Securing Mobile Devices and Applications

Dave Wichers

August 20th – 21st (2 days)

Smart phones and tablets are everywhere these days. These small, smart devices provide as much functionality as a desktop or laptop. The chances of misplacing or losing these mobile devices are high, and the risk of a breach of an organization's and/or user's data is correspondingly real. Securing the applications and their connectivity is crucial. This hands-on course will enable students to:

  • Understand how mobile devices and applications can be easily attacked.
  • Identify common vulnerabilities.
  • Be able to use state-of-the-art mobile application security testing tools.
  • Secure mobile devices across the enterprise.
  • Think like an attacker so that they can be pre-emptive.

Because we believe that the best way to learn is by doing, much of the course’s content will be delivered in a lab environment. This approach enables students to have hands-on experience with attack tools and flawed applications so that they can learn how to identify vulnerabilities using real-world scenarios.

1) Mobile Devices and Applications
Section Overview: Introduction to Mobile Devices, their capabilities, and how to emulate mobile apps and use mobile testing tools.

1) Device Types and Capabilities
2) Mobile App Emulators / IDEs
3) Running the Class Apps
4) Using a Testing Proxy: Burp
5) How to get Proxying to work

2) Mobile Application Architectures and Threat Model
Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing and how different architectures affect these.

1) Different Mobile Architectures
2) OWASP Mobile Security Resources
3) Mobile Threat Model
4) Top 10 Mobile Controls
5) Risk Management
6) Mobile Threats and Attacks on Users, Devices, and Apps
7) Consequences
8) AppStore Security / Malware Threats
9) Hands On: Hacking Mobile URLs (iOS), or Intents (Android)

3) Mobile Application Architectures Deeper Dive
Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.

1) Device Protections built into Android and iPhone
2) Data Protection
3) Encryption
4) Client Only Architecture and Recommended Controls
5) Client-Server Architecture and Recommended Controls
6) Recommendation: Standard Security Controls
7) Mobile Web Applications and Recommended Controls
8) HTML 5 Risks
9) JavaScript Framework Risks
10) Same Origin Policy

4) Securing the Device
Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise. We show students how to secure employee-owned devices.

1) Mobile Device Management (MDM) Applications
2) Password Requirements
3) Data Protection
4) Enterprise Security Management (ESM)

5) Securing Communications
Section Overview: What are all the different communications technologies used by mobile devices and what security threats do they pose?

1) Threat: Unsafe wireless access points, sniffing, tampering
2) Review mobile protocols and platforms
3) How to use SSL Securely

6) Mobile Authentication
Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.

1) Threats: lost/stolen phone, remember me, sniffing
2) Strong Authentication vs. User Usability
3) Communicating credentials safely
4) Storing credentials safely

7) Mobile Registration
Section Overview: How to register a device to a person and explain the need for mobile channel authentication.

1) Threats: lost/stolen device, remember me, lost/stolen credentials
2) Benefits of Registering the Device
3) Methods for Authenticating the Device
4) Avoiding use of UDID

8) Mobile Data Protection
Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.

1) Identifying sensitive data
2) Where and how is data stored on devices
3) Hashing and encryption
4) Storing keys
5) Browser Caching
6) Mobile specific ‘accidental’ data storage areas
7) Where NOT to store your data on the device
8) HTML5 local storage

9) Mobile Forensics
Section Overview: Where application data and configuration information typically gets stored on the mobile device.

1) Forensics tools for Android and iPhone
2) Exploring the file system (Android / iPhone)
3) Jailbreaking grants more access
4) Interesting areas of the file system (Android / iPhone)
5) Application configuration files
6) Autocomplete records / iPhone app screen shots
7) Dumping Android Intents
8) Scrounging in Backups

10) Mobile Access Control
Section Overview: The code-access security models to use in mobile apps.

1) Threat: user attacks server
2) Example attacks
3) Documenting your access control policy
4) Mapping enforcement to server side controls
5) Presentation Layer Access Control
6) Environmental Access Control
7) Business Logic
8) Data Protection
9) Hands On: Access Other People's Accounts, Steal Funds

11) How to Protect Against Cross Site Scripting (XSS)
Section Overview: The threat of XSS in mobile applications is real, given the heavy use of WebKit.

1) Understand XSS
2) Learn how to execute XSS
3) Be able to identify XSS flaws in code
4) XSS real world examples
5) Practical Defenses: Primarily Output Encoding

12) Protecting A User’s Privacy
Section Overview: How the phone can be used to undermine a user's privacy without their knowledge.

1) Using location services (GPS, cell triangulation, compass, hardware device key)
2) Accessing contacts, photos, maps, and other personal data
3) Accessing calls, SMS, browser, cell usage history
4) Using camera, microphone safely

13) Secure Mobile Development Process
Section Overview: We explain how developers can ensure that their application doesn’t have security holes.

1) Defining your goals, process, and risk management mechanisms.
2) Building security into each phase of the development lifecycle
3) Mobile security analysis techniques
4) Defect tracking and process improvement

14) Responding to Vulnerabilities
Section Overview: What to do if your application gets hacked.

1) Create security@yourdomain.com
2) Publish security information
3) Acknowledge incidents and vulnerabilities
4) Engage with researchers immediately

15) Hack It and Bring It!
Section Overview: A hands-on challenge for students to demonstrate what they have learned.

16) Wrap Up, Close and Thank You


Requirements

The hands-on lab portion of this course requires a Mac OS X environment with Xcode installed for the iOS application portion, and a VMware player such as VMware Player or VMware Workstation for the Android applications. It is preferred that students have a Mac available to use for the hands-on labs.

About the trainer

As the Chief Operating Officer (COO) of Aspect Security (www.aspectsecurity.com), a company that specializes in application security services, Mr. Wichers brings over seventeen years of experience in the information security field. Prior to Aspect, he ran the Application Security Services Group at a large data center company, Exodus Communications.
His current work involves helping customers, from small e-commerce sites to Fortune 500 corporations and the U.S. Government, secure their applications by providing application security design, architecture, and SDLC support services, including code review, application penetration testing, security policy development, security consulting services, and developer training.
Dave holds a BSE in Computer Systems Engineering from Arizona State University and a Master’s degree in Computer Science from the University of California at Davis. Dave is a CISSP and a CISM, is currently the OWASP Conferences Chair (www.owasp.org), and is a coauthor of the OWASP Top Ten.

For further information or questions please contact Dave at dave.wichers _at_ aspectsecurity.com