CNIT 128: Hacking Mobile Devices

36895 Weds 06:10-09:00 pm SCIE 100

Spring 2015 Sam Bowne



Catalog Description

Mobile devices such as smartphones and tablets are now used for making purchases, sending email, social networking, and many other risky activities. These devices run specialized operating systems that have many security problems. This class will cover how mobile operating systems and apps work, how to find and exploit vulnerabilities in them, and how to defend them. Topics will include phone call, voicemail, and SMS intrusion, jailbreaking, rooting, NFC attacks, malware, browser exploitation, and application vulnerabilities. Hands-on projects will include as many of these activities as are practical and legal.

Advisory: CNIT 113 and 123, or equivalent familiarity with hacking computers and operating mobile devices

Upon successful completion of this course, the student will be able to:
  1. Describe the risks of using mobile devices for common activities such as making phone calls, emailing, and shopping
  2. Explain cellular network functions, attacks, and countermeasures for voice calls, voicemail, and SMS
  3. Perform and analyze jailbreaks for iOS devices
  4. Analyze the Android security model and rooting
  5. Recognize types of mobile malware and anti-malware options
  6. Identify Web browser services and attacks on mobile platforms and recommend countermeasures
  7. Configure and defeat locking, remote location and wiping services
  8. Explain common mobile app risks and make intelligent decisions when installing and using them
  9. Evaluate the functions and risks of mobile payment services, such as Google Wallet


"Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018

Schedule (may be revised)

Date | Quiz & Proj | Topic
Wed 1-14 | | 1: The mobile risk ecosystem
Wed 1-21 | | 2: Hacking the cellular network
Wed 1-28 | | 3: iOS
Fri 1-30 | Last Day to Add Classes
Wed 2-4 | Quiz: Ch 1 & 2; Proj 1 due | 3: iOS
Wed 2-11 | Quiz: Ch 3; Proj 2-4 due | 4: Android
Wed 2-18 | No Quiz; Proj 5 due | 4: Android
Wed 2-25 | Quiz: Ch 4; Proj 6 due | 5: Mobile malware
Wed 3-4 | No Quiz; Proj 7 due | 6: Mobile services and mobile Web
Wed 3-11 | No Quiz | 6: Mobile services and mobile Web
Wed 3-18 | Quiz: Ch 5 & 6 | 7: Mobile Device Management
Wed 3-25 | No Quiz; Proj 8 and 9 due | 8: Mobile development security
Wed 3-25 | Mid-Term Grades Due
Wed 4-1 | Holiday - No Class
Wed 4-8 | No Quiz; Proj 10 and 11 due | Guest speaker: Adam Ely from BlueBox
Wed 4-15 | No Quiz; No Proj due | Guest speaker: Sam Harwin from Salesforce, "Mobile Wi-Fi Risks"
Thu 4-16 | Last Day to Withdraw
Wed 4-22 | Quiz: Ch 7 and 8 | 9: Mobile payments
Wed 5-6 | No Quiz | Guest speaker: Claire Medeiros from
Wed 5-13 | Last class; No Quiz; All Extra Credit Projects Due | Guest speaker: Irfan Asrar from appthority
Wed 5-20 | | Final Exam



1: The mobile risk ecosystem
2: Hacking the cellular network
3: iOS
4: Android
5: Mobile malware
6: Mobile services and mobile Web (part 1)
6: Mobile services and mobile Web (part 2)
7: Mobile Device Management
8: Mobile development security
9: Mobile payments

If you do not have PowerPoint you can use Open Office.


Projects (in development)

Project 1: Preparing an Android Virtual Machine (25 pts.)
Project 2: Rooting Your Android Virtual Machine (10 pts.)
Project 3: Android Studio (20 pts.)

Troubleshooting Android Emulator Problems

Ubuntu Prep for Android Security Auditing

Project 4: ExploitMe Mobile Lab 1: Sniffing Insecure Connections with Burp (15 points)
Project 5: ExploitMe Mobile Lab 2: Parameter Manipulation (15 points)
Project 6: ExploitMe Mobile Lab 3: Insecure File Storage (20 points)
Project 7: ExploitMe Mobile Lab 4: Secure Logging (10 points)
Project 8: ExploitMe Mobile Lab 7: Scraping Data from RAM (15 points)
Project 9: Decompiling and Trojaning an Android App with Smali Code (15 points)
Project 10: Obfuscating an Android App with ProGuard (10 points)
Project 11: MaaS360 (15 points)

Extra Credit Projects

Project 1x: Android Security Auditing with Genymotion and Burp (20 pts. extra credit)
Project 2x: Security Audit of the NFL Android App (15 pts. extra credit)
Project 3x: Security Audit of Another Android App (20 pts. extra credit)
Project 4x: BlueStacks Android Emulator on Windows (15 pts. extra credit)
Project 5x: Trojaning an Android App and Posting Credentials on the Web (15 pts. extra credit)
Project 6x: Obfuscating Android Source Code with DashO (15 pts. extra credit)
Project 7x: Making an iPhone App with Xcode (15 pts. extra credit)
Project 8x: Security Audit of ExploitMe Mobile in Xcode (25 pts. extra credit)
Project 9x: Making a Data-Stealing Android Trojan (15 pts. extra credit)
Project 10x: Find an Android Vulnerability and Report it Correctly (40 pts. extra credit)
Project 11x: Stealing Credentials from an Android App with a SSL MITM Attack (15 pts.)

More projects are coming later

References for Projects

ExploitMe Mobile Android Labs from Security Compass
ExploitMe Mobile iPhone Labs from Security Compass
Android Assessments with GenyMotion + Burp


Last Updated: 4-30-15 8:47 pm