Mobile Penetration Training - Asecurity Academy

About Course

This course focuses on Android and iOS Mobile Application Penetration testing. The course will demonstrate common techniques to extract sensitive data from Android and iOS Application such as API Keys, stored secrets, and firebase databases, and provide a solid foundation for continuing a career as a Mobile Application Penetration Tester. This course will cover the common methodologies and practices you can utilize to start Bug Bounty hunting mobile applications.

How to follow the Penetration Testing and Mobile Application Penetration Testing Processes
How to setup a lab environment to analyze both iOS and Android Mobile applications that are pulled directly from the Apple and Google Play Stores
Manual analysis of Mobile Applications for sensitive information such as URLs, Storage Buckets, Firebase Databases, and other Stored Secret
Automated analysis of Mobile Applications by using tools like MobSF
How to break SSL Pinning by using Objection and Frida for both iOS and Android
The OWASP Top Ten for Mobile
How to jailbreak an iOS device

Course Content

Introduction and Course Resources

Course Introduction

00:00
Course Resources

00:00
Mobile Pentesting Certification Landscape

00:00
Device Requirements

00:00
Course Discord

00:00

Penetration Testing Process

Android Intro and Security Architecture

Android Lab Setup

Windows – JADX-GUI

00:00
Windows – adb Install

00:00
Windows – apktool install

00:00
Windows – Android Studio Install

00:00
Kali Linux – PimpMyKali (Easy Mode)

00:00
Kali Linux – adb Install

00:00
Kali Linux – apktool Install

00:00
Kali Linux – JADX-GUI Install

00:00
Kali Linux – Android Studio Install

00:00
Mac – Brew

00:00
Mac – JADX-GUI

00:00
Mac – apktool

00:00
Mac – Android Studio

00:00
Emulator Setup & Recommendations (All Platforms)

00:00
Accessing ADB Shell from a VM/Networked Device

00:00
Additional Emulator Options Android (Optional)

00:00
Physical Device Setup (Optional)

00:00
Common Issue: No Extended Controls

00:00

Android Static Analysis

Pulling an APK From the Google Play Store

00:00
Intro to Injured Android

00:00
Enumerating AWS Storage Buckets via Static Analysis

00:00
Android Manifest.xml

00:00
Manual Static Analysis

00:00
How to Find Hardcoded Strings

00:00
Injured Android Static Analysis (Flags 1-4)

00:00
Enumerating Firebase Databases via Static Analysis

00:00
Automated Analysis using MobSF

00:00

Android Dynamic Analysis

Intro to SSL Pinning/Dynamic Analysis

00:00
Dynamic Analysis using MobSF

00:00
Burp Suite Install and Overview

00:00
Burp Suite Setup/Intercept

00:00
Proxyman Install & Usage

00:00
Patching Applications Automatically using Objection

00:00
Patching Applications Manually

00:00
Dynamic Analysis – Final Notes and Vectors

00:00
The Frida Codeshare

00:00
Using Frida Codeshare & Startup Scripts

00:00
Common Issue: Can’t Decode Resources

00:00

About Course

What Will You Learn?

Course Content

Introduction and Course Resources

Course Introduction

Course Resources

Mobile Pentesting Certification Landscape

Device Requirements

Course Discord

Penetration Testing Process

The Penetration Testing Process

The Mobile Application Penetration Testing Process

Android Intro and Security Architecture

Android Security Architecture

Application Security and Signing Process

Android Lab Setup

Windows – JADX-GUI

Windows – adb Install

Windows – apktool install

Windows – Android Studio Install

Kali Linux – PimpMyKali (Easy Mode)

Kali Linux – adb Install

Kali Linux – apktool Install

Kali Linux – JADX-GUI Install

Kali Linux – Android Studio Install

Mac – Brew

Mac – JADX-GUI

Mac – apktool

Mac – Android Studio

Emulator Setup & Recommendations (All Platforms)

Accessing ADB Shell from a VM/Networked Device

Additional Emulator Options Android (Optional)

Physical Device Setup (Optional)

Common Issue: No Extended Controls

Android Static Analysis

Pulling an APK From the Google Play Store

Intro to Injured Android

Enumerating AWS Storage Buckets via Static Analysis

Android Manifest.xml

Manual Static Analysis

How to Find Hardcoded Strings

Injured Android Static Analysis (Flags 1-4)

Enumerating Firebase Databases via Static Analysis

Automated Analysis using MobSF

Android Dynamic Analysis

Intro to SSL Pinning/Dynamic Analysis

Dynamic Analysis using MobSF

Burp Suite Install and Overview

Burp Suite Setup/Intercept

Proxyman Install & Usage

Patching Applications Automatically using Objection

Patching Applications Manually

Dynamic Analysis – Final Notes and Vectors

The Frida Codeshare

Using Frida Codeshare & Startup Scripts

Common Issue: Can’t Decode Resources

Android Bug Bounty Hunt

Bounty Hunt 1 – Joann Fabrics

Bounty Hunt 2 – Sam’s Club App

BONUS – Android Red Teaming

In-Line Attacks

Creating a Generic APK with Metasploit Shell

Injecting Play Store App with Metasploit Shell

The Ghost Framework

iOS Introduction and Architecture

Intro to iOS

iOS Lab Setup

xCode Setup/Install

Using xCode

Developer License Setup

AnyTrans (Pull IPA from App Store)

Additional Emulator Options iOS (Optional)

iOS Static Analysis

Manual Static Analysis

Automated Analysis with MobSF

iOS Dynamic Analysis/Jailbreaking

Burp Suite Setup & Usage

Proxyman – iOS

SSL Pinning iOS

Using Objection for iOS