iOS Security Training Outline

In today’s increasingly digitized world, cybersecurity has become a top priority for organizations of all sizes and sectors. With the constant evolution of cyber threats, it is imperative for businesses to stay ahead of the curve and ensure the security of their sensitive information and assets. One of the most effective ways to achieve this is through cybersecurity training programs that educate employees on the best practices and strategies for identifying and mitigating potential cyber risks.

Arrownex Information Technology (hereafter referred to as “Arrownex” or “Vendor”) is a leading provider of cybersecurity services and training programs, specializing in equipping organizations with the knowledge and skills needed to defend against cyber threats. Through our comprehensive training programs, we aim to empower employees to identify potential security risks, respond to incidents promptly and effectively, and maintain a proactive approach to cybersecurity. Our experienced trainers bring a wealth of knowledge and expertise to the table, drawing on their industry experience and up-to-date knowledge of the latest threats and trends to provide relevant and actionable training content. We work closely with your organization to understand your unique security needs and develop a training program that addresses your specific pain points and vulnerabilities.

Arrownex would like to thank (hereafter referred to as “” or “Client”) for giving us the opportunity through this training outline document to present our offering for conducting training for the employees of . In this training outline document, we outline our approach to delivering high-quality cybersecurity training to your organization, including the scope of the engagement, assumptions and exclusions, estimated timelines, and associated commercials. Our goal is to work collaboratively with your team to develop a tailored training program that meets the unique needs of your organization and equips your employees with the knowledge and skills they need to keep your business safe and secure in today’s ever-changing digital landscape.

Course Outline

Module 1: Overview

  • The state of iOS Security
  • iOS security architecture and its components
  • iOS app signing, sandboxing and provisioning
  • iOS app and app lifecycle
  • Recommended lab setup tips

Module 2: Static Analysis

  • Tools and techniques to retrieve/decompile/reverse and review IPA files
  • File structure of an IPA file
  • Instruction Set Architecture and Mach-O format
  • Identification of the attack surface of iOS apps and general information gathering
  • Identification of common vulnerability patterns in iOS apps:
    • Hard-coded secrets
    • Logic bugs
    • Access control flaws
    • URL handlers
    • Injection attacks
  • Patching and re-signing iOS binaries to alter app behavior
  • Tips to test without a jailbreak

Module 3: Dynamic Analysis

  • Monitoring data:
    • Caching
    • Logs
    • App files
  • Insecure file storage
  • iOS keychain
  • Cryptographic flaws
  • The art of MITM: intercepting network communications
  • Defeating certificate pinning
  • Bypassing jailbreak detection
  • The art of instrumentation:
    • Frida
    • Objection
    • Cydia Tweaks
    • Cycript
    • PassionFruit
  • App behavior monitoring at runtime
  • Modifying app behavior at runtime

CTF

  • Participants will be provided with multiple iOS apps containing vulnerabilities.
  • Participants should write a specific exploit, perform a successful attack and grab the flag.

2. Training Approach

Arrownex CyberLabs’ cybersecurity training approach is based on the latest industry best practices and research, as well as our extensive experience in providing effective cybersecurity training programs for various organizations.

Our approach to training includes the following components:

2.1 Training Delivery Methods

We offer a range of training delivery methods to meet the needs of different learners and organizations, including online modules, classroom-style instruction, and hands-on workshops. We can also customize the delivery method based on the specific needs of your organization.

Training Content and Structure

Our training content and structure are designed to be engaging, informative, and practical. We use real-world examples and scenarios to illustrate key concepts and best practices, and we encourage active participation and feedback from participants. Our training content covers a range of topics, including security awareness, password hygiene, email security, social engineering, phishing and malware, incident response, and network security.

Customization Options

We recognize that each organization has unique needs and challenges when it comes to cybersecurity, and we offer customization options to ensure that our training program meets your specific requirements. We can tailor the training content and delivery methods to align with your organization’s policies, procedures, and security framework.

Overall, our goal is to empower your employees to take an active role in maintaining the security of your organization and to foster a culture of cybersecurity awareness and best practices. We believe that by investing in cybersecurity training, your organization can not only mitigate the risk of cyber threats but also gain a competitive edge by demonstrating a commitment to security and trust to your clients and stakeholders.

3. Training Syllabus

3.1 iOS Application Penetration Testing

Course Description

The training will prepare you to effectively evaluate and assess the security weaknesses of iOS applications. You’ll learn to assess an application and understand all the risks so that you can characterize threats based on industry standards such as OWASP MASVS.

Understanding and identifying vulnerabilities and threats to mobile devices is a valuable skill, as mobile device applications introduce new threats to organizations, including data leakage and the disclosure of enterprise secrets, intellectual property, and personally identifiable information assets.

Training starts with an overview of the iOS security architecture and its components. We look into industry-adopted analysis techniques, including static and dynamic analysis. We use tools such as Objection, MobSF, Frida, etc. Finally, we make use of a vulnerable iOS application for penetration testing and develop exploits.

4. Estimated Time Required

Malware Analysis

5. Assumptions and Exclusions

5.1 Assumptions

  • It is assumed that all trainees will be available and participate actively during the scheduled training sessions. The Client is responsible for the attendance of the participants.
  • The Client will provide a suitable training environment, including any necessary equipment, software, and internet access.
  • The Client will ensure that the training material shared by Arrownex is used for internal training purposes only.
  • The Client will designate specific points of contact for the coordination and administration of the training.
  • It is assumed that participants will complete any post-training evaluations or assessments required to measure the effectiveness of the training.

5.2 Exclusions

  • The provision of hardware, software, or licenses required for the training is not included, unless otherwise specified.
  • On-site travel and accommodation expenses are not included in the commercials. For on-site training, travel and accommodation will be billed separately at actual cost.
  • At the trainer’s discretion, the trainer may stay back after a session to clarify any doubts raised by the participants.
  • Training on topics not explicitly covered in the proposal or agreed-upon training curriculum is excluded.
  • Training sessions outside of standard business hours or on weekends are not included, unless otherwise specified.

5.3 Deliverables

The following will be considered as part of the deliverables:

  1. Training course – delivered on-site/online
  2. Slide deck and reference materials (if any)
  3. Hands-on lab assessment report

6. Contact Details

For any further clarifications or concerns, feel free to write an email to info@arrownex.com.