
Hacking iOS - MSTG Hands-on Course

Hosted by Imran

Details

We are pleased to announce a Hacking iOS hands-on workshop by Sven and Ryan, based on the Mobile Security Testing Guide (MSTG).

Please note that this is an invite-only but FREE hands-on workshop; we can accommodate only a few selected participants. If you are selected, you will receive an email from the humla champion a week before the workshop.

Selection Criteria:
Selection (25-30 persons only) will be based on the following two criteria:

  1. Contribution to the community. Speakers, humla and bachav champions, core team members, volunteers and venue hosts will be given priority for the workshop.
  2. Passion for information security and attendance at previous meetups.

If you are new to the community, selection will be based on the answers to the survey questions asked during the registration process. Please answer these questions carefully.

Agenda:

Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS), and provides a baseline for complete and consistent security tests.

The proposed training is based on the Mobile Security Testing Guide (MSTG) and will offer hands-on exercises in the form of different iOS and Android Apps.

The goal of this course is to learn the technical skills to execute a penetration test against iOS mobile applications and to utilise the Mobile Security Testing Guide (MSTG) as a baseline and comprehensive methodology during mobile security assessments.

Training Syllabus:

  • iOS security fundamentals
  • Mobile Security Testing Environment Setup
  • Overview of Mobile security vulnerabilities
  • Hands-on testing on iOS Apps
  • Security best practices to mitigate Mobile security vulnerabilities
  • Alternative iOS App testing without a jailbroken device
  • Reverse Engineering of iOS Apps

Key areas of training:

  • Static and Dynamic Analysis of iOS Apps
  • Local Data Storage
  • Communication with Trusted Endpoints
  • Authentication and Authorization
  • Client-side Security control bypass
  • Advanced dynamic instrumentation use cases

Hardware and Software Requirements:

  • Laptop (> 8 GB RAM, 20 GB of free disk space, working Wi-Fi) with administrative access
  • Burp Suite Community Edition (Professional not needed)
  • Ideally a MacBook, otherwise a Windows laptop with VirtualBox
  • An iOS device with at least iOS 9.0 (without jailbreak)

Speaker Bio:

Sven:
Sven is an experienced web and mobile penetration tester who has assessed everything from historic Flash applications to progressive mobile apps. He is also a security engineer who has supported many projects end-to-end during the SDLC to "build security in". He has spoken at local and international meetups and conferences and conducts hands-on workshops on web application and mobile app security.

Ryan:
Ryan Teoh (OSCE, OSCP, CRT) is a Security Engineer at Grab with a strong focus on mobile security. Whilst his main job involves mobile/web/infrastructure security assessment, he spends a considerable amount of time on iOS kernel exploitation and contributes to the iOS security testing chapter and the iOS Crackmes that are part of the OWASP Mobile Security Testing Guide. Aside from that, he is active on both private and public bug bounty programs and has found several critical mobile security bugs. Ryan is a strong believer in knowledge sharing: he started a security blog in addition to facilitating workshops for security engineers, developers and students on mobile security, dynamic instrumentation and reverse engineering of mobile applications.

BitBreach-SG - The Open Security Community