Mobile Crackmes and Reversing Tutorials

A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples.

Starting now, we'll be adding crackmes for Android and iOS to the GitHub repo that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing.

For starters there are three challenges:

• Android License Validator
• Uncrackable App for iOS Level 1
• Uncrackable App for iOS Level 2

One of these three already has a documented solution in the guide. Tutorials for solving the other two still need to be added.

We Need More Authors and Contributors!

Maybe you have noticed that the reverse engineering sections in the Mobile Testing Guide are incomplete. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome you as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project.

What You Can Do

The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:

• Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented).
• Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).
• General reversing write-ups to describe specific processes and techniques

• Help us figure out resiliency testing processes and obfuscation metrics The reversing part of the guide consists of the following chapters:

• Tampering and Reverse Engineering - General Overview

• Tampering and Reverse Engineering on Android
• Tampering and Reverse Engineering on iOS

How To Join

Read the Contribution Guide first, and join the OWASP Mobile Security Project Slack Channel, where you'll find all the other project members.