Trainer Name: Jiska Classen

Title: Mobile Reversing and Security Analysis (iOS & Android)

Duration: 3 Days

Dates: March 6, 2023 To March 8, 2023

Training Objectives

This 3-day course will equip you with a toolbox of indispensable techniques and methods for diving into the world of hacking apps on mobile devices. After getting started with static reverse engineering and dynamic testing iOS apps using Ghidra and Frida, we’ll pivot to Android to adapt these methods to the quirks of the Java world. We’ll be using Frida to trace control flow, find interesting code paths, manipulate data, and finally collect code coverage – everything you’ll need to get started writing custom fuzzers for vulnerability discovery.

The training will include hands-on exercises on virtual iOS and Android devices. Students will be guided through using free and open-source reverse-engineering software and frameworks (such as Ghidra and Frida) to understand the internals and perform security testing of closed-source apps.

Training level: Intermediate; Basic

Training Outline

Day 1 - iOS App Fundamentals

Learning objectives:
Understand the structure of an iOS application after dumping it unencrypted from a phone. Get to know methods for static and dynamic application analysis and combine both methods, apply these tools to find interesting code paths, and automate sending input to the app.

Topic overview:
  • Download and decrypt apps from Apple’s App Store.
  • The internal structure of an iOS application, including metadata for security analysis.
  • iOS specifics: Objective-C/Swift, frameworks, DYLD shared cache, plists, entitlements,
  • Discover interesting functions and where they’re called from with dynamic analysis.
  • Combine the results of dynamic analysis with static analysis to figure out function inputs.
  • Write a basic fuzzer.
Day 2 - Advanced iOS Internals

Learning objectives:
Understand common patterns used in iOS apps such as asynchronous programming with Grand Central Dispatch and cross-process communication with XPC. Trainees will learn how to follow control and data flow across threads and processes by applying their understanding of these concepts to the methods learned on Day 1. As an outlook, the techniques learned are put into the context of how one would write a custom fuzzer.

Topic overview:
  • Threading on iOS: thread creation, Grand Central Dispatch (GCD), backtracing, and coverage across threads.
  • Data exchange between apps and daemons: observe Cross-Process Communication (XPC) during runtime.
  • Overview of further low-level communication, such as Mach messages and sockets.
  • Collect coverage with the Frida Stalker.
  • Introduction to advanced fuzzing techniques.
Day 3 - Android Security & Mobile Testing Tools

Learning objectives:
Trainees will understand fundamental differences between Android and iOS Apps from a reverse engineering perspective, adapting the methods learned on iOS to the Java ecosystem used on Android.

Topic overview:
  • The internal structure of an Android app.
  • Static analysis of applications written in Java/Kotlin.
  • Android specifics: Java virtualization, native libraries, JNI, …
  • Dynamic instrumentation of applications that mix Java and native code.
  • Android security boundaries: Intents, content providers, Binder.
  • Using existing tools to bypass TLS certificate pinning, root/jailbreak detection, and modifying SQLite databases.

Who Should Attend?

This class is aimed at anyone interested in mobile app security, including pen testers, security or vulnerability researchers, or app developers.

What to Bring?

  • Laptop with at least 8GB of RAM that can run a VirtualBox VM with an Internet connection.
  • Corellium accounts for practical exercises.
  • Optional: Your own-rooted/jailbroken devices can be used as well, but we won’t be able to provide support for this. Exercises are tested on the Corellium setup.

Training Prerequisite

  • Basic programming knowledge, ideally one or multiple of the following programming languages: Python, JavaScript, C/C++, Java/Kotlin, Objective-C/Swift.
  • Optional: Mobile app development background.

What attendees will be provided?

  • VM with various (free) tools that enable application analysis.
  • Training slides.
  • Practical exercises for iOS and Android application analysis.
  • Solutions to these exercises.

What to Expect?

  • All basics required to pentest recent iOS and Android applications.
  • Overview of iOS and Android internals that matter for application analysis.
  • Skills to improve existing tools or write your own tools to automate testing.
  • Introduction to fuzzing as a fast and simple way to find bugs.
  • Reverse engineering: The methods learned will work even without source code access, which is often the case if you’re pen-testing or hunting some bug bounties.
  • Low-level reverse engineering: Looking at Arm assembly, Smali, messing around with pointers and data structures.
  • Writing some code (mostly Python / JavaScript) will be required, but we’ll provide a cheat sheet and fill-in-the-blank style code skeletons.
  • Tools used during the training: Ghidra, jadx, apktool, Frida, Visual Studio Code with Frida Workbench, objection, adb, and a bunch of further command-line tools.

What not to expect?

  • An offensive training that covers low-level operating system internals (e.g., iOS/Android kernel exploitation).
  • An overview of common vulnerabilities such as the OWASP mobile top 10 – this training is aimed at teaching methods, not applying checklists. However, the methods learned in this training are useful if you need to apply such checklists.
  • Backend server and Web API security.
  • Application of existing tools without understanding their internals. Where existing tools are used, these are used as frameworks to build upon.
  • Programming and command line basics.

About the Trainer

Jiska Classen is a wireless and mobile security researcher. The intersection of these topics means that she digs into iOS internals, reverse engineers wireless firmware, and analyzes proprietary protocols. Her practical work on public Bluetooth security analysis tooling uncovered remote code execution and cryptographic flaws in billions of mobile devices. She also likes to work on obscure and upcoming wireless technologies, for example, she recently uncovered vulnerabilities in Ultra-wideband distance measurement and reverse-engineered Apple's AirTag communication protocol.

She has previously spoken at Black Hat USA, DEF CON, RECon, hardwear.io, Chaos Communication Congress, Chaos Communication Camp, Gulasch Programmer Nacht, MRMCDs, Easterhegg, Troopers, Pass the Salt, NotPinkCon, gave various lectures and training, and published at prestigious academic venues.