All Trainings

Get FREE access to the slides, recording and vulnerable apps to practice after the event at 7asecurity.com/free-workshop-mobile-practical

About This Workshop

A significant amount of confusion exists about what kind of damage is possible when vulnerabilities are found in mobile apps. This workshop solves that problem with a comprehensive, entirely practical walkthrough of Android and iOS security flaws identified over multiple years of penetration testing.

Attendees get training portal access to practice attack vectors — including multiple mobile app attack surfaces, deep links, and mobile app data exfiltration with XSS — with lifetime access to vulnerable apps, guided exercise PDFs, and video recordings.

"Please come caffeinated — the audience will be challenged to spot vulnerabilities at any moment."

Topics covered include (not limited to):

Copy-paste attacks
Premium number dialing
Custom URLs & Deep Links
XSS
SQLi
RCE
MitM attacks
Path traversals
Data leaks
Persistent XSS
Data exfiltration
Mobile API attacks

Your Trainer

Abraham Aranguren
Abraham Aranguren
Founder & CEO, 7ASecurity · OWASP OWTF Project Leader · CISSP, OSCP, GWEB

Abraham is the founder and CEO of 7ASecurity, an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter. With more than 24 years of IT experience and over 17 years in information security, he has led engagements for the Linux Foundation, Mozilla, the Tor Project, The Guardian, and many others.

He is the lead author and primary instructor for 7ASecurity's Mobile, Web, and Desktop (Electron) application security courses, delivered at:

Black Hat USA
DEF CON
OWASP Global AppSec
LASCON
BruCON
NorthSec
Nullcon
CODE BLUE Tokyo

Workshop Structure

1

Warm-up: Easy Vulnerabilities

  • Starting with relatively straightforward findings from real-world apps
  • Copy-paste attacks, premium number dialing, and insecure data storage
  • Audience challenge: spot the vulnerability before it's revealed
2

Intermediate Attack Vectors

  • Deep Links and custom URL scheme abuse
  • XSS in mobile apps: persistent and reflected
  • SQLi, path traversals, and insecure API communication
  • Case study: apps that report human rights abuse — security as life or death
3

Vulnerability Chaining & Impact Demonstration

  • Chaining multiple vulnerabilities to maximize impact: RCE via SQLi, data exfiltration via XSS
  • Why mobile findings are often downplayed — and how to demonstrate real impact
  • Case studies from high-profile open source security audits (password vaults, privacy browsers)
4

Mobile API Security

  • Attacks against the APIs behind mobile apps
  • MitM attacks against mobile API traffic
  • Common API security issues found in real-world mobile pentests
5

Hands-on Practice

  • Training portal access with vulnerable apps to practice attack vectors
  • Guided exercises with step-by-step PDFs
  • Lifetime access to all materials after the workshop

What You'll Take Home

All Action, No Fluff.

Seats are limited. Training ticket required — separate from the main conference ticket.

Book Your Seat