Difference between revisions of "AppSecUSA 2017 Developer Summit"
Revision as of 12:04, 12 July 2017
If you have an interesting topic and would like to volunteer to host a training session, please SUBMIT HERE. There are limited funds available to help offset the selected presenters' travel and one night of hotel accommodation. The Call for Presenters will close on July 14, 2017. Individuals will be notified on or before July 21, 2017 if their session was chosen. Please note: a conference ticket is NOT included; however, you may purchase one separately.
There is no charge to attend the Developer Summit, so come join us!
We do ask that you SIGN UP so we have an estimated headcount to be sure we have enough space and food.
AGENDA
Day 1: Half Day Morning Session
Date: Tuesday, September 19, 2017
Time: 9am-12pm
Location: AppSec USA 2017
Presenter:
Day 1: Half Day Afternoon Session
Date: Tuesday, September 19, 2017
Time: 1pm-4pm
Location: AppSec USA 2017
Presenter:
Day 2: Full Day Session
Date: Wednesday, September 20, 2017
Time: 9am-4pm
Location: AppSec USA 2017
Presenter: Swaroop Yermalkar
Extreme iOS App Exploitation, Defense and ARM Exploitation
Detailed training contents: https://goo.gl/swp7F8
iOS has become one of the most popular mobile operating systems, with more than 1.4 million apps available in the iOS App Store. A security weakness in any of these applications or in the system itself could allow an attacker to gain access to the device and retrieve sensitive information. This training will show you how to conduct a wide range of penetration tests on iOS applications to uncover vulnerabilities and harden the system against attacks. Extreme iOS App Exploitation, Defense and ARM Exploitation is a 14-hour session that will help you conduct end-to-end pentesting of iOS applications and understand the security measures that need to be taken. The training also includes a CTF challenge in which attendees apply the skills learned in the session. To attend this hands-on session, all you have to do is bring your MacBook with Xcode installed.
What will be discussed?
Module 1: Introducing iOS App Security
- iOS security model
- App Signing
- App Sandboxing
- App Provisioning
- Changes in iOS 8/9/10
Module 2: Setting up lab
- Setting up iOS Simulators
- Jailbreaking basics
- App signing
- Setting up jailbroken iDevices (we will provide them)
Module 3: Exploiting iOS Application
- Exploiting Local Data Storage Flaws
- Keychain Storage
- Data Storage in SQLite
- Data Storage in Core Data
- Data Storage in Realm database
- Data Storage in YAP database
- Data Storage in NSUserDefaults
- Attacking URL Schemes
- Broken Cryptography attacks and challenges
- Exploiting SQL Injection
- Exploiting XSS Attacks
- Sealing up side channel data leakage
Module 4: Exploiting Broken Cryptography
- Exploiting flaws in payment gateways
- Crypto challenges
Module 5: Exploiting Key Management
- Hardcoded keys
- Storing keys server side
- Generating random keys
- CTF challenge
Module 6: Runtime Analysis of iOS Application
- Runtime analysis using cycript
- Runtime analysis using gdb with ARM Basics
- Runtime analysis using lldb
- Runtime analysis using Snoop-it
- Runtime analysis using Frida
- Bypassing jailbreak detection
- Bypassing piracy detection
- CTF Challenge
Module 7: Reverse Engineering and binary analysis
- Reversing encrypted binaries
- Checking for PIE, ARC
- Reversing un-encrypted binaries
- Disassembling using Hopper
- Disassembling using IDA
- iOS App binary patching
- String analysis
- CTF Challenge
Module 8: Analyzing iOS Network traffic
- Intercepting HTTP traffic
- Intercepting HTTPS traffic
- Bypassing SSL Pinning
- Attacking Weak Server Side Controls
- CTF Challenge
Module 9: Exploring iOS Pentest automation frameworks
- Needle Framework
- IDB
Module 10: iOS Secure Coding
- 1. iOS static code review
- 2. Understanding best practices for:
  - a. Defending against local data storage flaws
  - b. Runtime protection
  - c. Key management
  - d. Defending against crypto attacks
  - e. Defending against side-channel data leaks
Module 11: iOS ARM Exploitation
- ARM Assembly
- Executing first ARM program on iDevice
- ROP (Return Oriented Programming) Basics
- Simple stack overflow on iDevices
- Exploiting heap overflows
- Case studies of recent jailbreaks
What will attendees learn from attending your presentation?
- End to end iOS App Pentesting
- iOS Secure Coding
- iOS reverse engineering, runtime analysis
- Encryption key management, Defending crypto attacks
- ARM Exploitation (basics)
- Designing secure iOS applications
Items attendees will be required to bring with them:
- MacBook with root permissions and Xcode (8.2 or above) installed
Questions? Please submit them here.