Hey there! This website hosts material and resources for the Mobile Systems and Smartphone Security (aka Mobile Security, aka MOBISEC) course, first taught in Fall 2018 at EURECOM. This was designed to be a hands-on course, and it covers topics such as the mobile ecosystem, the design and architecture of mobile operating systems, application analysis, reverse engineering, malware detection, vulnerability assessment, automatic static and dynamic analysis, and exploitation and mitigation techniques. It is widely regarded as the best class on the topic (according to the world-renowned survey "top mobile security classes of the French riviera").

I (Yanick Fratantonio / @reyammer) have planned this class for more than a year, and the risk of losing my job finally forced me to make it happen. This has required a crazy amount of time, but it has been extremely rewarding: students with minimal-to-zero knowledge about the topic managed to learn how to think critically about mobile security aspects, reverse engineer Android apps like ninjas, and exploit real-world vulnerabilities — and it seems they loved the show :-)

Material. In the spirit of helping more students than my EURECOM ones, I decided to put everything online. I'm starting by releasing the slides. This material is far from perfect — but hey, that's all I got for now — and it is far from being self-contained: I want to believe that a big part of the show is myself explaining things in simple ways, leading discussions, demos, etc. But, still, this should be a good starting point. Also, even though I have a set of slides on iOS, this class is mostly about Android. Note that there are several references to research papers, but they are currently unintentionally a bit biased towards my own work: I consider this as a "bug" of the current slides and I'm planning to fix it at the next round :-) In the meantime, if you have a reference it would be nice to include, ping me!

Wargame challenges. A big component of this class was to solve wargame/CTF-style challenges. I had three main homeworks (with several tasks each) focusing on: 1) low-level Android-related technical things, 2) reverse engineering, and 3) app exploitation. I plan to release all these in the upcoming weeks.

Target audience. The material targets grad-level students with no (or not much) background in mobile security (Android / iOS). If you are an experienced Android app developer, this material may cover some security-related topics that you have not seen around. As for the challenges, I believe that some of them may be interesting even for above-average hackers 😇.

Want to teach this? If you are a prof / instructor / trainer and you are interested in teaching this class, 1) you are welcome to use this material, 2) I am happy to share the "private" part of the course: source code for the assignments, the source code for the platform / infrastructure, the final exam's questions, slides related to homeworks discussion, etc. If you are interested, please reach out to me!

License. As written above, you are more than welcome to use/modify this material. However, I ask that you add a reference to this website so that students can see the challenges / updated material / etc. If in doubt, please ask me.

Tentative Timeline

  • March 4th: I published the slides.
  • ~mid March: I will release the reverse engineering homework (7 challenges).
  • TBD: release of the two other homeworks (they are trickier to release as there is an automatic analysis system that requires a running emulator...)
  • TBD: recordings + demos (if you are interested, let me know!)

Acknowledgements

There are several individuals that, in some way or another, helped me throughout the process (by writing some guest challenges, by sharing some relevant material / blog posts, by being (very) patient with me being busy, etc.). I would like to thank some of them: Andrea Possemato, Dario Nisi, Davide Quarta, Lena, Simone Aonzo, Rene Mayrhofer, Nikolay Elenkov.