
Organizational Systems Mobile Application Pentester™

Mobile Application Security Auditing Training Course

Course Overview:

The Organizational Systems Mobile Application Pentester™ is a highly-intensive mobile application security auditing
training course designed to teach state-of-the-art practical technical methods and techniques for professionally
executing a mobile application security audit or penetration test. With the proliferation of mobile devices in today's
modern environment, organizations are using more and more mobile apps & technologies to enable and facilitate user
access to their data, systems and networks. Attending the Organizational Systems Mobile Application Pentester™ will
give attendees the opportunity to develop the skills necessary to perform in-depth technical security-testing of mobile
applications.

Penetration testers and IT-security professionals who are already well-versed in network-layer and web-application
penetration testing will find that mobile application pentesting comes with a completely different set of challenges
which requires different approaches and skills. In line with our tradition of developing and providing cutting-edge
real-world technical IT-security-centric courses such as the Organizational Systems Security Analyst™,
Organizational Systems Wireless Auditor® and Organizational Systems Web Application Pentester®, the
Organizational Systems Mobile Application Pentester™ takes a ground-up approach to educating attendees about
all aspects of practical mobile application security-testing, beginning at understanding the code-level fundamentals
of the two most popular mobile application platforms (Android and iOS) and expounding on mobile-application-
specific protocols, mobile application dynamic analysis and mobile application exploitation techniques. Guiding the
technical teachings throughout the course are applied principles from Sun Tzu's "Art of War" which add an
additional dimension and timeless perspective to the art of mobile application pentesting.

This instructor-led, intensely practical, hands-on programme teaches a vendor-neutral and specialized approach to
practical security testing of mobile applications. By equipping attendees with the proper knowledge and technical
skillsets, the Organizational Systems Mobile Application Pentester™ is intended to arm professional penetration
testers and application developers with the proper skills, techniques and tools to conduct consistent and
comprehensive mobile application security tests.

While the programme syllabus should be used to determine if this programme is appropriate for the attendee based
on their current skills and requirements, the course aims to provide all attendees with the following:

• A solid understanding about the security postures of mobile applications deployed over the two most
commonly-used mobile operating systems used by both organizations and individuals.
• How to prepare for and conduct mobile application security testing.
• The ability to profile and analyze mobile application defenses.
• Comprehensive technical understanding of how to exploit mobile applications using a wide variety of
techniques.
• Proper selection and usage of the appropriate tool for the relevant mobile application vulnerability.
• How to recommend countermeasures based on mobile security audit results.

With a wide variety of practical classroom labwork, the Organizational Systems Mobile Application Pentester™ is
ideal for professional security testers, application security developers, internal audit teams and those who want to
know how to conduct comprehensive technical penetration testing against Android- and iOS-based mobile
applications.

Technical Pre-Requisites:

• Required to have good understanding of how generic networking and application protocols/standards such as
TCP/IP, 802.3, HTTP, etc., work.
• Required to have existing understanding of standard IT-security principles and concepts such as CIA,
defence-in-depth, etc.
• Required to have strong interest in mobile application security and also to be in technical and/or practitioner
roles, positions or jobs.
• Familiarity with Objective C or object-based coding strongly recommended.
• Preferably have already attended Organizational Systems Security Analyst™ course or obtained Organizational
Systems Security Analyst™ certification.

Who Will Benefit From This Course:

• IT-Security Penetration-Testers and/or Technical Auditors
• IT-Security Practitioners and/or Technical Professionals
• IT-Security Consultants
• Mobile Application Developers and Programmers
• and anyone who is looking to learn about how to conduct a technical vendor-neutral practical security-test
against mobile applications.

Page 1 of 2
The Organizational Systems Mobile Application Pentester and its logo are trademarks of THINKSECURE PTE LTD in Singapore and trademarks of THINKSECURE PTE LTD in certain other countries. All other trademarks property of their respective owners.
Course Outline:
Practical coursework is interspersed throughout the course and the
following is a brief course module outline:

Part 1: Mobile Application Auditing
Proliferation of BYOD policy
Apps As Data Custodian
Examples Of Vulnerable Apps
OWASP Top 10 Mobile Risks

Part 2: iOS Device Fundamentals
Sun Tzu's Guiding Principle
iOS Device Fundamentals
iOS Device Boot Process
iOS Device Upgrade / Downgrade
About Plist
About Sqlite

Part 3: iOS Device Jailbreaking
Sun Tzu's Guiding Principle
Jailbreaking Introduction
Types Of Jailbreaks
Jailbreaking Tools
Customized Payload Bundles

Part 4: iOS App File & Network Monitoring
Sun Tzu's Guiding Principle
iOS File Monitoring
iOS Network Monitoring
iOS Keychain Dumping

Part 5: Objective C Introduction
Sun Tzu's Guiding Principle
Language Introduction
Objective C Terminology
Objective C Inheritance
Method Invocation
Instance Variables
Model View Controller

Part 6: iOS Binary Runtime Analysis & Manipulation
Sun Tzu's Guiding Principle
Runtime Analysis & Manipulation
Objc_msgSend
Class-dump-z
Decrypting Apps
Clutch
Cycript
NSLog

Part 7: Session Management Stuff
Sun Tzu's Guiding Principle
iNalyzer
iAuditor
Snoop It
Introspy-iOS

Part 8: Android Device Architecture
Sun Tzu's Guiding Principle
Android Architecture
Booting Process
SDK & Tools

Part 9: Rooting Android Device
Sun Tzu's Guiding Principle
Introduction To Rooting Android
Benefits To Rooting Android
Methods of Obtaining Root

Part 10: File & Networking Monitoring
Sun Tzu's Guiding Principle
App File Monitoring
Dmesg / logcat
Network Monitoring
Web / Non Web Interception
Handling SSL Certificate Pinning

Part 11: Android Security Architecture
Sun Tzu's Guiding Principle
Application Fundamentals
Security Controls
Application Components
Application Internals

Part 12: Android App Runtime Analysis & Manipulation
Sun Tzu's Guiding Principle
Analyzing Inter Process Communications
Intent Sniffing & Manipulation
Attacking Services
Broadcast Receivers Attack
Content Providers Attack
Attacking Debuggable Applications

Part 13: Android Auditing Tools
Sun Tzu's Guiding Principle
Santoku-Linux CD
Introspy-Android

Part 14: Concluding The Pentest
Dealing With Unexpected Results
Reporting

Methodologies & Tools:
The following are just some of the methodologies & tools covered in the
Organizational Systems Mobile Application Pentester™ training course:

• Plist editor for Windows
• adb
• Sqlite DB Browser
• rooting tools
• TinyUmbrella
• Dalvik Debug Monitor Server (DDMS)
• Redsn0w
• iFunBox
• Cydia Substrate for Android
• iPhone Data Protection
• APKTool
• Jailbreak tools & Cydia
• d2j-dex2jar
• Cydia Substrate for iOS
• keytool
• Cycript
• jarsigner
• Clutch
• am / pm tool
• Introspy-iOS / Introspy-Analyzer
• Drozer framework
• iOS SSL Kill Switch
• jdb
• Snoop It
• Introspy-Android
• filemon.iOS
• Santoku-Linux CD
• Burp suite
• Xposed Framework
• keychain_dump
• AndroGuard
• keychainviewer
• otool
• class-dump
• Appsync
• syslogd
• ...and more!

For more details regarding the availability, schedule and pricing for your country, please visit:
http://osmap.securitystartshere.org

