The Art of Building Bulletproof Mobile Apps for Apple iOS and Google Android
Kenneth R. van Wyk - KRvW Associates
Note: this workshop is available in English only.
This class looks at the unique security problems faced by application developers writing code for today's mobile platforms. In this first class of the smart phone series, we take a close look at Apple's iOS and Google's Android. The class presents a clear and practical view of the problems, how they can be attacked, and the remediation steps available against the various attacks. It is heavily hands-on, demonstrating rather than merely describing both the problems and the available solutions.
This class starts with a pragmatic description of the security problems faced by today's mobile app developer, guided by the Open Web Application Security Project's (OWASP) Mobile Top 10 Risks project. These defects are studied in instructor-led sessions as well as in hands-on lab exercises in which each student learns how to actually exploit the defects to compromise the security of a real mobile application. (The labs are performed in safe test environments using the iOS iPhone Simulator and the Android Virtual Device.)
Next, the class covers the security principles that apply to smart phones and illustrates them through case studies and further hands-on exercises. The iOS and Android platform architecture and application architecture are then discussed. Lastly, the class looks at common security mechanisms found within applications and discusses how to implement them securely, with code examples in both iOS Objective-C and Android Java.
This course is intended for iOS app developers with hands-on experience using Apple's Xcode software development kit and/or Android app developers with hands-on experience using the Android software development kit (via the Eclipse plug-in). Application architects and IT security practitioners will also benefit from the majority of the class and labs.
Each student will need to provide a laptop computer for the hands-on lab exercises. Recommended minimum configurations include the following:
- Apple OS X Lion with current updates
- Current version of Apple Xcode software development kit for iOS
- Registration into Apple's iPhone development program strongly recommended but not required
- Approximately 10 gigabytes of available disk space
- 2-4 gigabytes of RAM
- VirtualBox virtual machine software (most recent version):
- A pre-configured VM will be provided, with the Android SDK installed and configured
- The VM can run on VirtualBox on Windows, Linux, or OS X with ample disk and RAM capacity
(Times are approximate)
09:30 Preparation phase - understanding the problem
- What are the issues that result in vulnerable mobile software?
- Why do smart phone software developers develop weak software?
10:00 Security principles for smart phones
- Security principles that directly apply to smart phone applications
- OWASP Top-10 Mobile Risk issues that are pertinent to smart phones
- Hands-on demonstrations to illustrate the problems
11:00 Morning Refreshments
11:15 Platform architecture
- Discussion on iOS and Android platform security features
- Application sandboxing
- Hardware encryption
- Application signing
- App store process
- Testing applications using the device emulator
11:45 Security mechanisms
- Building security controls for iOS and Android
- Protecting secrets at rest
- Protecting secrets in transit
- Input validation
- Output escaping
- Server connections
13:30 Security mechanisms, continued
14:30 Afternoon Refreshments
14:45 Coding labs - OWASP iGoat and GoatDroid
- Introduction to OWASP's iGoat (iOS) and GoatDroid (Android) learning tools
- Coding labs to learn and remediate numerous common problems
- Safe backgrounding of an app
- Safe use of system keychain
- Securing cut-and-paste buffer data
- Building an AES-256 encrypted database (without using Apple's encryption APIs)
17:15 Questions and Answers