Countermeasure|2012 General Info Registration Program Training Location Sponsors News

Hacking and Securing Android/iOS

Trainers: Subu Ramanthan and Yuk Fai Chan

Learning Objectives

  • Perform attacks against sample mobile apps to understand the weaknesses that exist in the current device security models
  • Implement secure coding techniques into your mobile development lifecycle to protect your mobile apps from high risk attacks
  • Communicate mobile device security threats and the risks associated with mobile devices from an enterprise perspective


  • Mobile Developers
  • QA/Analysts
  • Security Testers

Course Outline


  • The mobile landscap
  1. Device Security Model
    • Mobile OS security models
    • App distribution models
    • Sandboxing and permissions structure
    • Differences from iPhone/Android platforms
    • The risk of users who trust apps too much
    • Common attack vectors in mobile security
  2. A Hacker’s Toolset
    • Android Tools
    • LAB: Setting up the emulator
    • Understanding AVD
      • ARM vs x86 Emulation
      • AVD parameters
      • Understanding ADB
      • Connecting to the emulator
      • Accessing the file system
    • iOS
    • XCode basics
      • Using the iOS simulators
      • File access with simulator
    • Jailbreaking iOS
    • Working with iOS DRM
  3. Physical Access Security
    • Android
      • Normal vs Root access
      • Unlocked bootloaders
    • iOS
      • Normal vs Jailbreak
      • DataProtection API
      • What's safe when you lock iOS?
    • LAB: Physical Access with SU
  4. Protocol Analysis
    • Proxying Android / iPhone
      • Handling SSL certificate trust
    • Emulator & simulator proxying
    • Physical device proxying
    • Tools required for intercepting traffic
    • LAB: Proxying mobile app traffic
    • LAB: Mobile traffic manipulation
  5. Device File System Analysis
    • Android file system analysis
      • Using android debugging bridge
      • Retrieving files from the device
    • iPhone file system analysis
      • SSH access to iPhone
      • SCP to retrieve files from device
    • LAB: Insecure file storage
    • Common data storage types for mobile OS'
    • Logging for developers
    • Assessing logs on Android/iPhone
    • LAB: Insecure Logging
  6. Mobile App Decompilation
    • Android APK packaging
      • Application layout
      • Android manifest and permissions
      • Disassembly and decompilation
    • LAB: Basic encryption
    • iPhone IPA packaging
      • Handling plists
      • Assessing the binary
    • LAB: Advanced encryption
  7. Mobile Run-time Analysis
    • Why runtime analysis?
    • Debugging as an attack vector
    • Rooting and Jailbreak of devices
    • Accessing Android memory at runtime
      • DDMS and MAT
    • LAB: Dumping memory
    • iPhone debugging
  8. Multi-platform Development
    • Why multiplatform?
    • How wrapper APIs work
    • HTML5 codebase concerns
      • PhoneGap example
    • Implications to JavaScript bridging
    • Native features through JS
    • JS to Native API in iOS/Android
      Dynamic loading and minification
    • LAB: HTML at Rest
  9. Mobile HTML5 Web
    • HTML5 Mobile apps
    • Clickjacking
      • Framebusting
    • Tapjacking
      • Android defenses
    • SQL Injection (Local vs Mobile)
      • Parameterized SQL
    • XSS
      • Existing XSS mobile exploits
      • JS bridging concerns
      • Safe output encoding
      • Securing WebView
    • Localstorage
      • Use of local storage
      • Securing localstorage
  10. Device API Weaknesses
    • SSL
      • Android / iOS SSL best practice
      • Weak ciphers
    • XML Parsing
      • Prevalence in Andriod/iOS
      • External entity references
    • Virtual Keyboards
      • iOS Keyboard cache
      • Android 3rd party keyboards
      • Programmed PIN entry
    • Copy and Paste
      • iOS UIPasteboard
      • Android ClipboardManager
      • Trouble with WebView
    • iOS Snapshots
      • Preventing insecure snapshots
      • Good backgrounding
    • Geolocation
      • iOS / Android Geolocation management
    • Address Book API
      • Privacy
    • URL Handlers / IPC
      • iOS URL schemes
      • Skype vulnerability
      • Android Intent Filters / IPC
    • LAB: URLs Handlers to XSS
  11. Other Mobile Topics
    • Endpoint Security
      • Weak SSL
      • Securing Cookies
    • Mobile Cryptography
      • Password based key derivation
    • LAB: Password complexity
    • Jailbreak detection
    • State of Mobile malware
    • Mobile malware defense


Subu Ramanathan

Subu Ramanathan is a security consultant with Security Compass. With his wide array of experience in the application security space, Subu plays a valuable part in Security Compass's Software and Enterprise Assessment Service practice. He is a senior application security professional with extensive experience in secure SDLC, application security assessments, framework level threat models and security source code reviews. Subu is also a secure software application development SME with experience in developing content for multiple ASP.NET secure development courses including SANS DEV544. Subu also spearheads Security Compass's mobile application security service offering.

Subu brings to the table relevant experience in rendering exceptional quality application security services to the financial, energy, consumer business and telecommunication sectors. His experience in leading various teams, both onshore and offshore, combined with his core technical background are his most valuable assets. Subu is also an integral part of Security Compass's training services. In addition to developing and teaching Security Compass's Building Secure Web Applications in ASP.NET, Subu regularly teaches courses in Exploiting and Defending Web Applications, Advanced Application Attacks and Mobile Hacking to Security Compass's client across the globe.

Yuk Fai Chan

Yuk Fai Chan is a security consultant with Security Compass. He has led, managed and performed numerous mobile application, web application, and network security assessments for some of Security Compass' largest clients. In addition, Yuk Fai brings his expertise in application security to the development of Security Compass' leading application security training courses, including instructor-led and computer-based delivery methods. Yuk Fai is also actively involved in the management of the OWASP Toronto local chapter, where he is currently the co-leader.

Minimum Class Size:

  • A minimum class size of 5 students is required to run this class.