Securing Mobile Devices and Applications

September 16-17th
US $1,600

Presented by Aspect Security

About the course

Mobile applications enable new threats and attacks which introduce significant risks to the enterprise. Many custom applications contain significant vulnerabilities that are unknown to the team that developed them. Point-in-fact, we discover on average of 11.6 vulnerabilities in every mobile application we verify in our consulting practice. At the end of 2013, there were over 2 million applications in the Google Play and Apple AppStore. Unfortunately, vulnerabilities continue to skyrocket, putting organizations at risk.

This two-day, hands-on course enables students to understand how easily mobile devices and applications can be attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily hackers can compromise applications and the data they contain.

Learning Objectives

• Understand how mobile devices and applications can be easily attacked.
• Identify common vulnerabilities.
• Be able to use state-of-the-art mobile application security testing tools.
• Secure mobile devices across the enterprise.
• Think like an attacker so that students can be preemptive going forward.

Outline

1. Mobile Devices and Applications

   Introducing mobile devices, their capabilities, how to emulate mobile applications and use mobile testing tools.

   1. Device Types and Capabilities
   2. Mobile Application Emulators / IDEs
   3. Running the Class Applications
   4. Using a Testing Proxy: Burp
   5. How to get Proxying to work

2. Mobile Application Architectures and Threat Model

   We explain high-level threats, attack techniques and the impacts associated with mobile computing and how different architectures affect these.

   1. Different Mobile Architectures
   2. OWASP Mobile Security Resources
   3. Mobile Threat Model
   4. Top 10 Mobile Controls
   5. Risk Management
   6. Mobile Threats and Attacks on Users, Devices and Applications
   7. Consequences
   8. AppStore Security / Malware Threats
   9. Hands- On Exercise: Hacking Mobile URLs (iOS), or Intents (Android)

3. Mobile Application Architectures Deeper Dive

   We review the different styles of computing in the mobile space, the core technologies involved, and how applications are built.

   1. Device Protections built into Android and iPhone
   2. Data Protection
   3. Encryption
   4. Client Only Architecture and Recommended Controls
   5. Client-Server Architecture and Recommended Controls
   6. Recommendation: Standard Security Controls
   7. Mobile Web Applications and Recommended Controls
   8. HTML 5 Risks
   9. JavaScript Framework Risks
   10. Same Origin Policy

4. Securing the Device

   We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise. Students learn how to secure employee-owned devices.

   1. Mobile Device Management (MDM) Applications
   2. Password Requirements
   3. Data Protection
   4. Enterprise Security Management (ESM)

5. Mobile Authentication

   We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.

   1. Threats: lost/stolen phone, remember me, sniffing
   2. Strong Authentication vs. User Usability
   3. Communicating & Storing credentials safely

6. Mobile Registration

   We show you how to register a device to a person and explain the need for mobile channel authentication.

   1. Threats: lost/stolen device; remember me;, lost/stolen credentials
   2. Benefits of Registering the Device
   3. Methods for Authenticating the Device
   4. Avoiding use of UDID

7. Mobile Session Management

   Handling session management with mobile devices

   1. What NOT to do
   2. iOS and Android Recommendations

8. Mobile Access Control

   We discuss the code-access security models that must be used in mobile applications.

   1. Threat: user attacks server
   2. Example attacks
   3. Documenting your access control policy
   4. Mapping enforcement to server side controls
   5. Presentation Layer Access Control
   6. Environmental Access Control
   7. Business Logic
   8. Data Protection
   9. Hands- On Exercise: Access Other People’s Accounts, Steal Funds

9. Mobile Data Protection

   We illustrate all of the different places that sensitive data can be stored on mobile phones and how it should be protected.

   1. Identifying sensitive data
   2. Threats: Lost or Stolen Devices, Sniffing
   3. Protecting data in transit
   4. Securing Communications
   5. Testing communication strength
   6. Protecting data at -rest
   7. Where and how is data stored on devices
   8. Hashing and Encryption
   9. Storing keys
   10. Browser Caching
   11. Mobile specific ‘accidental’ data storage areas
   12. Where NOT to store your data on the device
   13. HTML5 local storage

10. Mobile Forensics

    Where application data and configuration information typically gets stored on the mobile device.

    1. Forensics tools for Android and iPhone
    2. Exploring the file system (Android / iPhone)
    3. Jailbreaking grants more access
    4. Interesting areas of the file system (Android / iPhone)
    5. Application configuration files
    6. Autocomplete records / iPhone app screen shots
    7. Dumping Android Intents
    8. Scrounging in Backups
    9. Dynamic Runtime and Memory Analysis

11. Cryptography

    We show you how to use cryptography properly with mobile applications.

    1. Difference between hashing and encrypting.
    2. How Android and iOS handle cryptography and their key management

12. How to Protect Against Cross Site Scripting (XSS)

    The threat of XSS in mobile applications is real based on heavy usage of Webkit.

    1. Understand XSS
    2. Learn how to execute XSS
    3. Be able to identify XSS flaws in code
    4. XSS real- world examples
    5. Practical Defenses: Output Encoding and others

13. Protecting User Privacy

    We show you how the phone can be used to undermine user privacy without their knowledge.

    1. Using location services (GPS, cell triangulation, compass, hardware device key)
    2. Accessing contacts, photos, maps and other personal data
    3. Accessing calls, SMS, browser, cell usage history
    4. Using the camera and microphone safely

14. Hack It and Bring It!

    A hands-on challenge for students to demonstrate what they have learned.

15. Wrap Up, Close and Thank You

Class requirements

iOS Labs

1. PC running Mac OS X, with Xcode (with iOS 6 or iOS 7 simulator) installed
2. CPU and memory as required by the operating system

Android Labs

1. PC running Windows XP with Service Pack 2 (SP2), Windows Vista, Windows 7, or Windows 8
2. CPU and memory as required by the operating system
3. 16 GB free disk space

About the trainers

David Lindner, a Managing Consultant and the Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 13 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David’s focus has been in the mobile space including everything from mobile application penetration testing/code review, to analyzing MDM and BYOD solutions. David also specializes in performing application penetration tests utilizing commercial and freeware products as well as manual testing methods. David has written code in many different languages but specializes in Java/J2EE and Perl. David has supported many different clients including financial, government, automobile, healthcare, and retail.

David holds an M.S. degree in Computer Engineering and Information Assurance from Iowa State University, recognized by the NSA as a National Center of Academic Excellence in Information Assurance Education. His Master’s thesis was Creating Secure Web Applications and incorporating security throughout the Software Development Lifecycle. (SDLC). David completed his undergraduate work at Wartburg College in Waverly, IA where he received a B.A. with a triple major in Computer Science, Physics, and Mathematics.

Dan Amodio joined Aspect in 2011 and is a core member of the mobile security team. He holds a security clearance and supports a variety of client projects, including those that are critical to national infrastructure. Dan leads security architecture reviews and performs both code reviews and penetration tests for clients in Government, educational, airline, and financial sectors. His expertise spans an array of IT disciplines including: application security, software development, systems administration, and technical support. He has over 10 years of programming experience in a variety of languages and actively participates in open source and software security communities.

In addition to maintaining a high quality work for numerous projects, Dan is actively pursuing his Computer Science degree at the University of Maryland, University College. Outside of work, Dan enjoys spending time with his wife and daughter. He is a longtime musician and exercises his attention to detail outside of Aspect’s projects through performing, recording and sound engineering.

Enroll in this training course

Training requires a separate registration from the AppSec USA conference. Registration for both conference and training offerings may be found here.