About the course
Mobile application development is growing exponentially year over year. As of late 2015, over 3 million apps are deployed in the Apple and Google app stores. These apps are consumed by over 700 million users world-wide and account for 33% of the traffic on the Internet [1]. Average users have over 100 mobile apps installed on their device, many of which provide business critical services to customers and employees.
Unfortunately, these apps are often rushed to market to gain a competitive advantage with little regard for security. As seen in web applications for the past 20 years, software vulnerabilities always exist where code is being written and mobile apps are no different. Mobile apps are vulnerable to a whole new class of vulnerabilities, as well as most traditional issues that have long plagued web and desktop applications. This problem will only continue to grow unless managers, architects, developers, and QA teams learn how to test and defend their mobile apps.
DEV531: Defending Mobile Applications Security Essentials covers the most prevalent mobile app risks, including those from the OWASP Mobile Top 10. Students will participate in numerous hands-on exercises available in both the Android and iOS platforms. Each exercise is designed to reinforce the lessons learned throughout the course, ensuring that you understand how to properly defend your organization's mobile applications.
Course Syllabus
DEV531.1: Defending Mobile Apps, Section 1
Overview
On the first day of this course, students will examine some of the most prevalent mobile app vulnerabilities. Starting with the device data storage, students will discover how important it is to secure web APIs that communicate with a mobile app. Students will explore web service API topics including server configuration, session management, and transport layer encryption. Next, students shift their focus to the mobile device and explore all of the locations where data persists within mobile apps. Each section ends with a hands-on exercise where you can see how a vulnerable mobile app responds to an attack and how the app responds after applying the appropriate defensive technique.
CPE/CMU Credits: 6
Topics
- Insecure Device Data Storage
- File System Inspection
- Local Storage
- Android & iOS Hardware Security
- SQLite Encryption Extension (SEE)
- Device Data Leakage
- 3rd Party Keyboards
- URL Caching
- Application Screenshots
- Clipboard Caching
- Insecure Logging
- Transport Layer Protection
- App Transport Security
- Secure TLS Configuration
- Certificate Validation
- Certificate Pinning
- Mobile Web Services
- Web service hardening
- Secure configuration
- API Authentication
- Session Expiration
- Session Fixation
- Weak Session Tokens
DEV531.2: Defending Mobile Apps, Section 2
Overview
The second day continues dissecting vulnerabilities that mobile app development teams must keep in mind when writing a mobile app. More complex topics such as mobile cryptography, authentication and authorization, client side injection, inter-process communication, and binary protections are covered in detail to continue creating secure mobile apps. Each section ends with a hands-on exercise where you can see how a vulnerable mobile app responds to an attack and how the app responds after applying the appropriate defensive technique.
CPE/CMU Credits: 6
Topics
- Broken Cryptography
- Weak Cryptographic Algorithms
- Secure Random Number Generation
- Secure Secrets Management
- Android Keystore
- iOS Keychain
- Authentication & Authorization
- Mobile Form Factor
- Enterprise Mobility Management (EMM)
- Mobile Device Management (MDM)
- Mobile App Management (MAM)
- Android Fingerprint Manager
- iOS Local Authentication
- iOS Touch ID
- Client Side Injection
- SQL Injection
- Mobile User Session
- Binary Code Injection
- XML Injection
- Format String Injection
- Inter-Process Communication
- Android IPC
- iOS URL Schemes
- iOS Universal Links
- iOS Activity Sharing
- iOS Extensions
- Lack of Binary Protections
- Binary Inspection
- Reverse Engineering
- Jailbreak Detection
- Code Obfuscation
- Checksum Controls
Who Should Attend
- Mobile application developers
- Mobile app development managers
- Mobile app architects
- Quality assurance testers
- Penetration testers who are interested in mobile app defensive strategies
- Auditors who need to understand mobile app risks and defensive controls
- Application security managers
You Will Be Able To
- Identify sensitive information stored insecure on a mobile device
- Sniff mobile app traffic using Wireshark
- Test a mobile app for certificate pinning protections
- Use a web application proxy to test mobile app APIs for vulnerabilities
- Leverage built-in fingerprint authorization APIs from your custom apps
- Understand industry cryptography best practices (NIST, PCI) for encryption, hashing, and random number generation on mobile platforms
- Secure Android IPC and iOS URL schemes
- Inspect mobile app binaries and obtain sensitive information
Hands-on Training
- Find sensitive information on the mobile file system
- Prevent mobile app data leakage
- Securely store data on the file system
- Intercept mobile app communications
- Secure mobile app communications
- Enable certificate pinning
- Test server side mobile APIs
- Implement custom app encryption
- Use the Android Keystore and iOS Keychain
- Defend against client side injection
- Configure secure Android IPC services
- Secure URL schemes and Universal Links
- Perform binary analysis
- Implement reverse engineering defenses