SPECIAL-OPS 3 – MOBILE APPLICATION HACKING – ATTACK & DEFENSE
OVERVIEW
Mobile applications, and the attacks against them, have become a major security concern. In the last few years we have seen a range of new attack vectors and exploitation methods aimed at these devices. Smartphones and tablets running iOS (iPhone), Android, Windows and BlackBerry have taken over the market. Email, social networking and banking are all possible on the go with a smartphone and the applications built for it. These devices are equipped with data, Wi-Fi, voice and GPS capabilities, and applications can leverage all of them. The sudden growth in the number of applications available for these devices raises real concerns for the security of both the user and the servers supporting those applications.
Mobile applications are vulnerable to a range of attacks, including insecure local storage, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks, hard-coded keys and others. At the same time, mobile applications talk to the server side over HTTP/HTTPS, which opens up attacks against the web services and APIs behind them; those server-side components can be attacked with injection. New technology stacks such as HTML5 and Silverlight are evolving on mobile and open up new attack surface. In this context it is imperative for IT professionals and corporate application owners to understand these attack vectors along with the mechanisms for defending against them. The class features real-life cases, live demos, code scanning and defense plans. The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, who brings his experience in application and mobile security research into the curriculum to address these new challenges. The following topics will be covered during the class.
COURSE OUTLINE
Mobile Application Attack Surface and Threats
- General trends in applications and technology
- Recent attacks and exploits against mobile
- Evaluation of mobile applications
- Trends in mobile application security and exploit patterns
- Mobile basic blocks – What, Why, How and Where
- Mobile Top 10 Attack Vectors
iPhone Application Model and Hacks
- Sandboxing
- iPhone Application Architecture
- OS Structure
- Application Architecture and Distribution
- iPhone Attack Vectors
- Exploit Scenario and Tools
- Defense and Countermeasures
Android Application Model and Hacks
- Sandboxing and Permission Model
- Android Application Architecture
- OS Structure and Layers
- Application Architecture and Entry Points
- Android Attack Vectors
- Exploit Scenario and Tools
- Defense and Countermeasures
- Comparing Android with other application frameworks such as BlackBerry and Windows
- Attack Vectors for Windows and BlackBerry Applications
Environment for Attack and Penetration Testing
- Intercepting tools
- Analysis tools
- Monitoring tools
- Configuring simulators and emulators to use a proxy
- Overcoming SSL traffic interception challenges
- Reverse engineering tools
Mobile Application Attacks for All Platforms
- Insecure storage
- Insecure network communication
- Unauthorized dialing and event injection
- UI impersonation, clickjacking and tabjacking
- Activity spying and data harvesting
- OS-level modification via stealth calls (rootkits, APN proxy configuration)
- Sensitive information leakage
- Hard-coded keychain entries and passwords
- Language issues
- Timely application updates
- Jailbreaking/physical device theft
- Business logic/logical flaws
- Keyboard cache/clipboard issues on iPhone
- Reading information from SQLite databases
- Web/browser attacks
- HTML5 and Silverlight attacks
Reverse Engineering & Code Analysis
- Reverse engineering iPhone applications
- Reverse engineering Android applications
- Interesting things to look for after reverse engineering
- Secure coding for Mobile Application
- Static Code Analyzer for iOS
- Static Code Analyzer for Android
Who Should Attend?
Penetration testers, web developers, mobile application developers, QA engineers, application architects, security researchers and anyone who wants to learn mobile security.
Shreeraj Shah (Founder/Director, Blueinfy)
Shreeraj Shah (B.E., MSCS, MBA, CSSLP) is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was a founder and board member at Net Square. He has also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is the author of popular books including Web 2.0 Security, Hacking Web Services and Web Hacking: Attacks and Defense. In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Black Hat, OSCON, Bellua, SyScan and ISACA. His articles are regularly published on SecurityFocus, InformIT, DevX, O’Reilly and HNS. His work has been quoted by the BBC, Dark Reading and Bank Technology, where he is cited as an expert.
Hemil Shah (Founder/Director of eSphere Security)
Hemil Shah, CISSP, CSSLP, ACP, is the founder and Director of eSphere Security, a company that provides professional services in the security arena. He has also worked with HBO, KPMG, IL&FS and Net-Square in the security space. He has published several advisories, tools and whitepapers, and has presented at numerous conferences. Hemil is an expert in mobile application security and application security, researching new methodologies and training designs. He has performed more than 1000 security consulting assignments in the areas of penetration testing, code review, web application assessment, security architecture review and mobile application security review.