background image

Mobile Security: Securing Your Small, Smart Devices

Trainer: David Wichers (Aspect Security)

Audience Background: Technical

Audience Skill: Intermediate

Duration: 2 days – July 10-11, 2012

Training Summary:

Smart phones and tablets are everywhere these days. These small, smart devices provide as much functionality as a desktop or laptop. Chances of misplacing or losing these mobile devices are high. The risks of breaching an organization’s and/or user’s data are probable. Securing the applications and connectivity is crucial.

Because we believe that the best way to learn is by doing, much of the course’s content will be delivered in a lab

environment. This approach enables students to have hands-on experience with attack tools and flawed applications so

that they can learn how to identify vulnerabilities using real-world scenarios.

Attendee takeaways and key learning objectives:

  • Understand how mobile devices and applications can be easily attacked.
  • Identify common vulnerabilities.
  • Be able to use state-of-the-art mobile application security testing tools.
  • Secure mobile devices across the enterprise.
  • Think like an attacker so that students can be pre-emptive.

Trainer Bio:

Dave Wichers is the Chief Operating Officer (COO) of Aspect Security (www.aspectsecurity.com), a company that specializes in application security services. Mr. Wichers brings over seventeen years of experience in the information security field. Prior to Aspect, he ran the Application Security Services Group at a large data center company, Exodus Communications.

His current work involves helping customers, from small e-commerce sites to Fortune 500 corporations and the U.S. Government, secure their applications by providing application security design, architecture, and SDLC support services: including code review, application penetration testing, security policy development, security consulting services, and

developer training.

Dave holds a BSE in Computer Systems Engineering from Arizona State University and a Masters degree in Computer Science from the University of California at Davis. Dave is a CISSP and a CISM, is currently the OWASP Conferences Chair (www.owasp.org), and is a coauthor of the OWASP Top Ten.

Training Outline

1)Â Mobile Application Threat Model

Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing.

1) Introductions

2) What is a mobile device?

3)Â Â Â Â Â Architectures

4)Â Â Â Â Â Threat Model

5)Â Â Â Â Â Malware

6)Â Â Â Â Â App Store Reality Check

2)Â Mobile Application Architecture

Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.

1)Â Â Â Â Â Security technologies in the platform

2)Â Â Â Â Â Architecture Controls

3)Â Securing the Device

Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise. We show students how to secure employee-owned devices

1)Â Â Â Â Â Mobile Device Management Applications

4)Â Securing Communications

Section Overview: What are all the different communications technologies used by mobile devices and what security threats do they pose?

1)Â Â Â Â Â Threat: Unsafe wireless access points, sniffing, tampering

2)Â Â Â Â Â Review mobile protocols and platforms

3)Â Â Â Â Â Selecting data transfer protocols

5)Â Â Â Mobile Authentication

Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.

1)Â Â Â Â Â Threats: lost/stolen phone, remember me, sniffing

2)Â Â Â Â Â Communicating credentials safely

3)Â Â Â Â Â Storing credentials safely

4)Â Â Â Â Â Handling sessions safely

6)Â Mobile Registration

Section Overview: How to register a device to a person and explain the need for mobile channel authentication.

1)Â Â Â Â Â Threats: lost/stolen device, remember me, lost/stolen credentials

2)Â Â Â Â Â Secondary method of authenticating the device

7)Â Mobile Data Protection

Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.

1)Â Â Â Â Â Where and how is data stored on devices

2)Â Â Â Â Â Hashing and encryption

3)Â Â Â Â Â Storing keys

4)Â Â Â Â Â HTML5 local storage

8)Â Mobile Access Control

Section Overview: The code-access security models in use in mobile devices, jailbreaking, etc.

1)Â Â Â Â Â Threat: app attacks phone, user attacks server

2)Â Â Â Â Â Sandbox and Security Manager, using Permissions

3)Â Â Â Â Â One client to support multiple roles

4)Â Â Â Â Â Managing entitlements on the server

5)Â Â Â Â Â Jailbreaking/rooting

9)Â How to Protect Against Cross Site Scripting

Section Overview: The threat of XSS in mobile applications is real based on heavy usage of webkit.

1)Â Â Â Â Â Understand XSS

2)Â Â Â Â Â Learn how to execute XSS

3)Â Â Â Â Â Identify XSS flaws in code

4)Â Â Â Â Â XSS Real world examples

10) Protecting A User’s Privacy

Section Overview: How the phone can be used to undermine user privacy without their knowledge

1)Â Â Â Â Â Using location services (GPS, cell triangulation, compass, hardware device key)

2)Â Â Â Â Â Accessing contacts, photos, maps, and other personal data

3)Â Â Â Â Â Accessing calls, SMS, browser, cell usage history

4)Â Â Â Â Â Using camera, microphone safely

11) Enhancing Legal Agreements

Section Overview: Device functionality can circumvent application security

1)Â Â Â Â Â Bookshelf

2)Â Â Â Â Â Screen shots

3)Â Â Â Â Â Secure storage mechanisms

12) Secure Mobile Development Process

Section Overview: We explain how the app store process works for developers and how they can

ensure that their application doesn’t have security holes.

1)Â Â Â Â Â Optimizing the acceptance process

2)Â Â Â Â Â Using In-App Purchase features safely

3)Â Â Â Â Â Using static analysis tools

4)Â Â Â Â Â Testing with multiple devices at multiple OS levels

5)Â Â Â Â Â Keeping up with jailbreak and root technologies

13) Responding to Vulnerabilities

Section Overview: What to do if your application gets hacked.

1)Â Â Â Â Â Create security@yourdomain.com

2)Â Â Â Â Â Publish security information

3)Â Â Â Â Â Acknowledge incidents and vulnerabilities

4)Â Â Â Â Â Engage with researchers immediately

14) Hack It and Bring It!

Section Overview: A hands-on challenge for students to demonstrate what they have learned.

15) Wrap Up, Close and Thank You

 

 

Requirements

  • Windows laptop capable of running VMWare player or a Mac laptop with xcode for iOS labs
  •  If students want to run Android labs on Mac, they will need VMWare fusion, but that is not required.

This site was build using Wordpress The theme was based on the Royal-Blue theme

Security Bug Disclosure Policy: Let us know privately if you find something, and we'll work with you to get it fixed. Please don't abuse the site to find bugs, though, as that runs up our hosting fees.