2 Day Pre-Conference Training: Securing Mobile Devices & Applications

Presented at AppSec USA 2013, Nov. 19, 2013, 9 a.m. (480 minutes)

2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview:

Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. Considering that the number of mobile applications available in Google Play and the Apple App Store is nearing 1.5 million, and that vulnerabilities are skyrocketing, it is imperative to apply typical application security practices. But how is mobile different? This two-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.

Outline:

1) Mobile Devices and Applications
   Section Overview: Introduction to mobile devices, their capabilities, and how to emulate mobile apps and use mobile testing tools.
   1) Device Types and Capabilities
   2) Mobile App Emulators / IDEs
   3) Running the Class Apps
   4) Using a Testing Proxy: Burp
   5) How to Get Proxying to Work

2) Mobile Application Architectures and Threat Model
   Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing, and how different architectures affect these.
   1) Different Mobile Architectures
   2) OWASP Mobile Security Resources
   3) Mobile Threat Model
   4) Top 10 Mobile Controls
   5) Risk Management
   6) Mobile Threats and Attacks on Users, Devices, and Apps
   7) Consequences
   8) App Store Security / Malware Threats
   9) Hands On: Hacking Mobile URLs (iOS) or Intents (Android)

3) Mobile Application Architectures Deeper Dive
   Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.
   1) Device Protections Built into Android and iPhone
   2) Data Protection
   3) Encryption
   4) Client-Only Architecture and Recommended Controls
   5) Client-Server Architecture and Recommended Controls
   6) Recommendation: Standard Security Controls
   7) Mobile Web Applications and Recommended Controls
   8) HTML5 Risks
   9) JavaScript Framework Risks
   10) Same Origin Policy

4) Securing the Device
   Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise. We show students how to secure employee-owned devices.
   1) Mobile Device Management (MDM) Applications
   2) Password Requirements
   3) Data Protection
   4) Enterprise Security Management (ESM)

5) Securing Communications
   Section Overview: What are all the different communications technologies used by mobile devices, and what security threats do they pose?
   1) Threat: Unsafe Wireless Access Points, Sniffing, Tampering
   2) Review of Mobile Protocols and Platforms
   3) How to Use SSL Securely

6) Mobile Authentication
   Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
   1) Threats: Lost/Stolen Phone, Remember Me, Sniffing
   2) Strong Authentication vs. User Usability
   3) Communicating Credentials Safely
   4) Storing Credentials Safely

7) Mobile Registration
   Section Overview: How to register a device to a person, and an explanation of the need for mobile channel authentication.
   1) Threats: Lost/Stolen Device, Remember Me, Lost/Stolen Credentials
   2) Benefits of Registering the Device
   3) Methods for Authenticating the Device
   4) Avoiding Use of UDID

8) Mobile Data Protection
   Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.
   1) Identifying Sensitive Data
   2) Where and How Data Is Stored on Devices
   3) Hashing and Encryption
   4) Storing Keys
   5) Browser Caching
   6) Mobile-Specific 'Accidental' Data Storage Areas
   7) Where NOT to Store Your Data on the Device
   8) HTML5 Local Storage

9) Mobile Forensics
   Section Overview: Where application data and configuration information typically gets stored on the mobile device.
   1) Forensics Tools for Android and iPhone
   2) Exploring the File System (Android / iPhone)
   3) Jailbreaking Grants More Access
   4) Interesting Areas of the File System (Android / iPhone)
   5) Application Configuration Files
   6) Autocomplete Records / iPhone App Screenshots
   7) Dumping Android Intents
   8) Scrounging in Backups

10) Mobile Access Control
   Section Overview: The code-access security models to use in mobile apps.
   1) Threat: User Attacks Server
   2) Example Attacks
   3) Documenting Your Access Control Policy
   4) Mapping Enforcement to Server-Side Controls
   5) Presentation Layer Access Control
   6) Environmental Access Control
   7) Business Logic
   8) Data Protection
   9) Hands On: Access Other People's Accounts, Steal Funds

11) How to Protect Against Cross Site Scri

Presenters:

  • David Lindner - Managing Consultant and Global Practice Manager - Aspect Security
    David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services, at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space, including everything from mobile application penetration testing and code review to analyzing MDM and BYOD solutions. David also specializes in performing application penetration tests utilizing commercial and freeware products as well as manual testing methods. David has written code in many different languages but specializes in Java/J2EE and Perl. David has supported many different clients including financial, government, automobile, healthcare, and retail. David holds an M.S. degree in Computer Engineering and Information Assurance from Iowa State University, recognized by the NSA as a National Center of Academic Excellence in Information Assurance Education. His Master's thesis was on creating secure web applications and incorporating security throughout the Software Development Lifecycle (SDLC). David completed his undergraduate work at Wartburg College in Waverly, IA, where he received a B.A. with a triple major in Computer Science, Physics, and Mathematics.
  • Dan Amodio - Principal Consultant - Aspect Security
    As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services, helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. Dan holds a security clearance and directly supports a variety of client projects. He leads mobile security efforts, security architecture and design reviews, code reviews, and penetration testing for clients in the government, educational, airline, and financial sectors. His expertise spans an array of IT disciplines including application security, software development, systems administration, and technical support. He has over 10 years of programming experience in a variety of languages and actively participates in open source and software security communities. Outside of work, Dan enjoys spending time with his wife and daughter. He is a longtime musician who performs, records, and does sound engineering.
