Mobile applications enable new threats and attacks that introduce significant risk to the enterprise, and many custom applications contain serious vulnerabilities that are unknown to the team that developed them. With the number of applications available in Google Play and the Apple AppStore nearing 1.5 million, and vulnerabilities skyrocketing, applying standard application security practices is imperative. But how is mobile different?
This one-day, hands-on course enables participants to understand how easily mobile devices and applications can be attacked. They will learn how to identify, avoid and remediate common vulnerabilities by studying critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, participants will learn how to secure mobile applications across the enterprise. Participants can choose iOS or Android hands-on labs throughout the course, while learning how easily an attacker can compromise applications and the data they contain.
This course is designed for:
- Java EE Software Developers
- Java EE Software Testers
- Security Specialists
- Application Architects
Upon completion of this course, participants will be able to:
- Understand how mobile devices and applications can be easily attacked.
- Identify common vulnerabilities.
- Use state-of-the-art mobile application security testing tools.
- Think like an attacker in order to act preemptively.
Mobile Application Risks
Section Overview: Introduction to application risks, how to emulate mobile apps, and how to use mobile testing tools.
- OWASP Mobile Security Resources
- Current state of Mobile AppSec
- Top 10 Mobile Controls
- How and why attackers do it
- Understanding Risk
Mobile Application Architectures Deeper Dive
Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.
- Device Protections built into Android and iPhone
- Data Protection
- Client Only Architecture and Recommended Controls
- Client-Server Architecture and Recommended Controls
- Recommendation: Standard Security Controls
- Mobile Web Applications and Recommended Controls
- HTML5 Risks
- Same Origin Policy
Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
- Threats: lost/stolen phone, remember me, sniffing
- Strong Authentication vs. User Usability
- Communicating credentials safely
- Storing credentials safely
Section Overview: How to register a device to a person and explain the need for mobile channel authentication.
- Threats: lost/stolen device, remember me, lost/stolen credentials
- Benefits of Registering the Device
- Methods for Authenticating the Device
- Avoiding use of UDID
Mobile Session Management
Section Overview: How to handle session management with mobile devices
- What not to do
- iOS and Android Recommendations
Mobile Data Protection
Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.
- Identifying sensitive data
- Threats: Lost or Stolen Devices, Sniffing
- Protecting data in transit
- Securing Communications
- Testing communication strength
- Protecting data at rest
- Where and how data is stored on devices
- Hashing and encryption
- Storing keys
- Browser Caching
- Mobile specific ‘accidental’ data storage areas
- Where NOT to store your data on the device
- HTML5 local storage
Cryptography
Section Overview: How do we properly use cryptography with mobile applications?
- Difference between hashing and encrypting
- How Android and iOS handle crypto and their key management
Section Overview: Where application data and configuration information typically gets stored on the mobile device.
- Forensics tools for Android and iPhone
- Exploring the file system (Android / iPhone)
- Jailbreaking grants more access
- Interesting areas of the file system (Android / iPhone)
- Application configuration files
- Autocomplete records / iPhone app screen shots
- Dumping Android Intents
- Scrounging in Backups
Mobile Access Control
Section Overview: The code-access security models to use in mobile apps.
- Threat: user attacks server
- Example attacks
- Documenting your access control policy
- Mapping enforcement to server side controls
- Presentation Layer Access Control
- Environmental Access Control
- Business Logic
- Data Protection
- Hands On: Access Other People's Accounts, Steal Funds
How to Protect Against Cross Site Scripting (XSS)
Section Overview: The threat of XSS in mobile applications is real, given the heavy use of WebKit.
- Understand XSS
- Learn how to execute XSS
- Be able to identify XSS flaws in code
- XSS real world examples
- Practical Defenses: Primarily Output Encoding
Section Overview: How do we treat the threat of other applications?
- Risks of AppStores
- Rooted devices and applications
- What can developers do?
Protecting A User’s Privacy
Section Overview: How the phone can be used to undermine user privacy without their knowledge
- Using location services (GPS, cell triangulation, compass, hardware device key)
- Accessing calls, SMS, browser, cell usage history
- Using camera, microphone safely
Hack It and Bring It!
Section Overview: A hands-on challenge for participants to demonstrate what they have learned.
Wrap Up, Close and Thank You