
Hands-On Track

Assessing and Exploiting Mobile Applications with OWASP MobiSec
Kevin Johnson, CEO, Secure Ideas, LLC
James Jardine, Principal Security Consultant, Secure Ideas, LLC

Monday, March 23 & Tuesday, March 24
Technical Level: High

How much of your corporate data is leaking out through users’ mobile devices and applications?

Mobile devices and applications are here to stay, and the industry is long past trying to keep personal—or even company-supported—devices off the network. But without access to the device itself and limited control over applications installed on the devices, security teams are at the mercy of users…or are they?

In this hands-on, lab-driven track, students will be taught the tools, techniques, and methodology to perform penetration testing of mobile devices and applications, from the inside out. This track, created by the project leads for the OWASP MobiSec project, will walk participants through how to perform an effective mobile pen test, mapping, forensic discovery, and even exploitation—so you can learn how to stop data leakage before it happens.

Monday, March 23

Mobile Applications
• Penetration testing
• Methodology
    - Mapping
    - Discovery
    - Exploitation
• OWASP MobiSec
• Exercise: Set up and use MobiSec

Testing Lab
• Systems
    - Windows
    - Linux
    - Mac
• Device OSs
    - Android
    - iOS
    - Windows Phone
• Exercise: Lab Setup

Mapping
• Obtaining applications
    - Source
    - Compiled and in an app store
• Installing apps onto test devices
    - Retrieving applications and supporting files from the device
• Exercise: Manipulating devices and emulators
    - Android
    - Windows Phone
    - iOS
• Intercepting traffic
    - Emulator methods
    - Device methods
• Tools
    - Fiddler
    - Burp
    - Mallory
    - Exercise: Interception

Discovery
• Analyzing application files
    - SQLite databases
    - Backup files
    - Application binaries
    - Exercise: Analyzing application files
• Fuzzing
    - Burp Intruder
    - Burp Repeater
    - Fiddler
    - Exercise: Burp Intruder and Repeater
    - SQLMap
    - Python scripts
    - WSFuzzer
    - SOAPUI
    - Exercise: WSFuzzer and SOAPUI

Tuesday, March 24

Exploitation
• SQL Injection
    - Absinthe
    - SQLMap
    - Exercise: SQL Injection
• Cross-Site Scripting
    - BeEF
    - Exercise: BeEF
• Other Client-Side Attacks
    - Client-side SQL injection
• Session and Wireless Attacks
    - Wireless MiTM
    - Wireless Probe Spoofing
    - Session Hijacking
    - Logic Attacks
    - Exercise: Session Hijacking and Logic Attacks

Capture the Flag
• Flag-based challenges
    - Android
    - Windows Phone
    - Back-end infrastructure


Requirements:
The tutorial requires that students bring a laptop with at least 8 GB of RAM and VMware Player or Fusion installed.
Who should attend:
IT staff looking to understand and learn how to assess and exploit mobile applications and their infrastructure should attend.

Schedule
Monday, March 23
8:30 AM – 9:30 AM Conference Keynote
9:30 AM – 12:15 PM Hands-On Tutorial
12:15 PM – 1:30 PM Luncheon and Keynote
1:30 PM – 5:15 PM Hands-On Tutorial

Tuesday, March 24
8:30 AM – 11:00 AM Hands-On Tutorial
11:15 AM – 12:15 PM Conference Keynote
12:15 PM – 2:00 PM Lunch and Expo
2:00 PM – 5:15 PM Hands-On Tutorial