Mobile Application Testing

From March 11, 2013 to March 12, 2013

This workshop will introduce the security of mobile applications (apps), discuss the risks they pose to your devices, and provide you with effective methodologies to test those “beasts”. After discussing threats and typical vulnerabilities of mobile applications, we will audit some iOS and Android apps.

So this workshop is all about “learning by doing” ;-) After the workshop you will be able to test iOS and Android apps before approving them in your organization.

We will provide you with some devices. Your own devices are welcome, too.

Mobile Application Testing Agenda

Basics

Threats and Vulns

Determining Testing Points

iOS

Introduction

Set up Testing Lab

Local Storage

Network Transmission

Audit of Security Features

Reverse Engineering

Android

Introduction

Set up Testing Lab

Local Storage

Network Transmission

Audit of Security Features

Reverse Engineering

Sergej Schmidt

Sergej Schmidt works in the Mobile Security Team, where he spends most of his time testing mobile apps and their backends, trying to circumvent their security mechanisms. Besides pentesting, he also does research in the area of iOS and Android platforms.

Michael Thumann

Michael Thumann is Chief Security Officer and head of the ERNW application security team. He has published security advisories regarding topics like ‘Cracking IKE Preshared Keys’ and Buffer Overflows in Web Servers/VPN Software/VoIP Software. Michael enjoys sharing his self-written security tools (e.g. ‘tomas – a Cisco Password Cracker’, ‘ikeprobe – IKE PSK Vulnerability Scanner’ or ‘dnsdigger – a dns information gathering tool’) and his experience with the community. Besides numerous articles and papers, he wrote the first (and only) German Pen-Test Book, which has become recommended reading at German universities.

In addition to his daily pentesting tasks, he is a regular conference speaker (e.g. Blackhat, HITB and RSA Conference) and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security, Michael’s main interest is to uncover vulnerabilities and security design flaws from the network to the application level and to reverse almost everything to understand its inner workings.