Full Program »
M1. Mobile Security: Securing Mobile Devices & Applications
Monday, 9 December 2013
08:30 - 12:00
Orleans A
Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. Considering the number of mobile applications available in the Google Play and Apple AppStore is nearing 1.5 million and vulnerabilities are skyrocketing it is imperative to perform typical application security practices. But, how is mobile different?
This one-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile applications across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.
Learning Objectives:
Understand how mobile devices and applications can be easily attacked.
Identify common vulnerabilities.
Be able to use state-of-the-art mobile application security testing tools.
Think like an attacker so that students can be preemptive.
Prerequisites:
For Android labs: (1) Laptop with the ability to run an Ubuntu 10.04.3 Virtual Machine (Vmware); (2) CPU and memory as required by the operating system; (3) 10 GB free disk space
For iOS labs: (1) PC running recent version of Mac OS X, with Xcode installed; (2) CPU and memory as required by the operating system
Outline:
Mobile Application Risks. Introduction to Application risks and how to emulate mobile apps and use mobile testing tools.
OWASP Mobile Security Resources.
Current state of Mobile AppSec.
Top 10 Mobile Controls.
How and Why Attackers do it.
Understanding Risk.
Consequences.
Mobile Application Architectures Deeper Dive. Different styles of computing in the mobile space, the core technologies involved, and how applications are built.
Device Protections built into Android and iPhone.
Data Protection.
Encryption.
Client Only Architecture and Recommended Controls.
Client-Server Architecture and Recommended Controls.
Recommendation: Standard Security Controls.
Mobile Web Applications and Recommended Controls.
HTML 5 Risks.
JavaScript Framework Risks.
Same Origin Policy.
Mobile Authentication. We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
Threats: lost/stolen phone, remember me, sniffing.
Strong Authentication vs. User Usability.
Communicating credentials safely.
Storing credentials safely.
Mobile Session Management. How to handle session management with mobile devices.
What not to do.
iOS and Android Recommendations.
Mobile Data Protection. All of the different places that sensitive data can be stored on phones, and how it can be protected.
Identifying sensitive data.
Threats: Lost or Stolen Devices, Sniffing.
Protecting data in transit.
Securing Communications.
Testing communication strength.
Protecting data at rest.
Where and how is data stored on devices.
Storing keys.
Browser Caching.
Mobile specific 'accidental' data storage areas.
Where NOT to store your data on the device.
HTML5 local storage.
Mobile Forensics. Where application data and configuration information typically gets stored on the mobile device.
Forensics tools for Android and iPhone.
Exploring the file system (Android / iPhone).
Jailbreaking grants more access.
Interesting areas of the file system (Android / iPhone).
Application configuration files.
Autocomplete records / iPhone app screen shots.
Dumping Android Intents.
Scrounging in Backups.
Mobile Access Control. The code-access security models to use in mobile apps.
Threat: user attacks server.
Example attacks.
Documenting your access control policy.
Mapping enforcement to server side controls.
Presentation Layer Access Control.
Environmental Access Control.
Business Logic.
Data Protection.
Hands On: Access Other Peoples Accounts, Steal Funds.
Other Applications. How do we treat the threat of other applications?
Risks of AppStores.
Malware.
Rooted devices and applications.
What can developers do?
Protecting A User's Privacy. How the phone can be used to undermine user privacy without their knowledge
Using location services (GPS, cell triangulation, compass, hardware device key).
Accessing contacts, photos, maps, and other personal data.
Accessing calls, SMS, browser, cell usage history.
Using camera, microphone safely.
Hack It and Bring It! A hands-on challenge for students to demonstrate what they have learned. Wrap Up, Close and Thank You About the Instructor: Mr. David Lindner is Aspect's Managing Consultant; Global Practice Manager, Mobile Application Security Services. David brings 13 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space including everything from mobile application penetration testing/code review, to analyzing MDM and BYOD solutions. David also specializes in performing application penetration tests utilizing commercial and freeware products as well as manual testing methods. David has written code in many different languages but specializes in Java/J2EE and Perl. David has supported many different clients including financial, government, automobile, healthcare, and retail. David holds an M.S. degree in Computer Engineering and Information Assurance from Iowa State University, recognized by the NSA as a National Center of Academic Excellence in Information Assurance Education. His Master's thesis was Creating Secure Web Applications and incorporating security throughout the Software Development Lifecycle. (SDLC). David completed his undergraduate work at Wartburg College in Waverly, IA where he received a B.A. with a triple major in Computer Science, Physics, and Mathematics.