing and Changing Information using Frida
- Calling Arbitrary functions using Frida
- Tracing using Frida
- Advanced App Exploitation techniques using Frida
- Frida on non-rooted Android
- Detecting Patched Android Applications
- App Integrity Protection
- Detecting Malicious Libraries
- Detecting Emulator/Rooted Devices
- Secure Implementation of WebViews
- Implementing Anti-Debug Checks
- Detecting Suspicious Device Reset
- Detecting Proxied Applications
- Android Boot process and Bootloader interaction
- Customizing and Building Android Kernel for Vulnerability Research
- Android Rooting Process
- Debugging Android Kernel and binaries
- Extracting the Android kernel from a Boot image
- Symbolicating the Android Kernel
- Privilege Escalation on Android
- SELinux explained
- Overview of Kernel protections and bypasses
Offensive Mobile Security Expert (OMSE)
This course prepares you for the Offensive Mobile Security Expert (OMSE) certification exam, a hands-on assessment specifically designed to test your grasp of advanced mobile security domains including userland and kernel components.
Exam Duration: 48 hours
Features & Bonuses
Hands-on and up-to-date
The course covers the latest in mobile security. Participants will engage in reverse engineering exercises, craft exploits, and explore real-world vulnerabilities and mitigations.
In-Person Training
The training is conducted in a live format, fostering an interactive learning environment. Engage with instructors in real time, ask questions, and receive immediate feedback.
No system specifications
You'll have access to Corellium throughout the training duration.
Resources for Future Reference
You'll receive access to presentations, custom scripts, videos, a VM, and detailed documentation on the labs for future reference.
Certification Included
You'll be granted the opportunity to attempt our OMSE certification exam, challenging and validating the knowledge you have acquired.
Post-Training Support
A Slack channel will be available after the training for ongoing support. Instructors will be accessible to answer questions and offer guidance as needed.
TRUSTED TRAINING PROVIDERS
Our trainers have more than ten years of experience delivering training sessions at conferences such as Black Hat, HITB, Power of Community, Zer0Con, OWASP AppSec, and more.
On-site Location in Tokyo, Japan
- Venue location: To be confirmed.
CONTACT US
Request more details or get a group discount.