There is no secret that times are changing and a plethora of companies have a mobile application in the Google Play Store, the Apple App Store, or both. While mobile applications are convenient, they pose a huge security risk if developed in a manner that is secure. In this talk, methodologies, tools, and potential challenges will be discussed in detail, with the goal of providing penetration testers with the under the hood knowledge required to perform security assessments of Android and iOS applications. The iOS portion of this talk will cover topics ranging from getting set up with jailbreaking, cydia, and OpenSSL, to information gathering with otool, nm, strings, and class-dump; to decryption with clutch; to debugging with gdb, lldb, and cycript. Simpler concepts, such as copying files using iExplorer, will also be explored. The Android portion of this talk will cover similar topics, including package decompilation with dex2jar and jd-gui, enabling debugging using apktool, and debugging during runtime with adb and jdb. Similar to the iOS portion of the talk, simpler concepts will also be covered, including moving files with adb push and pull. Attendees should leave this talk with a firm understanding of how some popular, higher level tools work in the background. Applications such as iRET, idb, and Androguard can be very helpful, but in the event they fail, it is critical that an analyst know how to proceed. This presentation will help provide analysts with the background knowledge they need to do just that.

Drew Branch and Billy McLaughlin are Associate Security Analysts for Independent Security Evaluators, where they are challenged with assessing security implementations for Fortune 500 companies including DRM and cryptographic systems, and secure configurations/development for mobile and web applications. Mr. Branch holds a B.S. in Electrical/Computer Engineering from Morgan State University and is actively pursuing an M.S. in Cybersecurity at the University of Maryland, Baltimore County. He is a cutting edge technology enthusiast with a passion for security in all aspects and is intrigued by how things work and how to break them. Mr. McLaughlin holds a dual B.S. in Computer Science and Computer Security and is pursuing an M.S. in Computer Science, both at East Stroudsburg University of Pennsylvania. Security was a hobby during his years as a student, and it has evolved into a profession.

Back to Derbycon 2015 video list