Hey there! This website hosts material and resources for the Mobile Systems and Smartphone Security (aka Mobile Security, aka MOBISEC) course, first taught in Fall 2018 at EURECOM (Note: the material reflects the last edition, MOBISEC 2020). This was designed to be a hands-on course, and it covers topics such as the mobile ecosystem, the design and architecture of mobile operating systems, application analysis, reverse engineering, malware detection, vulnerability assessment, automatic static and dynamic analysis, and exploitation and mitigation techniques.

It is widely regarded as the best class on the topic.*
(*according to the world-renowned survey "top mobile security classes of the French riviera 2020")

I (Yanick Fratantonio / @reyammer) have planned this class for more than a year, and the risk of losing my job finally forced me to make it happen. This has required a crazy amount of time, but it has been extremely rewarding.

Students with minimal-to-zero knowledge about the topic managed to learn how to think critically about mobile security aspects, reverse engineer Android apps like ninjas, and exploit real-world vulnerabilities. If you put the work in, you can also become a mobile security researcher! Several MOBISEC students managed to find related jobs in big companies; and I have been told that at least one of the FAANG companies is actually asking interviewees "hey, did you solve the MOBISEC challs?" (Warning: It is very possible that they are asking this question to then discard candidates who lost time with this :-))

Slides & Recordings. In the spirit of helping more students than my EURECOM ones, everything is online and for free. I have finally released all slides & recordings. This material is far from perfect — but hey, that's all I got — and it is far from being self-contained. Still, this should be a good starting point, and there are many pointers. Also, even though I have a set of slides on iOS, this class is mostly about Android. Note also that there are several references to research papers, and they are currently unintentionally a bit biased towards my own work: I consider this as a "bug" of the current slides. :-)

Wargame challenges. A big component of this class was to solve wargame/CTF-style challenges. I had three main homeworks (with several tasks each) focusing on: 1) low-level Android-related technical things, 2) reverse engineering, and 3) app exploitation. All the challenges are public!

Target audience. The material targets grad-level students with no (or not much) background in mobile security (Android / iOS). If you are an experienced Android app developer, this material may cover some security-related topics that you have not seen around. As for the challenges, I believe that some of them may be interesting even for above-average hackers 😇.

License. If you are a prof / instructor / trainer and you are interested in teaching this class, you are welcome to use this material. The only thing I ask in exchange is: 1) include an appropriate reference to this website so that students can see the challenges / updated material; 2) (optional) I would love to hear how you plan to use this material. Knowing that this is useful is a big push to improve the material and release more challenges. Please reach out to me via twitter/email with any questions.

Acknowledgements

There are several individuals that, in some way or another, helped me throughout the process (by writing some guest challenges, by sharing some relevant material / blog posts, by being (very) patient with me being busy, etc.). I would like to thank some of them: Andrea Possemato, Dario Nisi, Davide Quarta, Lena, Simone Aonzo, Rene Mayrhofer, Nikolay Elenkov.