Security Evaluation of Mobile Applications using 'App Report Cards'

  • Tuesday, 13 Oct 2015 10:00AM EDT (13 Oct 2015 14:00 UTC)
  • Speaker: Raul Siles

The mobile 'App Report Cards' is a scoring and reporting system, distributed as Microsoft Excel spreadsheets in the form of card templates, for a consistent and thorough security analysis and evaluation of Android and iOS mobile applications.

Mobile 'App Report Cards', specifically designed within the \SANS SEC575: Mobile Device Security and Ethical Hacking" training, provide penetration testers and mobile security analysts with a new guided security testing workflow to leverage the multiple tools and common techniques available to evaluate iOS and Android mobile applications. These techniques cover various aspects that influence the security posture of mobile apps, including storage and filesystem usage inspection, and network activity monitoring, interception and manipulation. This information is complemented with application static and automated analysis and reverse engineering techniques, combining app code and behavior analysis for effective app penetration testing. Additionally, opportunities to manipulate application behavior are identified as part of the analysis process by inspecting and modifying the app code, inspecting critical app definitions and interacting with its interfaces and components at runtime.

Complementary, mobile 'App Report Cards' provide a significant benefit to mobile application developers. The report helps them to review and apply the recommended countermeasures and protections to resolve identified flaws and meet the security expectations of each report card, while the scoring allows them to evaluate and track how the app security features progress and mature over time throughout different app versions.

This webcast will introduce the mobile 'App Report Cards' project and will provide step-by-step details on some of the analysis techniques used to scrutinize Android mobile applications when searching for security vulnerabilities and exploitation opportunities, and suggestions for developers to implement the desired security features.

Raul Siles will be teaching "SANS SEC575: Mobile Device Security and Ethical Hacking" this year in Dubai (Oct 17-22, 2015),, and London (Nov 16-21, 2015),

Note for our German attendees / Hinweis für Interessenten, die überdie Allianz für Cyber-Sicherheit teilnehmen:

Die Anmeldung und Teilnahme am Webcast ist kostenfrei, dazu istlediglich die einmalige Registrierung über einen kostenlosen SANSPortalzugang notwendig, der über den Login-Button oben rechts angelegtwerden kann. Es gelten die allgemeinen Datenschutzbestimmungen desSANS Instituts:"

SANS ist in der Allianz für Cyber-Sicherheit des BSI als Partnerengagiert und trägt in dieser Rolle den angebotenen Webcast bei.