Choose your language:

Hong Kong
New Zealand
United Kingdom
United States

Securing Mobile Applications

Course Code



1 Day

Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. Considering the number of mobile applications available in the Google Play and Apple AppStore is nearing 1.5 million and vulnerabilities are skyrocketing it is imperative to perform typical application security practices. But, how is mobile different?

This one-day, hands-on course enables participants to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, participants will learn how to secure mobile applications across the enterprise. Participants will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.
This course is designed for:
  • Java EE Software Developers
  • Java EE Software Testers
  • Security Specialists
  • Application Architects
Upon completion of this course, participants will be able to:
  • Understand how mobile devices and applications can be easily attacked.
  • Identify common vulnerabilities.
  • Be able to use state-of-the-art mobile application security testing tools.
  • Think like an attacker so that participants can be preemptive.
Mobile Application Risks
Section Overview: Introduction to Application risks and how to emulate mobile apps and use mobile testing tools.
  1. OWASP Mobile Security Resources
  2. Current state of Mobile AppSec
  3. Top 10 Mobile Controls
  4. How and Why Attackers do it
  5. Understanding Risk
  6. Consequences
Mobile Application Architectures Deeper Dive
Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.
  1. Device Protections built into Android and iPhone
  2. Data Protection
  3. Encryption
  4. Client Only Architecture and Recommended Controls
  5. Client-Server Architecture and Recommended Controls
  6. Recommendation: Standard Security Controls
  7. Mobile Web Applications and Recommended Controls
  8. HTML 5 Risks
  9. JavaScript Framework Risks
  10. Same Origin Policy
Mobile Authentication
Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
  1. Threats: lost/stolen phone, remember me, sniffing
  2. Strong Authentication vs. User Usability
  3. Communicating credentials safely
  4. Storing credentials safely
Mobile Registration
Section Overview: How to register a device to a person and explain the need for mobile channel authentication.
  1. Threats: lost/stolen device, remember me, lost/stolen credentials
  2. Benefits of Registering the Device
  3. Methods for Authenticating the Device
  4. Avoiding use of UDID
Mobile Session Management
Section Overview: How to handle session management with mobile devices
  1. What not to do.
  2. iOS and Android Recommendations
Mobile Data Protection
Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.
  1. Identifying sensitive data
  2. Threats: Lost or Stolen Devices, Sniffing
  3. Protecting data in transit
  4. Securing Communications
  5. Testing communication strength
  6. Protecting data at rest
  7. Where and how is data stored on devices
  8. Hashing and encryption
  9. Storing keys
  10. Browser Caching
  11. Mobile specific ‘accidental’ data storage areas
  12. Where NOT to store your data on the device
  13. HTML5 local storage
Section Overview: How do we properly use cryptography with mobile applications?
  1. Difference between hashing and encrypting.
  2. How Android and iOS handle crypto and their key management
Mobile Forensics
Section Overview: Where application data and configuration information typically gets stored on the mobile device.
  1. Forensics tools for Android and iPhone
  2. Exploring the file system (Android / iPhone)
  3. Jailbreaking grants more access
  4. Interesting areas of the file system (Android / iPhone)
  5. Application configuration files
  6. Autocomplete records / iPhone app screen shots
  7. Dumping Android Intents
  8. Scrounging in Backups
Mobile Access Control
Section Overview: The code-access security models to use in mobile apps.
  1. Threat: user attacks server
  2. Example attacks
  3. Documenting your access control policy
  4. Mapping enforcement to server side controls
  5. Presentation Layer Access Control
  6. Environmental Access Control
  7. Business Logic
  8. Data Protection
  9. Hands On: Access Other Peoples Accounts, Steal Funds
How to Protect Against Cross Site Scripting (XSS)
Section Overview: The threat of XSS in mobile applications is real based on heavy usage of Webkit
  1. Understand XSS
  2. Learn how to execute XSS
  3. Be able to identify XSS flaws in code
  4. XSS real world examples
  5. Practical Defenses: Primarily Output Encoding
Other Applications
Section Overview: How do we treat the threat of other applications?
  1. Risks of AppStores
  2. Malware
  3. Rooted devices and applications
  4. What can developers do?
Protecting A User’s Privacy
Section Overview: How the phone can be used to undermine user privacy without their knowledge
  1. Using location services (GPS, cell triangulation, compass, hardware device key)
  2. Accessing calls, SMS, browser, cell usage history
  3. Using camera, microphone safely
Hack It and Bring It!
Section Overview: A hands-on challenge for participants to demonstrate what they have learned.

Wrap Up, Close and Thank You
Send Us a Message
Choose one