This mobile training covers common vulnerabilities that can be discovered in Android & iOS mobile applications. The participants will discover the methodology and the tools used to attack and exploit mobile applications. This workshop focuses on practical learning, demonstrating real-world attacks that participants apply in diverse lab scenarios. This includes reverse engineering vulnerable applications and crafting malicious applications that exploit security vulnerabilities. This training is designed specifically for mobile developers or security engineers seeking to initiate and improve their knowledge in the realm of attacking mobile applications.
Workshop
Attacking Mobile Applications
March 11th & 12th, 2025
2-day training, by Dylan Iffrig-Bourfa & Fabrice Caralinda
This training will be given in ENGLISH
Normal price: CHF 2000.-
Student price: CHF 1500.- (limited availability)
Description
About the trainers
Dylan Iffrig-Bourfa is an IT security engineer with 6 years of experience. He started his career at Airbus and Thales, working initially in the fields of avionics and aerospace security. Later on, he shifted domains and specialized in security assessments of mobile banking applications and, more broadly, in penetration testing. In 2019, he joined SCRT as a security engineer and continued his mobile audit activities within the company. Aside from these responsibilities, he is also involved with the Insomni’hack organization, contributing annually to the creation of Capture The Flag (CTF) challenges for both the Teaser and Finale editions.
Fabrice Caralinda is an IT security professional with 9 years of experience. He started his career in 2014 as a scientific collaborator at the School of Engineering and Management Vaud, where he was in charge of the students’ hacking laboratories. He joined the SCRT team in 2016 as a penetration tester and is also one of the team leaders of the ethical hacking team. Specialized in mobile pentesting, he has conducted more than a hundred projects with customers in various sectors during his career. Alongside his pentest activities, Fabrice is also a trainer for multiple courses given by SCRT and has been a lecturer at Swiss universities. In addition to these activities, he is also involved in the organisation of Insomni’hack, helping to create the Capture The Flag competition.
Course outline
Day 1 Focus on Android
Module 01 – Android testing methodology
- Part 1: Creating an Android application testing environment
- Part 2: Attack surface and testing methodology
Module 02 – Exploiting vulnerabilities in Mobile Applications
- Part 1: High-level IPC issues
- Part 2: Common permission issues
- Part 3: Accessing Content providers
- Part 4: Attacking Webviews
Bonus 1: Memory corruption bugs
Day 2 Focus on iOS
Module 03 – iOS testing methodology
- Part 1: Creating an iOS application testing environment
- Part 2: Attack surface and testing methodology
Module 04 – Exploiting vulnerabilities in Mobile Applications
- Part 1: Local Data Storage
- Part 2: Broken Cryptography
- Part 3: Local Authentication
- Part 4: iOS Platform
Bonus 2: Mobile resilience
Course requirements
Pre-Requisites
- Basic knowledge in *nix ecosystems
- Basic reverse engineering experience (Java, ASM)
Software requirements
- A working laptop with SSH and RDP