sans.org/sec575

SEC575: iOS and Android Application Security Analysis and Penetration Testing

Imagine an attack surface that is spread across your organization and in the hands of every user. It moves regularly from place to place, stores highly sensitive and critical data, and sports numerous, different wireless technologies all ripe for attack. Unfortunately, such a surface already exists today: mobile devices. These devices constitute the biggest attack surface in most organizations, yet these same organizations often don’t have the skills needed to assess them.

SEC575: iOS and Android Application Security Analysis and Penetration Testing is designed to give you the skills to understand the security strengths and weaknesses of Apple iOS and Android devices, including Android 12 and iOS 15. Mobile devices are no longer a convenience technology – they are an essential tool carried or worn by users worldwide, often displacing conventional computers for everyday enterprise data needs. You can see this trend in corporations, hospitals, banks, schools, and retail stores across the world. Users rely on mobile devices today more than ever before – we know it, and the bad guys do too. SEC575 examines the full gamut of these devices.

Learn How to Pen Test the Biggest Attack Surface in Your Entire Organization

With the skills you acquire in SEC575, you will be able to evaluate the security weaknesses of built-in and third-party applications. You’ll learn how to bypass platform encryption and manipulate apps to circumvent client-side security techniques. You’ll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels.
You’ll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS devices, and you’ll learn how to bypass locked screens to exploit lost or stolen devices.

Corellium for Android and iOS Emulation

Throughout the course, students will use the innovative Corellium platform to experience iOS and Android penetration testing in a realistic environment. Corellium allows users to create virtualized iOS and Android devices with full root access even on the latest versions. By using this platform, SEC575 students can immediately test their skills right in their own browser, while still having full SSH/ADB capabilities and access to a range of powerful tools.

Take a Deep Dive into Evaluating Mobile Apps and Operating Systems and Their Associated Infrastructure

Understanding and identifying vulnerabilities and threats to mobile devices is a valuable skill, but it must be paired with the ability to communicate the associated risks. Throughout the course, you’ll review ways to effectively communicate threats to key stakeholders. You’ll learn how to use industry standards such as the OWASP Mobile Application Security Verification Standard (MASVS) to assess an application and understand all the risks so that you can characterize threats for managers and decision-makers.

Your Mobile Devices Are Going to Come Under Attack: Help Your Organization Prepare for the Onslaught

Mobile device deployments introduce new threats to organizations, including advanced malware, data leakage, and the disclosure to attackers of enterprise secrets, intellectual property, and personally identifiable information assets. Further complicating matters, there simply are not enough professionals with the security skills needed to identify and manage secure mobile phone and tablet deployments.
By completing this course, you’ll be able to differentiate yourself as someone prepared to evaluate the security of mobile devices, effectively assess and identify flaws in mobile applications, and conduct a mobile device penetration test. These are all critical skills to protect and defend mobile device deployments.

Who Should Attend

• Penetration testers
• Ethical hackers
• Auditors who need to build deeper technical skills
• Security personnel whose job involves assessing, deploying or securing mobile phones and tablets
• Network and system administrators supporting mobile phones and tablets

Author Statement

The first iPhone was released in 2007, and it is considered by many to be the starting point of the smartphone era. Over the past decade, we have seen smartphones grow from rather simplistic into incredibly powerful devices with advanced features such as biometrics, facial recognition, GPS, hardware-backed encryption, and beautiful high-definition screens. While many different smartphone platforms have been developed over the years, it is quite obvious that Android and iOS have come out victorious.

While smartphones provide a solid experience right out of the box, the app ecosystem is probably the most powerful aspect of any mobile operating system. Both the Google Play and Apple App stores have countless applications that increase the usefulness of their platforms and include everything from games to financial apps, navigation, movies, music, and other offerings. However, many smartphones also contain an incredible amount of data about both the personal and professional lives of people. Keeping those data secure should be a primary concern for both the operating system and the mobile application developer. Yet, many companies today have implemented a bring-your-own-device policy that allows smartphones onto their network. These devices are often not managed and thus bring a new set of security threats to the company.
This course will teach you about all the different aspects of mobile security, both at a high level and down into the nitty-gritty details. You will learn how to analyze mobile applications, attack smartphone devices on the network, man-in-the-middle either yourself or others, and root/jailbreak your device. You will also learn what kind of malware may pose a threat to your company and your employees. Mobile security is a lot of fun, and I hope you will join us for this course so that we can share our enthusiasm with you!

6 Day Program
36 CPEs
Laptop Required
GMOB Mobile Device Security Analyst
giac.org/gmob