SANS Penetration Testing: Category - Mobile

Mining Android Secrets (Decoding Android App Resources)

By Jeff McJinkin

As a pen tester and avid Android user, I'm keenly interested in the security of Android applications. Even without looking at the code, we can gain a tremendous understanding of what happens in the deep, dark corners of an application. All we need to do is dig away at the Android resources. …


Ghost in the Droid: Reverse Engineering Android Apps

By Joshua Wright

For the past few years I've been invited to speak at the SANS HackFest conference. This is a great opportunity for me to present new research and useful pen testing techniques to a hungry audience. It's also a highly competitive event among speakers. Each year my stuff needs to be bigger and …


iOS 10 is Apple's Gift to Android Users

How the latest update to iOS 10 will dramatically improve Android security

At the Apple WWDC conference in June, Ivan Krstic, Apple Head of Security Engineering & Architecture, made a bold declaration: "At the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store." …


Mobile Device Security Checklist

By Lee Neely & Joshua Wright

We often get asked for things we can do to help users keep their mobile devices secure. Here's a quick list of some simple things you can do to ensure that your mobile devices are running with at least some security. All of these steps are free and raise the bar …


TLS/SSL Failures and Some Thoughts on Cert Pinning (Part 1)

By Chris Crowley

It's going to happen sooner or later...sooner probably. You're going to be asked about your company's mobile app or a mobile app your company wants to install across all mobile devices. They'll put the request in the "yet another duty as assigned" (YADAA) category/bucket. You look at the network traffic; it's using …