Hacking Android and IOT Apps by Example - Abraham Aranguren, Abhishek J M, Anirudh Anand & Amrudesh Balakrishnan - DCTLV2026
Name of Training: Hacking Android and IoT Apps by Example
Trainer(s): Abraham Aranguren, Abhishek J M, Anirudh Anand, and Amrudesh Balakrishnan
Dates: August 10-11, 2026
Time: 8:00 am to 5:00 pm
Venue: Las Vegas Convention Center
Cost: $2,250 (USD)
Short Summary:
This course is a 100% hands-on deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). This course covers and goes beyond the OWASP Mobile Top Ten.
Course Description:
This course is the culmination of years of experience gained via practical penetration testing of mobile applications as well as countless hours spent in research. We have structured this course around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten. This course provides participants with actionable skills that can be applied immediately from day 1.
Please note that our courses are 100% hands-on: we do not lecture students with boring bullet points and theories. Instead, we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. As we try to keep both new and advanced students happy, the course is very comprehensive, and we have not met any student able to complete all challenges during the class. Training therefore continues after the course through our frequently updated training portal, to which you keep lifetime access, as well as through unlimited email support.
Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
4-hour workshop - https://7asecurity.com/free-workshop-mobile-practical
Each section starts with a brief introduction to the mobile platform for that section, then continues with a look at static analysis, moves on to dynamic checks, and finishes off with a CTF session to test the skills gained.
Day 1: Focused specifically on Android. We start with understanding applications and then deep dive into static and dynamic analysis of the applications at hand. This section is packed with hands-on exercises and CTF-style challenges.
Day 2: We cover advanced instrumentation techniques using Frida, Objection, radare2, r2frida, RMS and other tools to overcome assessment challenges and take your skills to the next level. This day gives participants a wealth of knowledge about dynamic instrumentation capabilities on Android.
Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4
Top 3 takeaways students will learn:
- Learn how to find vulnerabilities through mobile app analysis alone, without even having access to the physical device
- Identify and exploit mobile app security vulnerabilities as efficiently as possible
- Improve your mobile security testing process by leveraging a number of open source tools, as well as the many tips and tricks the instructors have gathered over years of mobile app penetration testing
Completing this training ensures attendees will be competent and able to:
- Intercept mobile app network communications
- Bypass certificate and public key pinning protections
- Bypass root detection
- Reverse engineer and analyze mobile apps from a blackbox perspective
- Review mobile app source code to identify security flaws
- Perform a mobile app security review
Course Outline:
Day 1: Hacking Android Apps by Example
Part 0 - Android Security Crash Course
- The state of Android Security
- Android security architecture and its components
- Android apps and the filesystem
- Android app signing, sandboxing and provisioning
- Recommended lab setup tips
Part 1 - Static Analysis with Runtime Checks
- Tools and techniques to retrieve/decompile/reverse and review APKs
- Identification of the attack surface of Android apps and general information gathering
- Identification of common vulnerability patterns in Android apps:
+ Hardcoded secrets
+ Logic bugs
+ Access control flaws
+ Intents
+ Cool injection attacks and more
- The art of repackaging:
+ Tips to get around not having root
+ Manipulating the Android Manifest
+ Defeating SSL/TLS pinning
+ Defeating root detection
+ Dealing with apps in foreign languages and more
Part 2 - Dynamic Analysis
- Monitoring data: LogCat, Insecure file storage, Android Keystore, etc.
- The art of MitM: Intercepting Network Communications
- The art of Instrumentation: Hooking with Xposed
- App behaviour monitoring at runtime
- Defeating Certificate Pinning and root detection at runtime
- Modifying app behaviour at runtime
Part 3 - Test Your Skills
- CTF time, including finding vulnerabilities through app analysis
Day 2: Leveling Up Your Android Instrumentation Kung-fu
Part 1: Frida & Objection on Android
- Focus on Dynamic Analysis
- Practical Frida scripts and labs
- Useful Objection labs and modules
Part 2: radare2 & r2frida on Android
- Introduction to radare2 & r2frida
- Multiple scenarios with radare2, r2frida and other tools to improve your instrumentation workflows
- Multiple case studies & exercises
Part 3: RMS on Android
- Automating instrumentation with RMS on Android
- Defeating certificate pinning with instrumentation
- Root detection bypasses with instrumentation
- Multiple practical instrumentation exercises
Part 4: Test your Skills
- CTF time
Difficulty Level:
Intermediate - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.
Suggested Prerequisites:
This course has no prerequisites as it is designed to accommodate students with different skills:
- Advanced students will enjoy comprehensive labs, extra miles and CTF challenges
- Less experienced students complete what they can during the class, and can continue at their own pace from home using the training portal
This said, the more you learn about the following ahead of the course, the more you will get out of the course:
- Linux command line basics
- Android basics
What Students Should Bring:
A laptop with the following specifications:
- Ability to connect to wireless and wired networks
- Ability to read PDF files
- Administrative rights: USB allowed, the ability to deactivate AV and firewall, install tools, etc.
- Knowledge of the BIOS password, in case VT (hardware virtualization) is disabled
- Minimum 8GB of RAM (recommended: 16GB+)
- 60GB+ of free disk space (to copy a lab VM and other goodies)
- VirtualBox 6.0 or greater, including the “VirtualBox Extension Pack”
- Genymotion (can be the free version)
- A mobile phone capable of receiving text messages
- Optional but useful: one of the following for MitM: Burp Suite, ZAP or Fiddler
What the Trainer Will Provide:
- Lifetime access to the training portal, with all course materials
- Unlimited access to future updates and step-by-step video recordings
- Unlimited email support, if you need help while you practice at home later
- Government-mandated and police apps in various countries
- Many other excitingly vulnerable real-world apps
- IoT apps controlling Toys, Drones, etc.
- Digital copies of all training material
- Custom-built lab VMs
- Purpose-built vulnerable test apps
- Source code for test apps
Trainer(s) Bio:
After 17 years in IT security and 24 in IT, Abraham Aranguren is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. He is co-author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses, and a security trainer at Black Hat USA, HITB, OWASP Global AppSec and many other events. He is the project leader of OWASP OWTF, an OWASP flagship project (owtf.org), and holds a Major degree and Diploma in Computer Science, plus certifications including CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security and Security+. As a shell scripting fan trained by Unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity, @7a_ and @owtfp, and at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications
Abhishek J M is a Security Trainer at 7ASecurity and a Lead Security Engineer at CRED, with a primary focus on Android and mobile application security. He maintains and leads well-known mobile security projects such as Adhrit and EVABS and has presented this work at Black Hat Asia, Black Hat USA, Black Hat Europe, OWASP AppSec New Zealand, 44CON, ThreatCon, c0c0n, and other international events. His tool Adhrit has been covered by The Daily Swig by PortSwigger.
Over the years, Abhishek has delivered mobile security training at conferences such as OWASP AppSec New Zealand, 44CON, ThreatCon, c0c0n, Shu-ha-ri Labs, and many other events. He has also spoken at community meetups including CysInfo and Team bi0s meetups, and was an assisting trainer at the International Summer School for Information Security and Protection. His current work focuses on practical bypasses for root detection, certificate pinning, and runtime protections in real-world mobile applications.
Anirudh Anand is a security researcher with a primary focus on web and mobile application security. He is currently a Senior Security Engineer at CRED and a Security Trainer at 7ASecurity. He has been submitting bugs and contributing to security tools for over 7 years. In his free time, he participates in CTF competitions with Team bi0s (the #1 security team in India according to CTFtime). His bounties include vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, SendGrid, GitLab, Gratipay and Flipboard.
Anirudh is an open source enthusiast and has contributed to several OWASP projects, most notably OWTF and the Hackademic Challenges Project. He has presented or trained at a multitude of conferences, including c0c0n 2019, Black Hat Arsenal 2019, Black Hat Europe Arsenal 2018, HITB Dubai 2018, Offzone Moscow 2018, Ground Zero Summit Delhi 2015 and Xorconf 2015.
Amrudesh Balakrishnan is a Senior Mobile Security Engineer who secures the mobile ecosystem of one of India’s leading fintech platforms. Coming from an Android development background rather than a pure security track, he champions a “developer-first” approach to security: designing controls that are built in, not bolted on. At CRED, he works on the Mobile Security Research team, partnering closely with engineering groups to embed security into the product lifecycle rather than treating it as an afterthought. At 7ASecurity, he continually improves the mobile security courses.
He is the creator of MORF (Mobile Reconnaissance Framework), an open-source tool designed to prevent secret leakage in CI/CD pipelines, which has gained global visibility through presentations at Black Hat Arsenal Asia, Black Hat USA, and Black Hat Europe. Amrudesh regularly delivers in-depth mobile security training at conferences including Nullcon, c0c0n, and THREAT CON, and is an active community contributor through talks at Null community events and Team bi0s meetups. He holds a Master of Computer Applications (MCA) from Amrita Vishwa Vidyapeetham, where he built his foundations in security as a CTF player with Team bi0s.
His current research focuses on the intersection of AI and product security, where he is exploring pragmatic methods to secure Generative AI systems and Large Language Models (LLMs) against modern attack patterns, work aimed at shaping how security engineering is practiced in an increasingly AI-driven landscape.
Proficiency Exam Option:
This course has the option for a proficiency certificate add-on.
A "7CMP Android" certification will be issued to those who pass the 48-hour hacking challenge, in which a professional penetration test must be carried out against an Android app. Student results are verified and compared against what our own team finds in the same test, and a minimum percentage of the issues uncovered must be met to pass. This is a very hard certification and most people who try fail; do not attempt it until you have completed the course in full.
Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.
Registration Terms and Conditions:
Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.
Between July 11, 2026 and August 5, 2026, partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.
All trainings are non-refundable after August 5, 2026.
Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.