Choose from Eight InfoSec Courses at SANS Las Vegas 2018. Save $200 thru 12/27.

DEV531: Defending Mobile Applications Security Essentials New

Mobile application development is growing exponentially year over year. As of late 2015, over 3 million apps are deployed in the Apple and Google app stores. These apps are consumed by over 700 million users world-wide and account for 33% of the traffic on the Internet [1]. Average users have over 100 mobile apps installed on their device, many of which provide business critical services to customers and employees.

Unfortunately, these apps are often rushed to market to gain a competitive advantage with little regard for security. As seen in web applications for the past 20 years, software vulnerabilities always exist where code is being written and mobile apps are no different. Mobile apps are vulnerable to a whole new class of vulnerabilities, as well as most traditional issues that have long plagued web and desktop applications. This problem will only continue to grow unless managers, architects, developers, and QA teams learn how to test and defend their mobile apps.

DEV531: Defending Mobile Applications Security Essentials covers the most prevalent mobile app risks, including those from the OWASP Mobile Top 10. Students will participate in numerous hands-on exercises available in both the Android and iOS platforms. Each exercise is designed to reinforce the lessons learned throughout the course, ensuring that you understand how to properly defend your organization's mobile applications.

More

You Will Learn To:

To maximize the benefit for a wide range of audiences, the discussions in this course cover high-level mobile app defensive strategies, as well as risks specific to both the Android and iOS mobile operating systems. Students will walk away with the knowledge and skills to:

  • Understand mobile app risks and common vulnerabilities
  • Find vulnerabilities in their mobile apps before an attacker does
  • Apply defensive strategies to build secure mobile apps from the beginning

Think different. Think Secure.

[1] http://www.statista.com/markets/424/topic/538/mobile-internet-apps/

Hide

Course Syllabus

Overview

On the first day of this course, students will examine some of the most prevalent mobile app vulnerabilities. Starting with the device data storage, students will discover how important it is to secure web APIs that communicate with a mobile app. Students will explore web service API topics including server configuration, session management, and transport layer encryption. Next, students shift their focus to the mobile device and explore all of the locations where data persists within mobile apps. Each section ends with a hands-on exercise where you can see how a vulnerable mobile app responds to an attack and how the app responds after applying the appropriate defensive technique.

CPE/CMU Credits: 6

Topics
  • Insecure Device Data Storage
    • File System Inspection
    • Local Storage
    • Android & iOS Hardware Security
    • SQLite Encryption Extension (SEE)
  • Device Data Leakage
    • 3rd Party Keyboards
    • URL Caching
    • Application Screenshots
    • Clipboard Caching
    • Insecure Logging
  • Transport Layer Protection
    • App Transport Security
    • Secure TLS Configuration
    • Certificate Validation
    • Certificate Pinning
  • Mobile Web Services
    • Web service hardening
    • Secure configuration
    • API Authentication
    • Session Expiration
    • Session Fixation
    • Weak Session Tokens
Overview

The second day continues dissecting vulnerabilities that mobile app development teams must keep in mind when writing a mobile app. More complex topics such as mobile cryptography, authentication and authorization, client side injection, inter-process communication, and binary protections are covered in detail to continue creating secure mobile apps. Each section ends with a hands-on exercise where you can see how a vulnerable mobile app responds to an attack and how the app responds after applying the appropriate defensive technique.

CPE/CMU Credits: 6

Topics
  • Broken Cryptography
    • Weak Cryptographic Algorithms
    • Secure Random Number Generation
    • Secure Secrets Management
    • Android Keystore
    • iOS Keychain
  • Authentication & Authorization
    • Mobile Form Factor
    • Enterprise Mobility Management (EMM)
    • Mobile Device Management (MDM)
    • Mobile App Management (MAM)
    • Android Fingerprint Manager
    • iOS Local Authentication
    • iOS Touch ID
  • Client Side Injection
    • SQL Injection
    • Mobile User Session
    • Binary Code Injection
    • XML Injection
    • Format String Injection
  • Inter-Process Communication
    • Android IPC
    • iOS URL Schemes
    • iOS Universal Links
    • iOS Activity Sharing
    • iOS Extensions
  • Lack of Binary Protections
    • Binary Inspection
    • Reverse Engineering
    • Jailbreak Detection
    • Code Obfuscation
    • Checksum Controls

Additional Information

!!IMPORTANT - PLEASE PLAN ON ARRIVING AT CLASS AT LEAST 30 MINUTES EARLY THE FIRST MORNING TO SET UP THE VIRTUAL MACHINE BEFORE CLASS STARTS. BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to arriving at class. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 11, VMware Workstation Player 7.0, or VMware Fusion 7.0. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their web site.

VMware Workstation Player is a free download that does not need a commercial license. Most students find VMware Workstation Player adequate for the course.

Mandatory Host Hardware Requirements

  • CPU: 2.5+ GHz multi-core 64-bit processor or higher
  • Memory:
    • 16GB of RAM is recommended to run both the Android and iOS VMs simultaneously
    • 8GB of RAM is recommended to run only 1 VM at a time
  • Hard Disk: 75GB of free disk space minimum
  • Working USB 2.0 or higher port
  • The student should have Local Administrator access within their host operating system

Mandatory Host Software Requirements

  • VMware Workstation 11+, VMware Workstation Player 7+, or VMware Fusion 7+
  • Zip File Utility

Mandatory Host Operating System Requirements

  • Mac OS X (El Capitan, Sierra) *
  • Windows (7, 8, or 10)

* The course exercises contain examples written for both the Android and iOS mobile operating systems. To run the iOS exercises, students must bring a laptop running Mac OS X. If a student does not have access to Mac OS X, Windows can be used to complete all of the Android exercises.

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

  • Bring a laptop with the required system hardware and operating system configuration
  • Install VMware (Workstation, workstation Player, or Fusion)
  • Make sure you have a working USB drive capable of mounting exFAT file partitions. The course VM files will be copied onto your laptop from a USB key provided by SANS.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Mobile application developers
  • Mobile app development managers
  • Mobile app architects
  • Quality assurance testers
  • Penetration testers who are interested in mobile app defensive strategies
  • Auditors who need to understand mobile app risks and defensive controls
  • Application security managers

This class requires a basic understanding of mobile application development, server side APIs, and the HTTP protocol.

  • Course books
  • Lab workbook with step-by-step instructions for completing the Android and iOS exercises
  • USB containing virtual machines for Android and iOS
  • Identify sensitive information stored insecure on a mobile device
  • Sniff mobile app traffic using Wireshark
  • Test a mobile app for certificate pinning protections
  • Use a web application proxy to test mobile app APIs for vulnerabilities
  • Leverage built-in fingerprint authorization APIs from your custom apps
  • Understand industry cryptography best practices (NIST, PCI) for encryption, hashing, and random number generation on mobile platforms
  • Secure Android IPC and iOS URL schemes
  • Inspect mobile app binaries and obtain sensitive information
  • Find sensitive information on the mobile file system
  • Prevent mobile app data leakage
  • Securely store data on the file system
  • Intercept mobile app communications
  • Secure mobile app communications
  • Enable certificate pinning
  • Test server side mobile APIs
  • Implement custom app encryption
  • Use the Android Keystore and iOS Keychain
  • Defend against client side injection
  • Configure secure Android IPC services
  • Secure URL schemes and Universal Links
  • Perform binary analysis
  • Implement reverse engineering defenses

"Mobile DEV security is extremely important and yet very rarely covered in other courses. Excellent course, and very valuable." - Mark Geeslin

Author Statement

Mobile apps are changing the way organizations do business by replacing traditional web applications. Instead of using a laptop's web browser to access sensitive resources (e.g. prescriptions, financials, sales quotes, etc.), apps that perform the same functionality are being installed on the end user's mobile device.

Mobile apps, which often rely on backend web service API's that are exposed over the Internet, require development teams to understand a new set of security issues including protecting data stored locally on the device, defending against reverse engineering, deploying secure web API's, and many more.

This course is designed to teach students how to attack their mobile applications, learn the mitigation strategies required to fix common vulnerabilities, and further their understanding through hands-on exercises. Take part in this exciting course and learn to defend your mobile applications!

- Eric Johnson & Greg Leonard

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method


3 Training Results
Type Topic Course / Location / Instructor Date Register

Training Event
Developer
SANS 2018
Orlando, FL
Apr 9, 2018 -
Apr 10, 2018
 

Training Event
Developer
Apr 21, 2018 -
Apr 22, 2018
 

Private Training
All Private Training Course of Your Choice Your Choice  

*Course contents may vary depending upon location, see specific event description for details.