c0c0n 2026

c0c0n is a 19 years old platform that is aimed at providing opportunities to showcase, educate, understand and spread awareness on Information Security, data protection, and privacy...

Venue & Date

Contact Us

  • Home
  • Trainings
  • Hacking Android, iOS and IoT apps by Example - 2026 Edition

Hacking Android, iOS and IoT apps by Example - 2026 Edition

c0c0n 3-Day Professional Training

Hacking Android, iOS and IoT apps by Example - 2026 Edition

Course Objective:

This course will take any student and ensure that:
Their overall proficiency in mobile security is significantly higher than when they arrived. The skills acquired can be immediately applied to Android, iOS, and IoT security assessments.

Their skills can be continuously sharpened via ongoing, free access to the training portal and updated 2026 Edition content.

They are equipped to defeat common mobile assessment challenges such as root/jailbreak detection, certificate/public key pinning, lack of source code, and limited device access.

Students new to mobile security gain a solid, practical foundation in Android and iOS security testing.

Advanced students leave with enhanced workflows and deeper insights into cross‐platform and IoT‐centric assessments.

All skills taught are practical, field‐tested, and directly applicable to real‐world penetration tests and code reviews.

Training Abstract

This course is the culmination of years of hands-on penetration testing of Android, iOS, and IoT ecosystems, plus countless hours of focused research by the 7ASecurity team. It is structured around the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). As a result, it not only covers the OWASP Mobile Top Ten but also the attack vectors that actually show up in modern production environments.

The 2026 Edition updates all labs, examples, and case studies with findings from recent 7ASecurity engagements: VPN clients, secure messaging apps, censorship‐circumvention tools, connected toys, mobile‐controlled devices, and government‐mandated apps, among others. The material is drawn from real issues in real apps, not artificial lab‐only vulnerabilities.

7ASecurity is an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter that focuses on researcher‐led, heavily manual penetration tests and secure code audits. Lessons learned from these engagements—performed for organizations such as the Linux Foundation, Mozilla, the Tor Project, and others—feed directly into the course material, labs, and case studies.

Our courses are 100% hands-on. Instead of long slide decks, you get practical challenges and guidance to solve them, learning how to troubleshoot common problems and build efficient workflows. To keep both new and advanced students engaged, the content is intentionally comprehensive. In practice, no student has completed every challenge during the live class—which is why training continues after the event through our frequently updated training portal, for which you receive lifetime access and unlimited email support.

Day 1 – Android & IoT : We start with Android security architecture, then deep‐dive into static and dynamic analysis of Android apps, with a strong emphasis on finding IoT vulnerabilities via app and API analysis. The day ends with an Android & IoT‐focused CTF.

Day 1 – iOS & IoT: : We cover iOS architecture and defenses before performing static and dynamic analysis of iOS apps, including jailbreak detection and pinning bypasses and iOS‐specific secure storage issues. The day closes with an iOS & IoT CTF.

Day 3 – Cross‐platform Instrumentation: We focus on advanced dynamic instrumentation on both Android and iOS, mainly using Frida and Objection along with Xposed and related tooling. You will learn how to overcome common challenges and build powerful runtime hooks and automation, culminating in a cross‐platform instrumentation CTF.

Teaser Video: :

video


Get a free taste of this training, including access to video recordings, slides, and vulnerable apps to play with:

https://7asecurity.com/free-workshop-mobile-practical, https://7asecurity.com/free-workshop-mobile-deeplinks-xss

Attendees will be provided with

  • Lifetime access to the training portal, containing all course materials.
  • Unlimited access to future updates and step‐by‐step video recordings, including new labs for the 2026 Edition and beyond.
  • Unlimited email support for questions while you practice at home or on the job.
  • Access to government‐mandated and police apps from various countries (where legally shareable).
  • Many other real‐world inspired vulnerable apps for both Android and iOS.
  • IoT controller apps for toys, drones, and other devices, designed for remote‐only analysis.
  • Digital copies of all training material (slides, lab guides, references).
  • Custom‐built lab virtual machines to minimize setup time.
  • Purpose‐built vulnerable test apps.
  • Source code for test apps (where applicable) to support code review exercises.

Topics Included

  • Review of common flaws in Android and iOS apps, and IoT ecosystems, both in source code and at runtime.
  • Modification of app behavior through code changes, repackaging, patching, and configuration changes.
  • Interception and analysis of network communications (MitM) for mobile and IoT applications.
  • Jailbreak/Root detection bypasses and app review from a privileged standpoint.
  • Instrumentation and runtime tampering (review and modification of app behavior) using modern tooling.
  • CTF challenges across both days that allow attendees to test and reinforce what they have learned.

Why should you take this course?

This is more than a typical “physical attendance” course. You receive the full 2‐day live intensive plus lifetime access to a training portal with step‐by‐step video recordings, slides, and lab exercises—including all future updates to the 2026 Edition at no additional cost.

Students can learn at their own pace during and after the course. Portal access ensures that topics can be reviewed on demand, for example right before a new engagement or when facing a tricky Android/iOS/IoT issue.

The training is built entirely from real vulnerabilities observed in real applications, not fabricated lab vulnerabilities that never appear in practice. You will see patterns from actual 7ASecurity penetration tests and code audits across multiple industries and countries.

The goal is to start from core concepts and ensure that each student leaves with a much higher level of proficiency in mobile penetration testing. You will learn how to: Identify the attack surface of Android, iOS, and IoT apps. Exploit interesting vulnerabilities and misconfigurations. Communicate and validate effective fixes.

From defeating root/jailbreak detection and certificate pinning, to modifying app behavior at runtime and inspecting what apps are really doing, this course emphasizes effective, repeatable techniques you can take back to your day job.

Because the course has been written and refined by professional mobile app penetration testers over many years, it includes practical tips on where to focus, how to leverage automation safely, and how to make your testing both faster and more thorough.

Top 3 takeaways students will learn
Finding IoT vulnerabilities without the device

Learn how to uncover IoT vulnerabilities using only the Android and iOS apps and their APIs, even when you never have physical access to the hardware.

Efficiently identifying and exploiting mobile app security vulnerabilities

Build a repeatable, MSTG‐aligned workflow for finding and exploiting vulnerabilities in Android and iOS apps, from static analysis and repackaging to dynamic analysis and runtime instrumentation.

Leveling up your mobile security testing process with modern tooling

Improve your Android and iOS testing process by leveraging open source tools and frameworks and by applying battle‐tested tips and tricks shared by instructors with years of mobile app penetration testing experience.

Upon Completion of this training, attendees will know

Completing this training ensures attendees will be competent and able to:

  • Intercept and analyze mobile app network communications for Android, iOS, and IoT use cases.
  • Bypass certificate and public key pinning protections in mobile apps.
  • Bypass jailbreak and root detection using both static (patching/repackaging) and dynamic (instrumentation) techniques.
  • Reverse engineer and analyze mobile apps from a black‐box perspective, including APK/IPA extraction, decompilation, and static review.
  • Review mobile app source code (where available) to identify and confirm security flaws.
  • Plan and perform a mobile app security review aligned with OWASP MSTG/MASVS, covering Android, iOS, and IoT attack surfaces.


Day 1: Hacking Android & IoT Apps by Example
Part 0 – Android Security Crash Course
  • The state of Android security in 2026.
  • Android security architecture and its core components (permissions, sandboxing, SELinux basics, UID/GID isolation).
  • Android apps and the filesystem: where apps store data and how it is protected (or not).
  • Android app signing, sandboxing, and provisioning basics.
  • Recommended lab setup tips to get the most out of the course.
Part 1 – Static Analysis with Runtime Checks
  • Tools and techniques to retrieve, decompile, reverse, and review APKs.
  • Identification of the attack surface of Android apps and general information gathering.
  • Identification of common vulnerability patterns in Android apps, including:
  • Hardcoded secrets and API keys
  • Logic bugs and insecure workflows
  • Access control flaws (client‐side and server‐side manifestations)
  • Intent handling and abuse (implicit intents, exported components)
  • Injection opportunities and other common pitfalls
  • The art of repackaging: Tips to get around not having root, Manipulating the Android Manifest (permissions, exported components, debuggable flags, etc.), defeating SSL/TLS pinning statically (patching checks, instrumentation hooks), defeating root detection via code modification, dealing with apps in foreign languages using code and resource analysis.
Part 2 – Dynamic Analysis
  • Monitoring data at rest and at runtime:
  • Logcat usage and log leakage.
  • Insecure file storage patterns.
  • Android Keystore pitfalls and misuse.
  • The art of MitM: intercepting network communications from Android and IoT apps.
  • The art of instrumentation with Xposed and related frameworks.
  • App behavior monitoring at runtime (API calls, sensitive flows, trust decisions).
  • Defeating certificate pinning and root detection at runtime.
  • Modifying app behavior at runtime to unlock hidden functionality, bypass checks, or simulate edge cases.
Part 3 – Test Your Skills (Day 1 CTF)
  • CTF time, including:
  • Finding vulnerabilities in Android apps through static and dynamic analysis.
  • Identifying IoT vulnerabilities through Android app analysis alone (no device required).
Day 2: Hacking iOS & IoT Apps by Example
Part 0 – iOS & IoT Security Crash Course
  • The state of iOS and IoT security in 2026.
  • iOS security architecture and its components (sandboxing, entitlements, keychain, secure enclave basics).
  • iOS app signing, provisioning profiles, and sandboxing.
  • How iOS apps interact with the filesystem, keychain, and hardware.
  • Typical iOS + IoT communication patterns (Bluetooth, Wi‐Fi, cloud APIs, push‐based control).
  • Recommended lab setup tips to get the most out of the 1‐day course.
Part 1 – Static Analysis with Runtime‐Aware Thinking
  • Tools and techniques to retrieve, decompile, reverse, and review IPA files.
  • Identifying the attack surface of iOS apps and performing effective information gathering.
  • Identifying common vulnerability patterns in iOS apps, including:
  • Hardcoded secrets and API keys
  • Logic bugs and authorization flaws
  • Insecure URL schemes / URL handlers and deeplinks
  • Access control flaws at the API and UI layers
  • Injection opportunities (JavaScript bridges, URL handlers, etc.)
  • Patching and re‐signing iOS binaries to alter app behavior.
  • Tips to test without a jailbreak when devices are locked‐down.
Part 2 – Dynamic Analysis & Instrumentation
  • Monitoring data at rest and in use:
  • Caching and logs
  • App files and insecure file storage
  • iOS keychain misuse and leakage
  • Crypto flaws in iOS and IoT apps (home‐rolled crypto, weak storage, predictable keys).
  • The art of MitM: intercepting network communications for iOS and IoT devices.
  • Defeating certificate pinning and jailbreak detection at runtime.
  • Instrumentation with Frida and Objection to:
  • Monitor app behavior at runtime
  • Bypass security checks with minimal friction
  • Modify app behavior (e.g., forcing hidden debug options, bypassing logic checks)
Part 3 – Test Your Skills (CTF)
  • CTF‐style challenges where attendees:
  • Chain static and dynamic analysis techniques learned throughout the day.
  • Find and exploit vulnerabilities in iOS apps controlling IoT devices.
  • Demonstrate how to discover IoT flaws using only the mobile app and APIs.
Day 3: Leveling up your Android & iOS Instrumentation Kung-fu
Part 1 – In‐Depth Instrumentation on Android
  • Focus on Dynamic Analysis for Android.
  • Useful Xposed modules and labs for rapidly hooking target apps.
  • Practical Frida scripts and labs for the most common tasks (bypasses, tracing, patching).
  • Useful Objection labs and modules to quickly assess Android apps.
  • Defeating certificate pinning using instrumentation.
  • Root detection bypasses with instrumentation.
  • Multiple practical instrumentation exercises building reusable workflows.
Part 2 – In‐Depth Instrumentation on iOS
  • Focus on Dynamic Analysis for iOS.
  • Hooking with Frida on iOS (common patterns and gotchas).
  • Practical Frida scripts and labs tailored to iOS apps.
  • Useful Objection labs and modules for iOS assessment.
  • Defeating certificate pinning with instrumentation.
  • Jailbreak detection bypasses with instrumentation.
  • Multiple practical instrumentation exercises demonstrating cross‐app and cross‐platform techniques.
Part 3 – Test Your Skills (Instrumentation CTF)
  • Cross‐platform instrumentation challenges on both Android and iOS.
  • Combining static analysis, dynamic analysis and automation to break hardened mobile apps and uncover IoT issues.
Hardware & Software: Attendees should bring

A laptop with the following specifications:

  • Ability to connect to wireless and wired networks.
  • Ability to read PDF files
  • Administrative rights: USB allowed, the ability to deactivate AV, firewall, install tools, etc
  • Knowledge of the BIOS password, in case VT is disabled.
  • Minimum 8GB of RAM (recommended: 16GB+)
  • 60GB+ of free disk space (to copy a lab VM and other goodies)
  • VirtualBox 6.0 or greater, including the “VirtualBox Extension Pack”
  • Genymotion (can be the free version)
  • A mobile phone capable of receiving text messages
  • A jailbroken iPhone / iDevice with iOS >=12 (ideally: iOS 14+) for the iOS labs
  • NOTE: For physical training sessions the instructor will bring some jailbroken phones for testing, however, you are encouraged to bring your own for the best possible experience.
  • Optional but useful: One of the following BurpSuite, ZAP or Fiddler (for MitM)
  • Optional but useful: A Mac/Hackintosh with the latest XCode installed, for iOS code review & labs

Student / Prerequisites for attendees

  • This course has no strict prerequisites and is designed to accommodate students with different skill levels:
  • Advanced students will enjoy comprehensive labs, extra‐mile challenges, and CTF tasks that push beyond the basics.
  • Less experienced students complete what they can during the class and continue at their own pace from home using the training portal and recordings.
  • That said, the more you are familiar with the following ahead of time, the more you will get out of the course:
  • Basic Linux command‐line usage.
  • Basic understanding of Android/iOS and mobile app concepts (not mandatory, but helpful).

Who should attend

  • Any mobile developer, penetration tester, red teamer, security engineer, or person interested in iOS and IoT security will benefit from attending this training, regardless of initial skill level.
  • The course is suitable for beginners, intermediate, and advanced students: Beginners are introduced to mobile and IoT app security from the ground up.
  • Intermediate and advanced learners deepen and refine their skills with realistic labs and extra‐mile challenges.
  • The course is structured so that every attendee significantly improves their Android, iOS and IoT security auditing skills:
  • If you are new and cannot complete all labs during the class, that is completely fine. You keep full access to the training portal and can continue at your own pace after the event.
  • If you are more advanced, you can aim to complete all labs in class and then move on to CTF challenges and additional exercises available on the portal.

What to expect:

  • Lifetime access to the training portal (including all future updates), unlimited email support, and access to private groups to communicate with other students.
  • Access to a range of interesting Android, iOS and IoT apps from various countries and sectors, including government‐mandated, police, and consumer IoT controller apps.
  • A fully practical class that will significantly improve your Android, iOS and IoT application security knowledge and skills, regardless of your starting point.
  • Battle‐tested tips and techniques that you can apply immediately in your daily work, making security testing of mobile and IoT apps as efficient and effective as possible.
  • Intensive hands‐on exercises, guided by instructors who regularly perform production‐grade penetration tests and code audits in this domain.

What not to expect:

This is more than a typical one‐day course: you receive lifetime access to a training portal with step‐by‐step video recordings, slides, and lab exercises, including all future updates at no additional cost—but the live session is focused on hands‐on work, not slide‐driven lectures.

    The course does not cover:
  • Android/iOS 0‐day research
  • Kernel‐level exploits for Android/iOS or other platforms
  • ARM exploit writing
  • Developing buffer or heap overflows from scratch

Do not expect instructors to talk through slides most of the time. This class is practical, not theoretical: you’ll spend the majority of your time working on exercises while instructors help you solve the challenges you encounter.

Trainer(s)

Abhishek J M

Abhishek J M

Security Trainer at 7ASecurity
Security Engineer at CRED

Amrudesh Balakrishnan

Amrudesh Balakrishnan

Senior Mobile Security Engineer | Developer | Researcher
Security Trainer at 7ASecurity, Security Engineer at CRED

Training Information

  • Duration 3 Day Training
  • Dates 6th Oct, 2026 to 8th Oct, 2026
  • Time 09:30 IST - 17:30 IST
  • Venue Grand Hyatt, Bolgatty, Kochi, Kerala

Register Now