OWASP 2023 Global AppSec Washington, DC

This 2-day hands-on training teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering by relying on the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive and open source guide about mobile security testing for both iOS and Android and offers a methodology and very detailed, technical test cases for penetration testers to ensure completeness and the latest attack techniques against mobile apps.


At the beginning of the first day we start by giving an overview of the Android Platform and it’s Security Architecture. It is no longer mandatory for students to bring their own Android device, instead a cloud-based virtualized Android device will be provided for each student, by using Corellium. Topics include:

- Frida crash course to kick-start with dynamic instrumentation on Android apps

- Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter

- Identifying and exploiting a real word Deep-link vulnerability

- Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida

- Analyze Local Storage of an Android App

- Usage of dynamic Instrumentation with Frida to:

  - bypass Frida detection mechanisms

  - bypass multiple root detection mechanisms




On day 2 we are focusing on iOS and will begin with an overview of the iOS Platform and Security Architecture. After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics, including:




- Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic

- Frida crash course to kick-start with dynamic instrumentation for iOS apps

- Bypassing SSL Pinning with SSL Kill Switch and Objection (Frida)

- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget

- Using Frida for Runtime Instrumentation of iOS Apps to bypass:

  - Anti-Jailbreaking mechanisms

  - Frida detection mechanism

  - and other client-side security controls




At the end of each day a CTF will be played to investigate two apps with the newly learned skills and you can win a prize!


Whether you are a beginner interested in learning mobile app testing from scratch or an experienced professional who would like to enhance their existing skills to perform more advanced attack techniques, or for fun, this training will help you accomplish your goals.

The course consists of many different labs developed by the trainer and the course is roughly 65% hands-on and 35% lecture.


After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to propose the right mitigation techniques to developers and how to execute tests consistently.