Mobile Security and Exploitation training - Live Online - Instructor Led


Mobile Security and Exploitation training - Live Online - Instructor Led



Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a two day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment.

The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms.

Some of the topics that will be covered are

  • Advanced Auditing of iOS and Android Applications
  • Reverse Engineering, Bypassing Obfuscations
  • Debugging Android and iOS applications 
  • Runtime manipulation based attacks
  • Automating security analysis, Exploiting and patching apps
  • ARM Exploitation
  • API Hooking and a lot more.

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario.

Students will also be provided With slides, reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.



Module 1 : Diving into Android

  • Setting up a Mobile Pentest Environment
  • Android Security Architecture
  • Permission Model Flaws
  • Getting familiar with ADB
  • Activity and Package Manager Essentials
  • API level vulnerabilities
  • Rooting in Android devices
  • ART and DVM for App Reverse Engineers  

Module 2 : Android App for Security Professionals

  • Security Analysis of AndroidManifest.xml 
  • Reverse Engineering for Android Apps
  • Smali for Android 101
  • Smali Labs for Android
  • Cracking and Patching Android apps
  • Understanding Dalvik 
  • Dex Analysis and Obfuscation
  • Android Application Hooking
  • Using JDB and Andbug
  • Dynamic Dalvik Instrumentation for App Analysis
  • Introspy for Android 
  • Creating custom Hooks

Module 3 : Application Specific Vulnerabilities

  • Static Analysis of Android Apps
  • Attack Surfaces for Android applications
  • Exploiting Side Channel Data Leakage
  • Exploiting and identifying vulnerable IPCs
  • Exploiting Backup and Debuggable apps
  • Exploiting Exported Components
  • Webview based vulnerabilities
  • Dynamic Analysis for Android Apps
  • Logging Based Vulnerabilities
  • Insecure Data Storage
  • Network Traffic Interception 
  • Analysing Network based weaknesses
  • Exploiting Secure applications
  • Analysing Proguard, DexGuard and other Obfuscation Techniques
  • OWASP Mobile Top 10
  • Using Drozer for Exploitation
  • Writing custom Modules for Drozer
  • Exploiting Android apps using Frida 
  • Analysing Android apps using Androguard
  • Analysing Native Libraries
  • Security Issues in Hybrid Apps

Module 4 : ARM for Android Exploitation

  • Getting familiar with Android ARM
  • ARM Architecture and Calling conventions
  • Debugging with GDB
  • Exploiting Overflow based vulnerabilities
  • ROP Labs for ARM 

Module 5 : Getting Started with iOS Pentesting

  • iOS security model
  • App Signing, Sandboxing and Provisioning
  • Setting up XCode
  • Changes in iOS 9,10
  • Exploring the iOS filesystem 
  • Intro to Objective-C and Swift

Module 6: Setting up the pentesting environment

  • Jailbreaking your device
  • Cydia, Mobile Substrate
  • Getting started with Damn Vulnerable iOS app
  • Binary analysis
  • Finding shared libraries
  • Checking for PIE, ARC
  • Decrypting IPA files
  • Self-signing IPA files 

Module 7: Static and Dynamic Analysis of iOS Apps

  • Static Analysis of iOS applications
  • Dumping class information
  • Insecure local data storage
  • Dumping Keychain
  • Finding URI schemes
  • Dynamic Analysis of iOS applications
  • Cycript basics
  • Advanced Runtime Manipulation using Cycript
  • Frida for iOS 
  • Method Swizzling
  • GDB basic usage 
  • GDB kung fu with iOS

Module 8: Exploiting iOS Applications

  • Broken Cryptography
  • Side channel data leakage
  • Sensitive information disclosure
  • Exploiting URL schemes
  • Client side injection
  • Bypassing jailbreak, piracy checks
  • Inspecting Network traffic
  • Traffic interception over HTTP, HTTPs
  • Manipulating network traffic
  • Bypassing SSL pinning

Module 9: Reversing iOS Apps

  • Introduction to Hopper
  • Disassembling methods
  • Modifying assembly instructions
  • Patching App Binary
  • Logify, Introspy, iNalyzer, Snoopit

Module 10: Securing iOS Apps

  • Securing iOS applications
  • Where to look for vulnerabilities in code?
  • Code obfuscation techniques
  • Piracy/Jailbreak checks
  • iMAS, Encrypted Core Data


All the above-mentioned topics are taught with extremely hands-on lab-based practical sessions. 


  • Attify's Mobile pentesting VM
  • Lab reference material and handouts
  • 400+ slides (PDF Copy)


  • Mobile Security Enthusiasts
  • Mobile application developers and Penetration Testers
  • Anyone wanting to start in mobile application security


  • Free 25GB disk space with minimum 4 GB RAM
  • Jailbroken iOS device (if you would like to perform iOS Exploitation)


      Add To Cart