Hemil Shah
August 20th – 21st (2 day)
Mobile application hacking and its security is becoming a major concern in today’s world. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Smart phones and tablets running on iPhone, Android, Windows and Blackberry have taken over the market in frenzy. With an introduction to html5 and native support on most of the mobile platforms, it really becomes interesting how security of mobile devices is shaping up. In today’s world email, social networking, banking everything is possible on the go with Smart phones and derived applications. These Smart phones are now equipped with features like data, Wi-Fi, voice and GPS functions and applications can leverage these features. The sudden growth in the number of applications available for these smart phones does raise a certain level of concern for the user’s security and server supporting these applications. Mobile applications are vulnerable to various sets of different attacks like local storage, user data harvesting, activity spying, unauthorized event injection, UI Jacking, Tab Jacking, Traffic redirection, Logical attacks, hard coded keys and a few other. At the same time Mobile applications are taken with server side over HTTP/HTTPS, it opens up few possible attacks on Web Services and APIs. The server side applications can be attacked with Injections. Several new technology stacks are evolving over Mobile like HTML5 and Silverlight which opens up new attack surface. In this context it is imperative for IT professional and corporate application owners understand these attack vectors along with a mechanism for securing. The class features real life cases, live demos, live hacking, code scanning and defense plans. The following topics will be covered during the class.
Introduction to Modern World Mobile Applications
- General Overview
- Case studies of Vulnerable and old AppStore applications
- Evaluation of Applications
- Trend in Mobile application Security
- Mobile Application Kiddos – What, Why, How and Where
- Introduction to iOS and iPhone Security
- Introduction to Android Security
- Evaluation of html5
- New features of HTML5 tags for Mobile
Understand OS structure and permission
- Sand boxing
- Mobile Application Architecture
- Understanding iPhone platforms
- iOS Structure
- Application Structure
- Application Distribution
- Permissions
- Understanding Android platforms
- Android file System/Dalvik
- Application Distribution
- Permissions
- Understanding Windows Phone platforms
- Windows file System
- Application Distribution
- Permission model
- Understanding HTML5 Applications on Mobile devices
- Common libraries used
- HTML5 tags on mobile front
Write your own Application
- Cocoa/Cocoa touch Framework
- Introduction to xCode
- Running application in iPhone simulator
- Introduction to sample android applications
- Running application in Android simulator
- Introduction to sample windows phone applications
- Running application in windows phone simulator
- Introduction to sample HTML5 applications
- Running HTML5 application on different mobile platforms
Set up Attack environment
- Intercepting tools (iPhone & Android)
- Analysis tools (iPhone & Android)
- Monitoring tools (iPhone & Android)
- Configuring simulators to use proxy (iPhone & Android)
- Overcoming SSL traffic interception challenges (iPhone & Android)
- Reverse engineering tools (iPhone & Android)
OWASP Top 10 Attacks for Mobile Application
- Insecure Data Storage
- Weak Server Side Controls
- Insufficient Transport Layer Protection
- Client Side Injection
- Poor Authorization and Authentication
- Improper Session Handling
- Security Decisions Via Untrusted Inputs
- Side Channel Data Leakage
- Broken Cryptography
- Sensitive Information Disclosure
HTML 5 Attacks
- CSRF with XHR and CORS bypass
- Jacking (Click, COR, Tab etc.)
- HTML5 driven XSS (Tags, Events and Attributes)
- Attacking storage and DOM variables
- Exploiting Browser SQL points
- Injection with Web Messaging and Workers
- DOM based XSS and issues
- Offline attacks and cross widget vectors
- Web Socket issues
- API and Protocol Attacks
Reverse Engineering & Code Analysis
- Reverse engineering iPhone application
- Reverse engineering Android Application
- Interesting things to look for after reverse engineering
- Static Code Analyzer for iOS
- Static Code Analyzer for Android
Source Code analysis for Mobile Applications
- Secure coding for Mobile Application
- How to incorporate secure design and coding principles for developing iOS & Android
applications - Safe/Unsafe APIs
- Avoiding Buffer Overflows And Underflows- Validating Input And Interprocess Communication
- Race Conditions and Secure File Operations
- Designing Secure User Interfaces
- Static Code Analyzer for iOS
- Security Development Checklists
Requirements
Participants should bring a working laptop with the following hardware (OS: Windows 7 or Server family; Please install .NET framework and Java), 4 GB RAM, 20 GB of free hard disk space). The laptop should be wi-fi enabled and you should have Administrative access on the computer.
A list of tools to be installed would be sent in private email before 1 week of the training.
About the trainer
Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides Professional services in Security Arena. He has worked with HBO, KPMG, IL&FS and Net-Square in security space. He has published several advisories, tools, and Whitepapers, and has presented at numerous conferences. Hemil is expert in Mobile Application Security, Application Security, researching new methodologies and training designs. He has performed more than 1000 security consulting assignments in the area of penetration testing, code reviews, web application assessments, security architecture reviews and Mobile application security review.
For further information or questions please contact Tiago at hemil _at_ espheresecurity.net