Mobile security baseline

About the course

The course provides a solid overview of how mobile applications look from a hacker's perspective. Besides introducing the audience to the relevant concepts and ideas, participants are also given examples and demo applications for common hacking tools, for exploiting security pitfalls, and for design and implementation mistakes.


title: Mobile security baseline

aka: "Secure coding and design principles for mobile"

audience: mobile applications developers, application hackers, security enthusiasts

duration: 3-6 hours of education time

developed by: Zsombor Kovács and Glenn ten Cate


We assume that the developers attending the preps mobile secdev course:

  • are familiar with the mobile app development process and technologies


Intro to secure coding

  • OWASP MASVS topics, an introduction to the areas to protect

  • How a properly designed infrastructure architecture should be built

Secure coding principles and design

  • Explanation of the secure coding principles

  • Practical hands-on tasks of the secure coding principles

  • Security by design

Mobile architectures are secure by design, so why do we care?

  • API security, what will hit the server-side via a rooted mobile device

  • The attack potential of an intercepting attacker with traffic manipulation capabilities

Cryptography basics

  • Cryptography basics, TLS, ciphersuites

  • HTTP certificate pinning, Perfect forward secrecy, Certificate transparency

Practical secure development

  • Setting up the right security requirements

  • Creating and training security champions, S-SDLC basics, secure development as an integral part of the SDLC

  • Automated tools and their value, manual tools, pentests, peer code review, assisted code review

Testing exercises, DIY

  • Testing security in Xcode / Android Studio

  • Security testing with MobSF

  • Security testing with Drozer

  • Using for managing and protecting secrets

  • Using SonarQube in mobile development