Price: $2,199.00

Length: 3 Days

Mobile Security Training by Tonex

The Mobile Security Training course explores enterprise mobile security and teaches you about mobile security weaknesses and threats. Learn how attackers can use mobile devices to abuse and attack organizations. We show you various mobile security concerns, technical issues with mobile platforms, remediation strategies, security policies, and solutions on a variety of mobile devices, smart devices and platforms, including iOS (iPhone and iPad) and Android.

Learn more about:

  • Application Security and SDLC Fundamentals
  • Mobile networks and technologies
  • Mobile threat models
  • Mobile Device Management (MDM) and BYOD
  • Secure Java, C# and Objective-C coding
  • iOS and Android SDK, APIs, and Security Features
  • Web Service and Network Security
  • Data Security and Implementing Encryption
  • Application hardening and reverse engineering

Explore the techniques for protecting mobile devices and smartphones, since mobile threats are different. Learn how mobile devices and platforms operate and integrate with the IT infrastructure within the enterprise. Understand the role of mobile device security policy and how it can impact mobile security. Learn about mobile security and MDM solutions and how to extend protection beyond mobile devices, apps, and data.

Mobile Security Training Topics Include:

  • Mobile device overview
  • Mobile device characteristics
  • Weaknesses in mobile phones
  • Overview of mobile networks
  • LTE, LTE-Advanced, 5G, WiFi, Bluetooth and SATCOM Network and Security features and architecture
  • High-Level threats and vulnerabilities
  • Physical security controls
  • Exploit tools and attacks against mobile devices
  • Mobile devices and security infrastructures
  • iOS, Android, Blackberry and Windows Phone environment: emulator/sdk/hardware/
  • Basic concepts of reverse engineering mobile applications
  • Exploiting mobile applications
  • Attacking web applications, and web services
  • Decompiling and reversing Apps
  • Fuzzing Android Apps
  • Web App/Web Service Testing
  • Working with SQLite Manager
  • Using Burp/Charles Proxy
  • Device encryption support and threats
  • Mobile privacy concerns and threats
  • Guidelines and roadmaps for establishing mobile security policies
  • Analyzing trusted networks and untrusted content
  • Use of location services
  • Use of Applications created by unknown parties
  • Technologies for Mobile Device Management
  • Security Components and Architectures
  • Security for the Enterprise Mobile Device Solution Life Cycle
  • Restrictions on Mobile Devices and Access Levels
  • Penetration testing iOS, Android, Blackberry and Windows Phone
  • Penetrating the mobile applications
  • Policies on how to secure mobile devices
  • Jailbreaking tools and techniques

Who Should Attend?

This class is recommended for mobile device manufacturers, application developers, mobile network operators, software companies, special ops, covert ops personnel, FBI, CIA, NSA, DoD offensive security professionals, and other professionals from the Intel community.

Course Content

Mobile Security Infrastructure

  • Implement Vulnerability Assessment Tools and Techniques
  • Scan for Vulnerabilities
  • Mitigation and Deterrent Techniques
  • Mobile Security Threats and Vulnerabilities
  • Social Engineering
  • Physical Threats and Vulnerabilities
  • Network-Based Threats
  • Wireless Threats and Vulnerabilities
  • Software Based Threats

Mobile Security Fundamentals

  • Information Security Cycle
  • Information Security Controls
  • Authentication Methods
  • Cryptography Fundamentals
  • Security Policy Fundamentals
  • Mobile computing trends and threats
  • Best practices in mobile device management (MDM)
  • Mobile Device Management (MDM)
  • Centralizing device administration
  • Enabling BYOD in the organization
  • Confronting BYOD challenges
  • Fortifying device synchronization
  • Modifying policies to work with each mobile OS
  • Handling lost or stolen devices
  • Securing the mobile application in the organization
  • Open Web Application Security Project (OWASP)
  • Mobile phone forensics and its implications

Mobile Network Security

  • Network Devices and Technologies
  • Concepts behind LTE, LTE-Advanced and 5G Security
  • SATCOM Security
  • Concepts behind WiFi, Bluetooth and NFC Security
  • Mobile Security Frameworks
  • Network Design Elements and Components
  • Implement Networking Protocols
  • Access Control, Authentication, and Account Management
  • Data Security
  • Apply Network Security Administration Principles
  • Secure Wireless Traffic
  • Managing Application, Data and Host Security
  • Establish Device/Host Security

iOS SDK, APIs, and Security Features

  • Code signing
  •  Sandbox
  •  Data at rest encryption
  •  Generic native exploit mitigation features
  • Non executable memory
  •  Stack smashing protection

iOS Data Protection API

  • Various levels of protection, driven by developer
  •  Complete protection
  •  Protected unless open
  •  Protected until first user authentication
  •  No protections

iOS Security Framework

  •  Common Crypto Libraries
  •  Symmetric encryption
  •  HMAC
  •  Digests
  •  Generating secure random numbers
  • Security and limitations of the keychain
  •  Keychain access groups
  •  Managing certificates and keys

Web Service and Network Security

  • Clear text transmission of data
  •  Man-in-the-middle attacks
  •  Cellular proxy attack (provisioning profile)
  •  Insufficient validation of certificates / certificate chain
  •  SSL compromise
  •  DNS hijacking
  • SSL session with validation
  •  Validate originated from a trusted CA
  •  Validate the certificate has not been revoked
  •  Describe how to implement / validate client-side certificates
  •  SSL pinning

Common Threats to Web Services

  •  Information disclosure
  •  Brute forcing
  •  Fuzzing
  •  SQL injection
  •  Directory traversal

Implementation of Session Security

  •  Highly random token
  •  Expire on timeout or exit
  •  Store in memory not in data
  •  Avoid static user token
  •  UDID deprecation

Data Security and Implementing Encryption

  • Key storage and retention
  • Master keys
  •  Key strength
  •  Cipher Specifications
  •  Forensic trace
  •  Storage of data in protected APIs
  •  Built-in encryption vs. custom encryption
  •  File permissions and using strong passwords for database security
  •  How to hash sensitive data and seed of passwords
  •  Storing more data externally on servers
  •  Not storing data outside of the applications security
  •  Do not store sensitive data, if you can avoid it
  •  Protecting data at rest while the device is locked

Implementation of encryption in iOS

  •  CommonCryptor
  • Logic in applications
  •  Certificate and key exchange
  •  Authentication and authorization
  •  Session management
  •  Decryption as authentication, not after

Data Encryption APIs

  •  PIN vs. complex passphrase
  •  Data protection APIs
  •  Keychain and vulnerabilities
  •  Demonstrate knowledge of Apple’s encrypted file system
  •  Journal

Android SDK, APIs and Security Features

  • System and kernel level security
  •  Application sandbox
  •  Application signing
  •  Purpose
  •  Key management
  •  Permissions
  •  File system
  •  Application-defined
  •  URI permissions

Android Permission Model

  •  Protected APIs
  •  Requesting permissions
  •  Defining permissions
  •  Use of signatures
  •  Protection levels
  •  Summarize the Device Administration API
  •  Purpose and appropriate use
  •  Letting the user control access to sensitive data
  •  Start the contacts activity to let the user select a contact for use by the application rather than require permission to access all contacts
  •  Start the camera application to let the user take a picture for use in the application without requiring camera permissions

Secure inter-process communication in Android

  •  Public and private components
  •  Protecting access to
  •  Services
  •  Broadcast receivers
  •  Activities
  •  Content providers
  •  Databases
  •  Securely accessing third-party components with IPC
  •  Types of attacks
  •  Confused deputy
  •  Intent sniffing
  •  Intent hijacking
  •  Data disclosure

Application Hardening Principles

  • Apple Digital Rights Management
  •  Mach-O object format
  •  Symbol table definitions
  •  Class-dump
  •  Dumping memory
  •  Binary stripping
  • Process trace checks
  •  Tamper response
  •  Counter-debugging techniques
  •  Code obfuscations
  •  Optimizations
  •  Inline functions
  •  Encrypted payloads

Managing Public Key Infrastructure (PKI)

  • Install a Certificate Authority (CA) Hierarchy
  • Back Up a CA
  • Restore a CA
  • Managing Certificates
  • Enroll Certificates
  • Renew Certificates
  • Revoke Certificates
  • Back Up Certificates and Private Keys
  • Restore Certificates and Private Keys

Compliance and Operational Security

  • Physical Security
  • Legal Compliance
  • Security Awareness and Training
  • Managing Risk
  • Risk Analysis
  • Implement Risk Mitigation Strategies

Workshops

  • Developing a Mobile Security Strategy
  • Creating the mobile threat matrix model
  • Creating a security policy framework
  • Evaluating vulnerabilities
  • Creating a mobile security assessment plan
  • Assessing mobile network and device vulnerabilities

 

 

Objectives

Upon completion of this course, students will:

  • Describe fundamental principles of mobile security
  • Describe concepts behind Mobile Network Security (3G, LTE, WiFi, Bluetooth, NFC, and GPS)
  • Describe concepts behind MDM and BYOD
  • Describe fundamental principles of application security
  •  Describe the security model of iOS devices
  •  Describe common threats to mobile application security
  •  Develop moderately complex applications using the iOS SDK
  •  Describe Web services security model and vulnerabilities
  •  Properly implement SSL/TLS for Web communications
  •  Utilize the security features of the iOS operating system and APIs
  •  Properly implement secure coding techniques
  •  Avoid insecure retention of data in memory
  •  Describe common implementations of cryptography such as PKI
  •  Leverage encryption for storage and/or communications
  •  Harden an application against attack to levels appropriate for the risk model of the application
