AppSec USA Training
Securing Mobile Devices and Applications
September 16-17
US $1,600
Presented by Aspect Security
About the course
Mobile applications enable new threats and attacks which introduce significant risks to the enterprise. Many custom applications contain significant vulnerabilities that are unknown to the team that developed them. In fact, we discover an average of 11.6 vulnerabilities in every mobile application we verify in our consulting practice. At the end of 2013 there were over 2 million applications in Google Play and the Apple App Store, and the number of vulnerabilities continues to climb with them, putting organizations at risk.
This two-day, hands-on course shows students how easily mobile devices and applications can be attacked. They learn to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and covering the critical security areas identified in the OWASP Top Ten Mobile Risks and Controls. Using current testing tools, students learn how to secure mobile devices across the enterprise. Students can choose between iOS and Android hands-on labs throughout the course as they see how easily attackers compromise applications and the data they contain.
Learning Objectives
- Understand how mobile devices and applications can be easily attacked.
- Identify common vulnerabilities.
- Be able to use state-of-the-art mobile application security testing tools.
- Secure mobile devices across the enterprise.
- Think like an attacker in order to anticipate attacks rather than react to them.
Outline
Mobile Devices and Applications
Introducing mobile devices, their capabilities, how to emulate mobile applications and use mobile testing tools.
- Device Types and Capabilities
- Mobile Application Emulators / IDEs
- Running the Class Applications
- Using a Testing Proxy: Burp
- How to get Proxying to work
Mobile Application Architectures and Threat Model
We explain high-level threats, attack techniques and the impacts associated with mobile computing and how different architectures affect these.
- Different Mobile Architectures
- OWASP Mobile Security Resources
- Mobile Threat Model
- Top 10 Mobile Controls
- Risk Management
- Mobile Threats and Attacks on Users, Devices and Applications
- Consequences
- AppStore Security / Malware Threats
- Hands-On Exercise: Hacking Mobile URLs (iOS) or Intents (Android)
Mobile Application Architectures Deeper Dive
We review the different styles of computing in the mobile space, the core technologies involved, and how applications are built.
- Device Protections built into Android and iPhone
- Data Protection
- Encryption
- Client Only Architecture and Recommended Controls
- Client-Server Architecture and Recommended Controls
- Recommendation: Standard Security Controls
- Mobile Web Applications and Recommended Controls
- HTML 5 Risks
- JavaScript Framework Risks
- Same Origin Policy
Securing the Device
We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise. Students learn how to secure employee-owned devices.
- Mobile Device Management (MDM) Applications
- Password Requirements
- Data Protection
- Enterprise Security Management (ESM)
Mobile Authentication
We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
- Threats: lost/stolen phone, remember me, sniffing
- Strong Authentication vs. Usability
- Communicating & Storing credentials safely
Mobile Registration
We show you how to register a device to a person and explain the need for mobile channel authentication.
- Threats: lost/stolen device, remember me, lost/stolen credentials
- Benefits of Registering the Device
- Methods for Authenticating the Device
- Avoiding use of UDID
Mobile Session Management
How to handle session management for mobile clients.
- What NOT to do
- iOS and Android Recommendations
Mobile Access Control
We discuss the code-access security models that must be used in mobile applications.
- Threat: user attacks server
- Example attacks
- Documenting your access control policy
- Mapping enforcement to server side controls
- Presentation Layer Access Control
- Environmental Access Control
- Business Logic
- Data Protection
- Hands-On Exercise: Access Other People's Accounts, Steal Funds
Mobile Data Protection
We illustrate all of the different places that sensitive data can be stored on mobile phones and how it should be protected.
- Identifying sensitive data
- Threats: Lost or Stolen Devices, Sniffing
- Protecting data in transit
- Securing Communications
- Testing communication strength
- Protecting data at rest
- Where and how is data stored on devices
- Hashing and Encryption
- Storing keys
- Browser Caching
- Mobile specific ‘accidental’ data storage areas
- Where NOT to store your data on the device
- HTML5 local storage
Mobile Forensics
Where application data and configuration information typically gets stored on the mobile device, and how to recover it.
- Forensics tools for Android and iPhone
- Exploring the file system (Android / iPhone)
- Jailbreaking grants more access
- Interesting areas of the file system (Android / iPhone)
- Application configuration files
- Autocomplete records / iPhone app screenshots
- Dumping Android Intents
- Scrounging in Backups
- Dynamic Runtime and Memory Analysis
Cryptography
We show you how to use cryptography properly with mobile applications.
- Difference between hashing and encrypting.
- How Android and iOS handle cryptography and their key management
How to Protect Against Cross Site Scripting (XSS)
The threat of XSS in mobile applications is real because so many apps render content in WebKit-based web views.
- Understand XSS
- Learn how to execute XSS
- Be able to identify XSS flaws in code
- XSS real-world examples
- Practical Defenses: Output Encoding and others
Protecting User Privacy
We show you how the phone can be used to undermine user privacy without their knowledge.
- Using location services (GPS, cell triangulation, compass, hardware device key)
- Accessing contacts, photos, maps and other personal data
- Accessing calls, SMS, browser, cell usage history
- Using the camera and microphone safely
Hack It and Bring It!
A hands-on challenge for students to demonstrate what they have learned.
Wrap Up, Close and Thank You
Class requirements
iOS Labs
- Mac running Mac OS X, with Xcode (including the iOS 6 or iOS 7 simulator) installed
- CPU and memory as required by the operating system
Android Labs
- PC running Windows XP with Service Pack 2 (SP2), Windows Vista, Windows 7, or Windows 8
- CPU and memory as required by the operating system
- 16 GB free disk space
About the trainers
David Lindner is a Managing Consultant and the Global Practice Manager for Mobile Application Security Services at Aspect Security. David brings 13 years of IT experience, including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been the mobile space, covering everything from mobile application penetration testing and code review to analyzing MDM and BYOD solutions. David also specializes in application penetration tests using commercial and freeware products as well as manual testing methods. David has written code in many languages but specializes in Java/J2EE and Perl. David has supported clients in the financial, government, automotive, healthcare and retail sectors.
David holds an M.S. in Computer Engineering and Information Assurance from Iowa State University, recognized by the NSA as a National Center of Academic Excellence in Information Assurance Education. His Master's thesis was on creating secure web applications and incorporating security throughout the Software Development Lifecycle (SDLC). David completed his undergraduate work at Wartburg College in Waverly, IA, where he received a B.A. with a triple major in Computer Science, Physics and Mathematics.
Dan Amodio joined Aspect in 2011 and is a core member of the mobile security team. He holds a security clearance and supports a variety of client projects, including some that are critical to national infrastructure. Dan leads security architecture reviews and performs both code reviews and penetration tests for clients in the government, education, airline and financial sectors. His expertise spans an array of IT disciplines, including application security, software development, systems administration and technical support. He has over 10 years of programming experience in a variety of languages and actively participates in open source and software security communities.
In addition to maintaining high-quality work on numerous projects, Dan is actively pursuing his Computer Science degree at the University of Maryland University College. Outside of work, Dan enjoys spending time with his wife and daughter. He is a longtime musician and exercises his attention to detail outside of Aspect's projects through performing, recording and sound engineering.
Enroll in this training course
Training requires a separate registration from the AppSec USA conference. Registration for both conference and training offerings may be found here.