Tuesday, November 19 • 9:00am - 5:00pm
2 Day Pre-Conference Training: Securing Mobile Devices & Applications


2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview: 
Mobile applications enable new threats and attacks that introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. With the number of mobile applications available in Google Play and the Apple App Store nearing 1.5 million, and vulnerabilities skyrocketing, it is imperative to apply standard application security practices to them. But how is mobile different?
This two-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.

Outline:
1)  Mobile Devices and Applications
Section Overview: Introduction to mobile devices, their capabilities, and how to emulate mobile apps and use mobile testing tools.
    1) Device Types and Capabilities
    2) Mobile App Emulators / IDEs
    3) Running the Class Apps
    4) Using a Testing Proxy: Burp
    5) How to Get Proxying to Work
2)  Mobile Application Architectures and Threat Model
Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing, and how different architectures affect these.
    1) Different Mobile Architectures
    2) OWASP Mobile Security Resources
    3) Mobile Threat Model
    4) Top 10 Mobile Controls
    5) Risk Management
    6) Mobile Threats and Attacks on Users, Devices, and Apps
    7) Consequences
    8) AppStore Security / Malware Threats
    9) Hands On: Hacking Mobile URLs (iOS), or Intents (Android)
3)  Mobile Application Architectures Deeper Dive
Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.
    1) Device Protections Built into Android and iPhone
    2) Data Protection
    3) Encryption
    4) Client-Only Architecture and Recommended Controls
    5) Client-Server Architecture and Recommended Controls
    6) Recommendation: Standard Security Controls
    7) Mobile Web Applications and Recommended Controls
    8) HTML5 Risks
    9) JavaScript Framework Risks
    10) Same Origin Policy
4)  Securing the Device
Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise. We show students how to secure employee-owned devices.
    1) Mobile Device Management (MDM) Applications
    2) Password Requirements
    3) Data Protection
    4) Enterprise Security Management (ESM)
5)  Securing Communications
Section Overview: What are the different communications technologies used by mobile devices, and what security threats do they pose?
    1) Threat: Unsafe Wireless Access Points, Sniffing, Tampering
    2) Review of Mobile Protocols and Platforms
    3) How to Use SSL Securely
6)  Mobile Authentication
Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services it uses.
    1) Threats: Lost/Stolen Phone, "Remember Me", Sniffing
    2) Strong Authentication vs. Usability
    3) Communicating Credentials Safely
    4) Storing Credentials Safely
7)  Mobile Registration
Section Overview: How to register a device to a person, and why mobile channel authentication is needed.
    1) Threats: Lost/Stolen Device, "Remember Me", Lost/Stolen Credentials
    2) Benefits of Registering the Device
    3) Methods for Authenticating the Device
    4) Avoiding Use of the UDID
8)  Mobile Data Protection
Section Overview: All of the different places sensitive data can be stored on phones, and how it can be protected.
    1) Identifying Sensitive Data
    2) Where and How Data Is Stored on Devices
    3) Hashing and Encryption
    4) Storing Keys
    5) Browser Caching
    6) Mobile-Specific "Accidental" Data Storage Areas
    7) Where NOT to Store Your Data on the Device
    8) HTML5 Local Storage
9)  Mobile Forensics
Section Overview: Where application data and configuration information typically gets stored on the mobile device.
    1) Forensics Tools for Android and iPhone
    2) Exploring the File System (Android / iPhone)
    3) Jailbreaking Grants More Access
    4) Interesting Areas of the File System (Android / iPhone)
    5) Application Configuration Files
    6) Autocomplete Records / iPhone App Screenshots
    7) Dumping Android Intents
    8) Scrounging in Backups
10) Mobile Access Control
Section Overview: The code-access security models to use in mobile apps.
    1) Threat: User Attacks Server
    2) Example Attacks
    3) Documenting Your Access Control Policy
    4) Mapping Enforcement to Server-Side Controls
    5) Presentation Layer Access Control
    6) Environmental Access Control
    7) Business Logic
    8) Data Protection
    9) Hands On: Access Other People's Accounts, Steal Funds
11) How to Protect Against Cross Site Scri

Speakers

Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services, helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. Dan holds a security...

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services, at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application...


Tuesday November 19, 2013 9:00am - 5:00pm EST
Empire & Hudson (7th Floor) NY Marriott Marquis
