Unveiling the World of Mobile Exploitation: ARM Architecture and Beyond

Dinesh Shetty, Director, Security Engineering, Security Innovation

Mobile applications are the obvious target for cyber attacks, but a secure application won't faze a committed cyber adversary. They can exploit any mobile interface—an app, calls to the OS, and background operations. From there, they can easily go after anything they want.

That's why our session at Black Hat 2023—Offensive Mobile Reversing and Exploitation—is essential for mobile platform engineers, developers, and DevOps teams.

ARM Architecture and its Role in Mobile Security

Today, most mobile devices rely on ARM architecture, so understanding the connected functionalities within the platform, OS, and applications is critical to securing them. But other traditionally non-mobile systems are moving to ARM architecture for greater computing efficiency. The universe of vulnerable systems includes everything from wearable and IoT devices to auto entertainment systems, robotics, and building management systems.

In-Depth Training on Mobile Exploitation at Black Hat 2023

For four days during Black Hat 2023—August 5th-8th—we'll take attendees through a virtual top-to-bottom understanding of mobile exploitation. The course starts with a basic introduction to the ARM instruction set and calling conventions, followed by reverse engineering exercises and crafting simple exploits for the ARM64 environment. Next, we move to mobile browser security. Attendees will learn browser mitigations and how to write simple exploits for a mobile browser.

We'll then dive deep into iOS and Android security internals, discussing exploitation techniques using real-world vulnerabilities, like voucher_swap, checkm8, and more. We also discuss common vulnerabilities that are easily exploitable, like heap overflows, use-after-free, uninitialized stack variables, and race conditions.

The training then moves on to application security. Here we'll use several applications written by course authors to exploit iOS, Android, and SecurePass. Attendees will also learn a variety of mitigations deployed in real-world apps and how to bypass them. And don't miss our in-depth discussion and hands-on exercises with code signing, sandboxing, inter-process communication mechanisms, and advanced techniques to bypass anti-debugging and obfuscation.

Learn Real-World Application Security Techniques

In addition to mobile-specific operating systems and application security issues, the course covers current threats and how they affect mobile platforms and applications. Attendees will see how common threats, like phishing and malware, can start with a click and quickly root a device to gain complete access and control. By reverse-engineering malware and OS vulnerabilities, attendees will quickly see how user actions can trigger vulnerable components of an OS to create new attack surfaces.

This training is provided in partnership with the research team at 8kSec (8ksec.io). The course authors and presenters have tested a wide range of mobile applications and ARM-based systems—from 60-story elevators to blockchain voting systems—and share that knowledge with you. The trainers are experienced in running cybersecurity programs and DevOps teams for large organizations across various geographic locations.

We convert theoretical attack scenarios into practical learning so that everyone walks away with a current understanding of mobile OS and application vulnerabilities. If you're an engineer, you'll walk away with insight and tools to better evaluate the security of mobile applications and platform features. Software developers will gain an in-depth understanding of application vulnerabilities. And DevOps professionals will see how to implement security in their CI/CD pipeline.

Join us August 5-8. For more details about the course, visit Black Hat 2023 training.


About Dinesh Shetty: Mobile Security Expert and Speaker at Top Cybersecurity Conferences

Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. His core area of expertise is Mobile and Embedded application pen-testing and exploitation. He has spoken at conferences like Black Hat, Bsides, Def Con, BruCon, AppsecUSA, POC, AppsecEU, HackFest, and many more. He maintains an open-source, intentionally vulnerable Android application named InsecureBankv2 for use by developers and security enthusiasts. He has also authored the guide to Mitigating Risk in IoT systems, covering techniques on security IoT devices and Hacking iOS Applications, which covers all of the known methods for exploiting iOS applications.