Mobile Device Security and Data Protection (MobSec)
In cooperation with Raelize B.V., the Netherlands Forensic Institute (NFI) is offering a training course on Mobile Device Security and Data Protection.
Mobile devices have become almost universally accessible, deeply entangled in our personal lives and part of our own personal space. As a result, these devices, which now support a wide range of use cases, often host personal or otherwise sensitive information. This information is protected by complex security architectures that are difficult to fully grasp, making it increasingly difficult for digital forensics experts to understand what is required to access the unprotected information.
The goal of this training is to educate the participants on the fundamental low-level security features used by modern security architectures of mobile devices. At the end of the training, the participants will understand how mobile devices are able to boot securely, are secured at runtime and assure the confidentiality of the sensitive information. Moreover, they will understand, as well as experience, the impact of: the mobile device state (e.g., BFU and AFU), usage of a Secure Element (SE), vulnerabilities in low-level code (e.g., ROM, Bootloader and TEE), the availability of signed recovery mode loaders (e.g., EDL) and the usage of a custom operating system (e.g., GrapheneOS).
The participants will analyse commercial off-the-shelf (COTS) mobile devices with Android. Although these mobile devices run Android and serve similar purposes, their low-level security architectures differ significantly, which makes it interesting to analyse solutions from different manufacturers.
The exercises are designed to provide a hands-on learning experience, during which the participants will use various tooling, study source code and perform reverse engineering. Even though it is not mandatory, we assume that the participants have already familiarized themselves with some of these types of activities on less complex devices.
The training aims to provide the foundational knowledge required to understand how information is protected on mobile devices. It does not focus on actually identifying or exploiting the type of vulnerabilities that are required to access the information. Nonetheless, the exercises position the participants in a context (i.e., reverse engineering), where vulnerabilities may be found.
Format
The training takes the participants on a journey of 4 days of 8 hours, where they perform hands-on exercises (75%) and attend relevant lectures (25%). The training is highly interactive, enabling the participants to share their past experiences in order to learn from each other. The participants will get access to a Virtual Machine (VM) that contains all the required tooling. Moreover, the participants will have access to all the required hardware, such as the target mobile devices, used throughout the training.
Level
The level of this training is Intermediate.
Our experienced trainers, as well as the detailed instructions, will guide participants of all skill levels throughout the training. This includes participants with or without reverse engineering experience.
Agenda
The following topics are covered by hands-on exercises (75%) and presentations (25%), which provide context and the required information. During the hands-on exercises, the participants may, for example, perform a physical activity, analyse a document, use a specific hardware or software tool, review source code or perform reverse engineering.
Most of the exercises are performed on commercial off-the-shelf (COTS) mobile devices with Android. This allows the participants to get familiar with real-world security architectures that make use of the underlying hardware platform (i.e., System-on-Chip).
The list of topics shown below provides an overview of what will be discussed during the training. The topics may be scheduled in a different order during the actual training.
Chip Security
- Booting
- Memories (e.g., ROM, SRAM and OTP)
- Secure Boot
- Recovery Modes (e.g., Emergency Download Mode and Download Mode)
- Hardware modules / IP
Trusted Execution Environment (TEE)
- Secure Monitor (EL3)
- Operating System (S-EL1)
- Trusted Application (S-EL0)
Android Security
- Verified Boot
- Boot flow
- Device State
- DM-Verity
- SELinux
- Authentication
- Gatekeeper
- Fingerprint
- Keystore
- Keymaster
- Key protection levels (Software, TEE & SE)
- Encryption
- File-Based Encryption (FBE)
- Full-Disk Encryption (FDE)
- StrongBox
- Embedded Secure Element (eSE)
- Integrated Secure Element (iSE)
- Device states
- Before First Unlock (BFU)
- After First Unlock (AFU)
- Custom Operating Systems (e.g., GrapheneOS)
Exercise Examples
The hands-on exercises may include:
- Analyzing the internals of a mobile device
- Booting mobile devices in different modes
- Using the Android Debug Bridge (e.g., using adb)
- Using Bootloader mode (e.g., using fastboot)
- Using Recovery mode (e.g., using edl and mtkclient)
- Analyzing flash dumps using typical tooling (e.g., unblob)
- Analyzing the key components of a mobile device (e.g., ROM, bootloader and TEE)
- Communicating with the TEE from Linux
- Analyzing Kernel-level security features (e.g., DM-Verity, SELinux)
- Brute-forcing credentials (and decryption keys)
- Installing and analyzing a custom operating system (e.g., GrapheneOS)
- Identifying how forensic tooling is able to access information
Learning Objectives
The learning objectives of this training are to:
- Understand the security architecture of mobile devices
- Understand what is required to decrypt encrypted data stored on mobile devices
Target group
Only from ENFSI-labs and/or NATO countries:
- digital police investigators
- forensic investigators in law-enforcement agencies
Prerequisites
We recommend that the students are familiar with:
- Using forensic tooling (e.g., Cellebrite)
- Using Linux command line tooling
- Programming (e.g., Python, C and ARM Assembly)
- Cryptography (e.g., AES and RSA)
Optionally, we recommend that the participants are already familiar with:
- Reverse engineering (e.g., Ghidra)
- Typical software vulnerabilities (e.g., buffer overflows)
- Typical software exploitation mitigations (e.g., stack cookies)
Requirements
The participants are expected to bring a laptop:
- where they are allowed to install software
- with sufficient available storage (~50 GB) and memory (~16 GB)
- with at least two (2) available USB-A ports
- Raelize will make additional USB hubs available during the training (USB-C / USB-A)
- installed with a modern browser (e.g., Google Chrome)
- installed with VMware Player/Workstation (or VirtualBox).
Dates and duration
Dates
7-10 April 2026
Duration
Four consecutive days, 9.00-17.00 h
Number of participants
5-24 participants
Costs
- 4-days MobSec training: € 4.250,- per participant. This includes lunches and coffee/tea refreshments
- Dutch Police: please fill out the registration form and ask for a quotation in the Remarks field. Selection may take place by a police coordinator.
N.B.: No VAT will be added.
Hotel and travel costs are not included.
Location
Netherlands Forensic Institute in The Hague, The Netherlands
Note
The course is taught in English.
More information and registration
For more information, please complete our contact form. Please indicate on the form that you are interested in the training 'MobSec'.
For registration, please complete the registration form. If a quotation is needed, please fill out the registration form and ask for a quotation in the Remarks field.