Course Number: 90018
Length: 3 Days
College Credits: 16
Why should you choose TONEX for your Mobile App Security Training?
Mobile App Security Training covers mobile application and device security, providing complete and current coverage of mobile application and mobile platform security.
The course provides a solid foundation in basic mobile application security terminology and concepts, which is extended and built upon throughout the engagement. Attendees will examine various recognized attacks against mobile applications.
This award-winning 3-day Mobile Application Security and Penetration Testing Boot Camp focuses on preparing students for real-world mobile app pen testing through hands-on exercises and thought-provoking lectures led by an expert instructor.
We review the entire body of knowledge as it pertains to mobile application pen testing through a high-energy seminar approach.
Processes and best practices are discussed and illustrated through both discussions and group activities. Attendees will be led through a series of advanced topics, including performance and network optimization along with advanced security topics, comprised of integrated lectures, group discussions and comprehensive demonstrations.
Mobile Application security encompasses measures taken throughout the application’s life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the mobile application.
Mobile Applications only control the use of resources granted to them, and not which resources are granted to them. They, in turn, determine the use of these resources by users of the mobile application through mobile application security.
TONEX brings the first mobile application security training to developers, architects, testers, managers and security professionals. Learn about:
- Mobile application security, penetration, secure coding, mobile applications security testing, application penetration testing & ethical hacking
- Mobile security strategies and mobile threat models
- How to protect mobile devices
- Mobile Device Management (MDM)
- How to mitigate the risks associated with mobile devices and applications
- How to identify potential flaws in proprietary and third-party iOS, Android and HTML5 applications
- How to perform a mobile vulnerability assessment
- Open Web Application Security Project (OWASP)
- How to create and implement an effective mobile device security strategy for your organization
- Leverage best practices for mobile app and mobile device security
- Language-specific secure software development for Objective C, C/C++, Java, HTML5, ActionScript, Ruby, and CSS
- Enhancing Data Security, Digital Certificates, Digital Signatures, Keys, Trust Services, PKI, Keychain, Remote Transport Security, SSL and TLS
Workshops and Hands-on Labs
- Creating a mobile security policy and enforcement rules
- Encrypting application data on mobile devices
- Evaluating and Assessing mobile data protection mechanisms
- Methods to inspect applications for vulnerabilities
- Intercepting mobile device data
Who Should Attend
This course is designed for developers, security professionals and project stakeholders who wish to get up and running on developing well-defended mobile applications on different platforms:
- Mobile application developers
- Web application developers
- Mobile application penetration testers
- Mobile application architects
- Technical managers
Objectives
Upon completion of this course, the attendees will:
- Understand the concepts and terminology behind mobile application security
- Understand the basics of Cryptography, Encryption, Integrity and where they fit in the overall mobile application security picture
- Understand mobile application software vulnerabilities based on realistic threats
- Learn the entire spectrum of threats and attacks that take place against mobile applications and mobile platforms in today's world
- Understand the vulnerabilities of mobile programming languages such as Objective C and Java
- Understand the requirements and best practices for mobile applications management
- Understand how to find Vulnerabilities in Source Code
- Learn the Secrets of Mobile App Pen Testing in a totally hands-on classroom environment
- Learn how to exploit and defend real-world Mobile apps
- How to properly secure data
- Best practices on authentication, authorizations and Integrity of data
- How to avoid security pitfalls with mobile apps
- Tools and techniques to harden your applications against reverse engineering
- Complete TONEX's Innovative 100 Step Mobile App Pen Test Methodology
Outline
Mobile App Penetration Testing and Ethical Hacking
- The Attacker's View of the Mobile
- Overview of the Mobile Applications from a penetration tester’s perspective
- Overview of the various mobile platform architectures
- Overview of different types of vulnerabilities
- How to define a mobile application test scope and process
- Types of mobile penetration testing
- Methodology to Improve mobile application security
- Knowing your threats
- Securing the network, host and application
- Incorporating security into your software development process
- Mobile Application Security Policy
- Asset
- Threat
- Vulnerability
- Attack (or exploit)
- Countermeasure
- Application Threats / Attacks
- Certificate Storage/Management
- Storage/Management
- Digital Signature
- PIN/password protection
- Remote applet management
- Content storage/encryption
- Identity management
- Secure data exchange
- Authentication and Integrity management
- Mobile applications security testing
- Application penetration testing & ethical hacking
- Language-specific secure software development: Objective C, C/C++, Java/JEE, HTML5, ActionScript, Ruby, and CSS
- Digital Certificates, Digital Signatures, Keys, Trust Services, PKI, Keychain, Remote Transport Security, SSL and TLS
- Sensitive data unprotected at rest
- Buffer overflows and other C programming issues
- Secure communications to servers
- Patching your application
- Security in mobile app development platforms
- Overview of iOS security architecture
- Overview of Android security architecture
- Overview of Windows Phone 7 security architecture
- Security features of iOS and Android
- Keychain Services
- Security APIs in iOS and Android
- Assets, threats, and attacks
- Security Technical
- Security Testing
- Access Applications
- VPN and Secure Storage of Data
- Protection of Downloaded and Broadcasted Content
- Mobile DRM
- Service and Content Protection for Mobile Broadcast Services
- Security Requirements
- Authentication Applications
- Extensible Authentication Protocol (EAP)
- Generic Bootstrapping Architecture (GBA)
- Public Key Infrastructure (PKI) and Certificate-based Authentication
- Identity Selection Applications
- Security and Trust Model of Identity Selector
- Mobile Applications Security Feature Requirement Matrix
- Overview of the infrastructure within the mobile application
- Overview of Wireless Networks: Access and Core
- Overview of Mobile Development Platforms
- Mobile platforms security architecture
- SSL/TLS/DTLS configurations and weaknesses
- Google and Facebook hacking
- Hacking Social Networks
- Objective C
- C/C++
- Java
- HTML5
- ActionScript
- Ruby
- CSS
- Information leakage
- Username harvesting
- Command injection
- SQL injection
- Blind SQL injection
- Session issues
- Hacking the keys
- Fuzzing
- Attacking Web services
- Malicious applets and objects
- Vulnerabilities in mobile applications through discovery of the client components
- Methods for attacking mobile services
- Methods to zombify browsers
- Using zombies to port scan or attack internal networks
- Explore attack frameworks
- Walk through an entire mobile attack scenario
- Exploit the various mobile app vulnerabilities
- Application Threats / Attacks
- Input Validation
- Authentication
- Authorization
- Configuration management
- Sensitive information
- Session management
- Cryptography
- Parameter manipulation
- Exception management
- Auditing and logging
- Impact of Security on Performance
- Attack Types and Methods to Prevent them
- Buffer overflow
- Cross-site scripting
- SQL injection
- Canonicalization
- Network eavesdropping
- Brute force attack
- Dictionary attacks
- Cookie replay
- Credential theft
- Elevation of privilege
- Disclosure of confidential data
- Data tampering
- Luring attacks
- Unauthorized access to administration interfaces
- Unauthorized access to configuration stores
- Retrieval of clear text configuration data
- Lack of individual accountability
- Over-privileged process and service accounts
- Access sensitive data in storage
- Network eavesdropping; data tampering
- Session hijacking; session replay
- Man in the middle
- Poor key generation or key management
- Weak or custom encryption
- Query string manipulation
- Form field manipulation
- Cookie manipulation
- HTTP header manipulation
- Information disclosure; denial of service