{"product_id":"hacking-android-apps-by-example-abraham-aranguren-abhishek-j-m-anirudh-anand-dctlv2026","title":"Hacking Android and IOT Apps by Example - Abraham Aranguren, Abhishek J M, Anirudh Anand \u0026 Amrudesh Balakrishnan - DCTLV2026","description":"\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eName of Training\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e Hacking Android and IoT Apps by Example\u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eTrainer(s)\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e Abraham Aranguren, Abhishek J M, Anirudh Anand, and Amrudesh Balakrishnan\u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eDates\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e August 10-11, 2026\u003cbr\u003e\u003c\/span\u003e\u003cspan\u003e\u003cstrong\u003eTime:\u003c\/strong\u003e 8\u003c\/span\u003e\u003cspan\u003e:00 am to 5:00 pm \u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eVenue\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e Las Vegas Convention Center\u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eCost\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e: \u003c\/strong\u003e$2,250 (USD)\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eShort Summary:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003eThis course is a 100% hands-on deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). This course covers and goes beyond the OWASP Mobile Top Ten.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eCourse Description: \u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003eThis course is the culmination of years of experience gained via practical penetration testing of mobile applications as well as countless hours spent in research. 
We have structured this course around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten. This course provides participants with actionable skills that can be applied immediately from day 1.\u003c\/p\u003e\n\u003cp\u003ePlease note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. As we try to keep both new and advanced students happy, the course is very comprehensive and we have not met any student able to complete all challenges during the class, therefore training continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.\u003c\/p\u003e\n\u003cp\u003eGet a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:\u003c\/p\u003e\n\u003cp\u003e4 hour workshop - https:\/\/7asecurity.com\/free-workshop-mobile-practical\u003c\/p\u003e\n\u003cp\u003eEach section starts with a brief introduction to the mobile platform for that section and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.\u003c\/p\u003e\n\u003cp\u003e\u003cspan style=\"text-decoration: underline;\"\u003eDay 1\u003c\/span\u003e: Focused specifically on Android: We start with understanding applications and then deep dive into static and dynamic analysis of the applications at hand.\u003cbr\u003eThis section is packed with hands-on exercises and CTF-style challenges.\u003c\/p\u003e\n\u003cp\u003e\u003cspan style=\"text-decoration: underline;\"\u003eDay 2\u003c\/span\u003e: We cover advanced instrumentation techniques using Frida, Objection, 
radare2, r2frida, RMS and other tools to overcome assessment challenges and take your skills to the next level. This day will give people a wealth of knowledge in dynamic instrumentation capabilities on Android.\u003c\/p\u003e\n\u003cp\u003eTeaser Video: https:\/\/www.youtube.com\/watch?v=Re5oqfVkgd4\u003c\/p\u003e\n\u003cp\u003eTop 3 takeaways students will learn:\u003cbr\u003e- Learn how to find vulnerabilities without even access to the physical device via mobile app analysis only.\u003cbr\u003e- Identify and exploit mobile app security vulnerabilities as efficiently as possible.\u003cbr\u003e- Improve your mobile security testing process leveraging a number of open source tools, as well as lots of tips and tricks shared by the instructors after years of mobile app penetration testing.\u003c\/p\u003e\n\u003cp\u003eCompleting this training ensures attendees will be competent and able to:\u003cbr\u003e- Intercept mobile app network communications\u003cbr\u003e- Bypass certificate and public key pinning protections\u003cbr\u003e- Bypass root detection\u003cbr\u003e- Reverse engineer and analyze mobile apps from a blackbox perspective\u003cbr\u003e- Review mobile app source code to identify security flaws\u003cbr\u003e- Perform a mobile app security review\u003c\/p\u003e\n\u003cp\u003e\u003cspan\u003e\u003cstrong\u003eCourse Outline: \u003c\/strong\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eDay 1: Hacking Android Apps by Example \u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003ePart 0 - Android Security Crash Course\u003cbr\u003e- The state of Android Security\u003cbr\u003e- Android security architecture and its components\u003cbr\u003e- Android apps and the filesystem\u003cbr\u003e- Android app signing, sandboxing and provisioning\u003cbr\u003e- Recommended lab setup tips\u003c\/p\u003e\n\u003cp\u003ePart 1 - Static Analysis with Runtime Checks\u003cbr\u003e- Tools and techniques to retrieve\/decompile\/reverse and review 
APKs\u003cbr\u003e- Identification of the attack surface of Android apps and general information gathering\u003cbr\u003e- Identification of common vulnerability patterns in Android apps:\u003cbr\u003e     + Hardcoded secrets\u003cbr\u003e     + Logic bugs\u003cbr\u003e     + Access control flaws\u003cbr\u003e     + Intents\u003cbr\u003e     + Cool injection attacks and more\u003cbr\u003e- The art of repackaging:\u003cbr\u003e     + Tips to get around not having root\u003cbr\u003e     + Manipulating the Android Manifest\u003cbr\u003e     + Defeating SSL\/TLS pinning\u003cbr\u003e     + Defeating root detection\u003cbr\u003e     + Dealing with apps in foreign languages and more\u003c\/p\u003e\n\u003cp\u003ePart 2 - Dynamic Analysis\u003cbr\u003e- Monitoring data: LogCat, Insecure file storage, Android Keystore, etc.\u003cbr\u003e- The art of MitM: Intercepting Network Communications\u003cbr\u003e- The art of Instrumentation: Hooking with Xposed\u003cbr\u003e- App behaviour monitoring at runtime\u003cbr\u003e- Defeating Certificate Pinning and root detection at runtime\u003cbr\u003e- Modifying app behaviour at runtime\u003c\/p\u003e\n\u003cp\u003ePart 3 - Test Your Skills\u003cbr\u003e- CTF time, including finding vulnerabilities through app analysis\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eDay 2: Leveling Up Your Android Instrumentation Kung-fu\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003ePart 1: Frida \u0026amp; Objection on Android\u003cbr\u003e- Focus on Dynamic Analysis\u003cbr\u003e- Practical Frida scripts and labs\u003cbr\u003e- Useful Objection labs and modules\u003cbr\u003e\u003c\/p\u003e\n\u003cp\u003ePart 2: radare2 \u0026amp; r2frida on Android\u003cbr\u003e- Introduction to radare2 \u0026amp; r2frida\u003cbr\u003e- Multiple scenarios with radare2, r2frida and other tools to improve your instrumentation workflows\u003cbr\u003e- Multiple case studies \u0026amp; exercises\u003cbr\u003e\u003c\/p\u003e\n\u003cp\u003ePart 3: RMS on 
Android\u003cbr\u003e- Automating instrumentation with RMS on Android\u003cbr\u003e- Defeating certificate pinning with instrumentation\u003cbr\u003e- Root detection bypasses with instrumentation\u003cbr\u003e- Multiple practical instrumentation exercises\u003cbr\u003e\u003c\/p\u003e\n\u003cp\u003ePart 4: Test your Skills\u003cbr\u003e- CTF time\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDifficulty Level:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003eIntermediate - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eSuggested Prerequisites:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003eThis course has no prerequisites as it is designed to accommodate students with different skills:\u003c\/p\u003e\n\u003cp\u003e- Advanced students will enjoy comprehensive labs, extra miles and CTF challenges\u003cbr\u003e- Less experienced students complete what they can during the class, and can continue at their own pace from home using the training portal.\u003c\/p\u003e\n\u003cp\u003eThis said, the more you learn about the following ahead of the course, the more you will get out of the course:\u003cbr\u003e- Linux command line basics\u003cbr\u003e- Android basics\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eWhat Students Should Bring: \u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003eA laptop with the following specifications:\u003cbr\u003e- Ability to connect to wireless and wired networks\u003cbr\u003e- Ability to read PDF files\u003cbr\u003e- Administrative rights: USB allowed, the ability to deactivate AV, firewall, install tools, etc.\u003cbr\u003e- Knowledge of the BIOS password, in case VT is disabled.\u003cbr\u003e- Minimum 8GB of RAM (recommended: 
16GB+)\u003cbr\u003e- 60GB+ of free disk space (to copy a lab VM and other goodies)\u003cbr\u003e- VirtualBox 6.0 or greater, including the “VirtualBox Extension Pack”\u003cbr\u003e- Genymotion (can be the free version)\u003cbr\u003e- A mobile phone capable of receiving text messages\u003cbr\u003e- Optional but useful: One of the following: BurpSuite, ZAP or Fiddler (for MitM)\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eWhat the Trainer Will Provide: \u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e- Lifetime access to training portal, with all course materials\u003cbr\u003e- Unlimited access to future updates and step-by-step video recordings\u003cbr\u003e- Unlimited email support, if you need help while you practice at home later\u003cbr\u003e- Government-mandated and police apps in various countries\u003cbr\u003e- Many other excitingly vulnerable real-world apps\u003cbr\u003e- IoT apps controlling Toys, Drones, etc.\u003cbr\u003e- Digital copies of all training material\u003cbr\u003e- Custom Built Lab VMs\u003cbr\u003e- Purpose Built Vulnerable Test apps\u003cbr\u003e- Source code for test apps\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eTrainer(s) Bio:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003eAfter 17 years in itsec and 24 in IT, \u003cstrong\u003eAbraham Aranguren\u003c\/strong\u003e is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web\/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. 
He writes on Twitter as @7asecurity @7a_ @owtfp or https:\/\/7asecurity.com\/blog. Multiple presentations, pentest reports and recordings can be found at\u003cbr\u003ehttps:\/\/7asecurity.com\/publications\u003cbr\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eAbhishek J M\u003c\/strong\u003e is a Security Trainer at 7ASecurity and a Lead Security Engineer at CRED with a primary focus on Android and Mobile Application Security. He maintains and leads well known mobile security projects such as Adhrit and EVABS and has presented this work at Black Hat Asia, Black Hat USA, Black Hat Europe, OWASP AppSec New Zealand, 44CON, ThreatCon, c0c0n, and other international events. His tool Adhrit has been covered by The Daily Swig by PortSwigger.\u003c\/p\u003e\n\u003cp\u003eOver the years, Abhishek has delivered mobile security training at conferences such as OWASP AppSec New Zealand, 44CON, ThreatCon, c0c0n, Shu-ha-ri Labs, and many other events. He has also spoken at community meetups including CysInfo and Team bi0s meetups and was an assisting trainer at the International Summer School for Information Security and Protection. His current work focuses on practical bypasses for root detection, certificate pinning, and runtime protections in real world mobile applications.\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eAnirudh Anand\u003c\/strong\u003e is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Senior Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 7 years. In his free time, he participates in CTF competitions along with Team bi0s (#1 security team in India according to CTFtime). 
His bounties involve vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, Sendgrid, Gitlab, Gratipay and Flipboard.\u003c\/p\u003e\n\u003cp\u003eAnirudh is an open source enthusiast and has contributed to several OWASP projects with notable contributions being in OWTF and Hackademic Challenges Project. He has presented\/trained in a multitude of conferences including c0c0n 2019, BlackHat Arsenal 2019, BlackHat Europe Arsenal 2018, HITB Dubai 2018, Offzone Moscow 2018, Ground Zero Summit Delhi 2015 and Xorconf 2015.\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eAmrudesh Balakrishnan\u003c\/strong\u003e is a Senior Mobile Security Engineer, where he secures the mobile ecosystem of one of India’s leading fintech platforms. Coming from an Android development background rather than a pure security track, he champions a “developer-first” approach to security—designing controls that are built in, not bolted on. At CRED, he works on the Mobile Security Research team, partnering closely with engineering groups to embed security into the product lifecycle rather than treating it as an afterthought. At 7ASecurity, he constantly improves mobile security courses.\u003c\/p\u003e\n\u003cp\u003eHe is the creator of MORF (Mobile Reconnaissance Framework), an open-source tool designed to prevent secret leakage in CI\/CD pipelines, which has gained global visibility through presentations at Black Hat Arsenal Asia, Black Hat USA, and Black Hat Europe. Amrudesh regularly delivers in-depth mobile security training at conferences including Nullcon, c0c0n, and THREAT CON, and is an active community contributor through talks at Null community events and Team bi0s meetups. 
He holds a Master of Computer Applications (MCA) from Amrita Vishwa Vidyapeetham, where he built his foundations in security as a CTF player with Team bi0s.\u003c\/p\u003e\n\u003cp\u003eHis current research focuses on the intersection of AI and product security, where he is exploring pragmatic methods to secure Generative AI systems and Large Language Models (LLMs) against modern attack patterns—work aimed at shaping how security engineering is practiced in an increasingly AI-driven landscape.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eProficiency Exam Option:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003eThis course has the option for a proficiency certificate add-on. \u003c\/p\u003e\n\u003cp\u003eA \"7CMP Android\" certification will be issued to those who pass the 48 hour hacking challenge where a professional penetration test should be carried out against an Android app, student results will be verified and compared against what our own team finds in the same test and a minimum % of the issues uncovered must be met to pass. 
This is a very hard certification, most people who try fail, do not attempt until you have completed the course in full.\u003cbr\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003ePlease reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.\u003cstrong\u003e\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eRegistration Terms and Conditions: \u003c\/strong\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eTrainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eBetween July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eAll trainings are non-refundable after August 5, 2026.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eTraining tickets may be transferred to another student. Please email us at training@defcon.org for specifics.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eIf a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eFailure to attend the training without prior written notification will be considered a no-show. 
No refund will be given.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eDEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eBy purchasing this ticket you agree to abide by the \u003c\/span\u003e\u003ca href=\"https:\/\/defcon.org\/html\/links\/dc-code-of-conduct.html\"\u003e\u003cspan\u003eDEF CON Training Code of Conduct\u003c\/span\u003e\u003c\/a\u003e\u003cspan\u003e and the registration terms and conditions listed above.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eSeveral breaks will be included throughout the day. Please note that food is not included.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eAll courses come with a certificate of completion, contingent upon attendance at all course sessions. 
Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.\u003c\/span\u003e\u003c\/p\u003e","brand":"Las Vegas 2026","offers":[{"title":"Course only - Aug 10-11","offer_id":47691201937626,"sku":null,"price":2050.0,"currency_code":"USD","in_stock":true},{"title":"Course + Proficiency Exam - Aug 10-11","offer_id":47697610539226,"sku":null,"price":2350.0,"currency_code":"USD","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0629\/2088\/4442\/files\/AbrahamA.png?v=1774882549","url":"https:\/\/training.defcon.org\/products\/hacking-android-apps-by-example-abraham-aranguren-abhishek-j-m-anirudh-anand-dctlv2026","provider":"defcontrainings","version":"1.0","type":"link"}