DEV531: Defending Mobile Applications Security Essentials
Mobile application development is growing exponentially year over year. As of late 2015, over 3 million apps are deployed in the Apple and Google app stores. These apps are consumed by over 700 million users worldwide and account for 33% of the traffic on the Internet. Average users have over 100 mobile apps installed on their device, many of which provide business-critical services to customers and employees.
Unfortunately, these apps are often rushed to market to gain a competitive advantage with little regard for security. As seen in web applications for the past 20 years, software vulnerabilities always exist where code is being written, and mobile apps are no different. Mobile apps are vulnerable to a whole new class of vulnerabilities, as well as most of the traditional issues that have long plagued web and desktop applications. This problem will only continue to grow unless managers, architects, developers, and QA teams learn how to test and defend their mobile apps.
DEV531: Defending Mobile Applications Security Essentials covers the most prevalent mobile app risks, including those from the OWASP Mobile Top 10. Students will participate in numerous hands-on exercises available in both the Android and iOS platforms. Each exercise is designed to reinforce the lessons learned throughout the course, ensuring that you understand how to properly defend your organization's mobile applications.
You Will Learn To:
To maximize the benefit for a wide range of audiences, the discussions in this course cover high-level mobile app defensive strategies, as well as risks specific to both the Android and iOS mobile operating systems. Students will walk away with the knowledge and skills to:
- Understand mobile app risks and common vulnerabilities
- Find vulnerabilities in their mobile apps before an attacker does
- Apply defensive strategies to build secure mobile apps from the beginning
DEV531.1: Defending Mobile Apps, Section 1
On the first day of this course, students will examine some of the most prevalent mobile app vulnerabilities. Starting with the server side, students will quickly see how important it is to secure the web APIs that communicate with a mobile app. Students will explore web service API topics including server configuration, session management, and transport layer encryption. Next, students shift their focus to the mobile device and explore all of the locations where mobile apps persist data on the device. Each section ends with a hands-on exercise where you can see how a vulnerable mobile app responds to an attack and how the app responds after applying the appropriate defensive technique.
CPE/CMU Credits: 6
- Weak Server Side APIs
  - Web service hardening
  - Secure configuration
  - API Authentication
  - Injection Defenses
- Improper Session Handling
  - Session Expiration
  - Session Fixation
  - Weak Session Tokens
- Transport Layer Protection
  - Secure TLS Configuration
  - Certificate Validation
  - Certificate Pinning
- Insecure Device Data Storage
  - File System Inspection
  - Local Storage (plist, SQLite, SD cards, XML, etc.)
  - iOS Hardware Security
  - SQLite Encryption Extension (SEE)
- Device Data Leakage
  - 3rd Party Keyboards
  - URL Caching
  - Application Screenshots
  - Clipboard Caching
  - Insecure Logging
DEV531.2: Defending Mobile Apps, Section 2
The second day continues dissecting the vulnerabilities that mobile app development teams must keep in mind when writing a mobile app. More complex topics such as mobile authentication and authorization, cryptography, client-side injection, inter-process communication, and binary protections are covered in detail to continue building secure mobile apps. Each section ends with a hands-on exercise where you can see how a vulnerable mobile app responds to an attack and how the app responds after applying the appropriate defensive technique.
CPE/CMU Credits: 6
- Authentication & Authorization
  - Mobile Form Factor
  - Offline Authentication
  - Password Management
- Broken Cryptography
  - Weak Cryptographic Algorithms
  - Secure Random Number Generation
  - Secure Secrets Management
  - Android Keystore
  - iOS Keychain
- Client Side Injection
  - SQL Injection
  - Mobile User Session
  - Binary Code Injection
  - XML Injection
  - Format String Injection
- Inter-Process Communication
  - Android IPC
  - iOS URL Schemes
- Lack of Binary Protections
  - Reverse Engineering
  - Binary Inspection
  - Jailbreak Detection
  - Checksum Controls
!!IMPORTANT - PLEASE PLAN ON ARRIVING AT CLASS AT LEAST 30 MINUTES EARLY THE FIRST MORNING TO SET UP THE VIRTUAL MACHINE BEFORE CLASS STARTS. BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
Please download and install VMware Workstation, VMware Fusion, or VMware Player on your system prior to arriving at class. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 11, VMware Player 7.0, or VMware Fusion 7.0. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their web site.
VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.
Mandatory Host Hardware Requirements
- CPU: 2.5 GHz or faster multi-core processor
- 16GB of RAM is recommended to run both the Android and iOS VMs simultaneously
- 8GB of RAM is recommended to run only 1 VM at a time
- Hard Disk: 75GB of free disk space minimum
- Working USB 2.0 or higher port
- The student should have Local Administrator access within their host operating system
Mandatory Host Software Requirements
- VMware Workstation 11+, VMware Player 7+, or VMware Fusion 7+
- Zip File Utility
Mandatory Host Operating System Requirements
- Mac OS X (Mountain Lion, Yosemite, El Capitan) *
- Windows (7, 8, or 10)
* The course exercises contain examples written for both the Android and iOS mobile operating systems. To run the iOS exercises, students must bring a laptop running Mac OS X. If a student does not have access to Mac OS X, Windows can be used to complete all of the Android exercises.
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
- Bring a laptop with the required system hardware and operating system configuration
- Install VMware (Workstation, Player, or Fusion)
- Make sure you have a working USB drive capable of mounting exFAT file partitions. The course VM files will be copied onto your laptop from a USB key provided by SANS.
If you have additional questions about the laptop specifications, please contact email@example.com.
Who Should Attend
- Mobile application developers
- Mobile app development managers
- Mobile app architects
- Quality assurance testers
- Penetration testers who are interested in mobile app defensive strategies
- Auditors who need to understand mobile app risks and defensive controls
- Application security managers
This class requires a basic understanding of mobile application technology, server side APIs, and the HTTP protocol.
Other Courses People Have Taken
- Courses that lead-in:
- DEV522: Defending Web Applications Security Essentials
- DEV534: Secure DevOps: A Practical Introduction
- Courses that are good follow-ups:
What You Will Receive
- Course books
- Lab workbook with step-by-step instructions for completing the Android and iOS exercises
- USB containing virtual machines for iOS, Android, and Ubuntu
You Will Be Able To
- Use a web application proxy to test mobile app APIs for vulnerabilities
- Sniff mobile app traffic using Wireshark
- Test a mobile app for certificate pinning protections
- Identify sensitive information stored insecurely on a mobile device
- Build strong mobile security policies to protect end users
- Understand industry cryptography best practices (NIST, PCI) for encryption, hashing, and random number generation on mobile platforms
- Inspect mobile app binaries and obtain sensitive information
- Secure Android IPC and iOS URL schemes
- Understand how an attacker can disassemble and analyze mobile app binary files
- Intercept mobile app communications
- Harden server side mobile APIs
- Find sensitive information on the mobile file system
- Securely store data on the file system
- Monitor mobile app traffic
- Secure mobile app communications
- Enable certificate pinning
- Prevent mobile app data leakage
- Build strong mobile app authentication / authorization
- Implement custom app encryption
- Use the iOS Keychain
- Defend against client side injection
- Configure secure Android IPC services
- Validate URL schemes
- Perform binary analysis
Press & Reviews
"Mobile DEV security is extremely important and yet very rarely covered in other courses. Excellent course, and very valuable." - Mark Geeslin
Mobile apps are changing the way organizations do business by replacing traditional web applications. Instead of using a laptop's web browser to access sensitive resources (e.g. prescriptions, financials, sales quotes, etc.), apps that perform the same functionality are being installed on the end user's mobile device.
Mobile apps, which often rely on backend web service APIs that are exposed over the Internet, require development teams to understand a new set of security issues including protecting data stored locally on the device, defending against reverse engineering, deploying secure web APIs, and many more.
This course is designed to teach students how to attack their mobile applications, learn the mitigation strategies required to fix common vulnerabilities, and further their understanding through hands-on exercises. Take part in this exciting course and learn to defend your mobile applications!
- Eric Johnson & Greg Leonard
*CPE/CMU credits not offered for the SelfStudy delivery method