SECURE 2012

SECURE Hands-on


The Art of Building Bulletproof Mobile Apps for Apple iOS and Google Android
1-Day Tutorial

Kenneth R. van Wyk - KRvW Associates

Note: this workshop is available in English only.

Course Description:

This class looks at the unique security problems faced by application developers writing code for today's mobile platforms. In this first class of the smart phone series, we take a close look at Apple's iOS and Google's Android. The class presents a clear and practical view of the problems, how they can be attacked, and the remediation steps against the various attacks. It is heavily hands-on, so that the problems and the available solutions are not just described but demonstrated.

This class starts with a pragmatic description of the security problems faced by today's mobile app developer, guided by the Open Web Application Security Project's (OWASP) Mobile Top-10 Risk effort. These defects are studied in instructor-led sessions as well as in hands-on lab exercises in which each student learns how to actually exploit the defects to compromise the security of a real mobile application. (The labs are performed in safe test environments using the iOS iPhone Simulator and the Android Virtual Device.)

Next, the class covers the security principles that apply to smart phones and illustrates them through case studies and further hands-on exercises. The iOS and Android platform architecture and application architecture are then discussed. Lastly, the class looks at common security mechanisms found within applications and discusses how to implement them securely, with code examples in both iOS Objective-C and Android Java.

Intended Audience

This course is intended for Apple iOS app developers with hands-on experience using Apple's Xcode software development kit and/or Android's software development kit (via the Eclipse plug-in) environment. Application architects and IT security practitioners will also benefit from the majority of the class and labs.

Requirements:

Each student will need to provide a laptop computer for the hands-on lab exercises. Recommended minimum configurations include the following:

  • Apple OS X Lion with current updates
  • Current version of Apple Xcode software development kit for iOS
  • Registration into Apple's iPhone development program strongly recommended but not required
  • Approximately 10 gigabytes of available disk space
  • 2-4 gigabytes of RAM
  • VirtualBox virtual machine software (most recent version):
    • A pre-configured VM will be provided, with the Android SDK installed and configured
    • The VM can run on VirtualBox on Windows, Linux, or OS X with ample disk and RAM capacity

Agenda:

(Times are approximate)

09:30 Preparation phase - understanding the problem

  • What are the issues that result in vulnerable mobile software?
  • Why do smart phone software developers develop weak software?

10:00 Security principles for smart phones

  • Security principles that directly apply to smart phone applications
  • OWASP Top-10 Mobile Risk issues that are pertinent to smart phones
  • Hands-on demonstrations to illustrate the problems

11:00 Morning Refreshments

11:15 Platform architecture

  • Discussion on iOS and Android platform security features
    • Application sandboxing
    • Hardware encryption
    • Application signing
    • App store process
  • Testing applications using the device emulator

11:45 Security mechanisms

  • Building security controls for iOS and Android
    • Protecting secrets at rest
    • Protecting secrets in transit
    • Input validation
    • Output escaping
    • Authentication
    • Authorization
    • Server connections

12:30 Lunch

13:30 Security mechanisms, continued

14:30 Afternoon Refreshments

14:45 Coding labs - OWASP iGoat and GoatDroid

  • Introduction to OWASP's iGoat (iOS) and GoatDroid (Android) learning tools
  • Coding labs to learn and remediate numerous common problems
    • Safe backgrounding of an app
    • Safe use of system keychain
    • Securing cut-and-paste buffer data
    • Building an AES-256 encrypted database (without using Apple's encryption APIs)

17:15 Questions and Answers

Honorary patronage:

MNiSW

MAiC

GIODO

ENISA

UKE

Silver Partner:

Chartis

Partners:

Dr Web

Emitel

HP

Integrated Solutions

Palo Alto Networks

RSA

Symantec

Systemics PAB

Qualys

Matic

Websense

Stellar Partner:

EURID

Co-operation:

CESNET

CSIRT

Media patrons:

aleBank.pl

Business Security Magazine

Cyfrowy Urzad

eGospodarka.pl

Gazeta - Technologie

IRSI

IT professional

IT w administracji

Niebezpiecznik.pl

naukawpolsce

Zaufana Trzecia Strona

Copyright NASK 2012. All rights reserved.