Hey there! This website hosts material and resources for the Mobile Systems and Smartphone Security (aka Mobile Security, aka MOBISEC) course, first taught in Fall 2018 at EURECOM. This was designed to be a hands-on course, and it covers topics such as the mobile ecosystem, the design and architecture of mobile operating systems, application analysis, reverse engineering, malware detection, vulnerability assessment, automatic static and dynamic analysis, and exploitation and mitigation techniques. It is widely regarded as the best class on the topic (according to the world-renowned survey "top mobile security classes of the French riviera").

I (Yanick Fratantonio / @reyammer) have planned this class for more than a year, and the risk of losing my job finally forced me to make it happen. This has required a crazy amount of time, but it has been extremely rewarding: students with minimal-to-zero knowledge about the topic managed to learn how to think critically about mobile security aspects, reverse engineer Android apps like ninjas, and exploit real-world vulnerabilities — and it seems they loved the show :-)

Material. In the spirit of helping more students than my EURECOM ones, I decided to put everything online. I'm starting by releasing the slides. This material is far from perfect — but hey, that's all I got for now — and it is far from being self-contained: I want to believe that a big part of the show is myself explaining things in simple ways, leading discussions, demos, etc. But, still, this should be a good starting point. Also, even though I have a set of slides on iOS, this class is mostly about Android. Note that there are several references to research papers, but they are currently unintentionally a bit biased towards my own work: I consider this as a "bug" of the current slides and I'm planning to fix it at the next round :-) In the meantime, if you have a reference it would be nice to include, ping me!

Wargame challenges. A big component of this class was to solve wargame/CTF-style challenges. I had three main homeworks (with several tasks each) focusing on: 1) low-level Android-related technical things, 2) reverse engineering, and 3) app exploitation. The reversing challs are now public, the other two sets are coming soon.

Target audience. The material targets grad-level students with no (or not much) background in mobile security (Android / iOS). If you are an experienced Android app developer, this material may cover some security-related topics that you have not seen around. As for the challenges, I believe that some of them may be interesting even for above-average hackers 😇.

License. If you are a prof / instructor / trainer and you are interested in teaching this class, you are welcome to use this material. The only thing I ask in exchange is: 1) include a reference to this website so that students can see the challenges / updated material; 2) (optional) I would love to hear how you plan to use this material. Knowing that this is useful is a big push to improve the material and release more challenges. About the "material for instructors": currently, the only private thing of the class is the source code for the challs. If you want to adapt the challenges, please reach out to me via this feedback form, and I'll get back to you as soon as I can.

Tentative Timeline

  • March 4th: I published the slides.
  • March 29th: the reversing challenges are out.
  • TBD: release of the two other homeworks (they are trickier to release as there is an automatic analysis system that requires a running emulator...)
  • TBD: recordings + demos (if you are interested, let me know!)

Acknowledgements

There are several individuals that, in some way or another, helped me throughout the process (by writing some guest challenges, by sharing some relevant material / blog posts, by being (very) patient with me being busy, etc.). I would like to thank some of them: Andrea Possemato, Dario Nisi, Davide Quarta, Lena, Simone Aonzo, Rene Mayrhofer, Nikolay Elenkov.