Mobile Security: Securing Your Small, Smart Devices
Trainer: David Wichers (Aspect Security)
Audience Background: Technical
Audience Skill: Intermediate
Duration: 2 days – July 10-11, 2012
Training Summary:
Smart phones and tablets are everywhere these days. These small, smart devices provide as much functionality as a desktop or laptop. Chances of misplacing or losing these mobile devices are high. The risks of breaching an organization’s and/or user’s data are probable. Securing the applications and connectivity is crucial.
Because we believe that the best way to learn is by doing, much of the course’s content will be delivered in a lab
environment. This approach enables students to have hands-on experience with attack tools and flawed applications so
that they can learn how to identify vulnerabilities using real-world scenarios.
Attendee takeaways and key learning objectives:
- Understand how mobile devices and applications can be easily attacked.
- Identify common vulnerabilities.
- Be able to use state-of-the-art mobile application security testing tools.
- Secure mobile devices across the enterprise.
- Think like an attacker so that students can be pre-emptive.
Trainer Bio:
Dave Wichers is the Chief Operating Officer (COO) of Aspect Security (www.aspectsecurity.com), a company that specializes in application security services. Mr. Wichers brings over seventeen years of experience in the information security field. Prior to Aspect, he ran the Application Security Services Group at a large data center company, Exodus Communications.
His current work involves helping customers, from small e-commerce sites to Fortune 500 corporations and the U.S. Government, secure their applications by providing application security design, architecture, and SDLC support services: including code review, application penetration testing, security policy development, security consulting services, and
developer training.
Dave holds a BSE in Computer Systems Engineering from Arizona State University and a Masters degree in Computer Science from the University of California at Davis. Dave is a CISSP and a CISM, is currently the OWASP Conferences Chair (www.owasp.org), and is a coauthor of the OWASP Top Ten.
Training Outline
1)Â Mobile Application Threat Model
Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing.
1) Introductions
2) What is a mobile device?
3)Â Â Â Â Â Architectures
4)Â Â Â Â Â Threat Model
5)Â Â Â Â Â Malware
6)Â Â Â Â Â App Store Reality Check
2)Â Mobile Application Architecture
Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.
1)Â Â Â Â Â Security technologies in the platform
2)Â Â Â Â Â Architecture Controls
3)Â Securing the Device
Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise. We show students how to secure employee-owned devices
1)Â Â Â Â Â Mobile Device Management Applications
4)Â Securing Communications
Section Overview: What are all the different communications technologies used by mobile devices and what security threats do they pose?
1)Â Â Â Â Â Threat: Unsafe wireless access points, sniffing, tampering
2)Â Â Â Â Â Review mobile protocols and platforms
3)Â Â Â Â Â Selecting data transfer protocols
5)Â Â Â Mobile Authentication
Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
1)Â Â Â Â Â Threats: lost/stolen phone, remember me, sniffing
2)Â Â Â Â Â Communicating credentials safely
3)Â Â Â Â Â Storing credentials safely
4)Â Â Â Â Â Handling sessions safely
6)Â Mobile Registration
Section Overview: How to register a device to a person and explain the need for mobile channel authentication.
1)Â Â Â Â Â Threats: lost/stolen device, remember me, lost/stolen credentials
2)Â Â Â Â Â Secondary method of authenticating the device
7)Â Mobile Data Protection
Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.
1)Â Â Â Â Â Where and how is data stored on devices
2)Â Â Â Â Â Hashing and encryption
3)Â Â Â Â Â Storing keys
4)Â Â Â Â Â HTML5 local storage
8)Â Mobile Access Control
Section Overview: The code-access security models in use in mobile devices, jailbreaking, etc.
1)Â Â Â Â Â Threat: app attacks phone, user attacks server
2)Â Â Â Â Â Sandbox and Security Manager, using Permissions
3)Â Â Â Â Â One client to support multiple roles
4)Â Â Â Â Â Managing entitlements on the server
5)Â Â Â Â Â Jailbreaking/rooting
9)Â How to Protect Against Cross Site Scripting
Section Overview: The threat of XSS in mobile applications is real based on heavy usage of webkit.
1)Â Â Â Â Â Understand XSS
2)Â Â Â Â Â Learn how to execute XSS
3)Â Â Â Â Â Identify XSS flaws in code
4)Â Â Â Â Â XSS Real world examples
10) Protecting A User’s Privacy
Section Overview: How the phone can be used to undermine user privacy without their knowledge
1)Â Â Â Â Â Using location services (GPS, cell triangulation, compass, hardware device key)
2)Â Â Â Â Â Accessing contacts, photos, maps, and other personal data
3)Â Â Â Â Â Accessing calls, SMS, browser, cell usage history
4)Â Â Â Â Â Using camera, microphone safely
11) Enhancing Legal Agreements
Section Overview: Device functionality can circumvent application security
1)Â Â Â Â Â Bookshelf
2)Â Â Â Â Â Screen shots
3)Â Â Â Â Â Secure storage mechanisms
12) Secure Mobile Development Process
Section Overview: We explain how the app store process works for developers and how they can
ensure that their application doesn’t have security holes.
1)Â Â Â Â Â Optimizing the acceptance process
2)Â Â Â Â Â Using In-App Purchase features safely
3)Â Â Â Â Â Using static analysis tools
4)Â Â Â Â Â Testing with multiple devices at multiple OS levels
5)Â Â Â Â Â Keeping up with jailbreak and root technologies
13) Responding to Vulnerabilities
Section Overview: What to do if your application gets hacked.
1)Â Â Â Â Â Create security@yourdomain.com
2)Â Â Â Â Â Publish security information
3)Â Â Â Â Â Acknowledge incidents and vulnerabilities
4)Â Â Â Â Â Engage with researchers immediately
14) Hack It and Bring It!
Section Overview: A hands-on challenge for students to demonstrate what they have learned.
15) Wrap Up, Close and Thank You
Requirements
- Windows laptop capable of running VMWare player or a Mac laptop with xcode for iOS labs
-  If students want to run Android labs on Mac, they will need VMWare fusion, but that is not required.