defdeveu courses
Search…
README
secdev courses
Java
JavaScript
Android
iOS
.NET
C/C++
Webapps in general
Testing courses
Mobile testing automation
Security test automation in CI/CD pipelines
Burp for developers
DevSecOps courses
Docker security
AWS security
Control courses
Security champions boot
Assisted code-review lab
Practical personal cybersec for security auditors
S-SDLC playbook
Library
Mobile security baseline
Hacking applications
Language specific
Delivery
Main features
Agenda structure
Days and kits
Trainer formations
Course materials
Trainers
Glenn ten Cate
Zsombor Kovács
Davide Cioccia
Péter Nyilasy
Marek Zachara
Riccardo ten Cate
Timur Khrotko
Powered By GitBook
Mobile security baseline

About the course

The course provides a solid overview about how mobile applications can be viewed from a hacker's perspective. Besides introducing the audience to concepts and ideas, the participants are also provided with examples and demo applications for common hacking tools, exploiting security pitfalls, design and implementation mistakes.

Properties

title: Mobile security baseline
aka: "Secure coding and design principles for mobile"
audience: mobile applications developers, application hackers, security enthusiasts
duration: 3-6hrs education time
developed by: Zsombor Kovács and Glenn ten Cate

Prerequisites

We assume that the developers attending the preps mobile secdev course:
  • are familiar with with the mobile apps development process and technologies

Agenda

Intro to secure coding

  • OWASP MASVS topics, an introduction to the areas to protect
  • How a properly designed infrastructure architecture should be built

Secure coding principles and design

  • Explanation of the secure coding principles
  • Practical hands-on tasks of the secure coding principles
  • Security by design

Mobile architectures are secure by design, why do we care

  • API security, what will hit the server-side via a rooted mobile device
  • The attack potential of an intercepting attacker with traffic manipulation capabilities

Cryptography basics

  • Cryptography basics, TLS, ciphersuites
  • HTTP certificate pinning, Perfect forward secrecy, Certificate transparency

Practical secure development

  • Setting up the right security requirements
  • Create and train security champions S-SDLC basics, secure development as integral part of SDLC
  • Automatic tools and their values, non-automatic tools, pentests, peer code-review, assisted code-review

Testing exercises, DIY

  • Testing security in Xcode / Android Studio
  • Security testing with MobSF
  • Security testing with Drozer
  • Using vault.io for managing and protection of secrets
  • Using SonarQube in mobile development

Trainers

Control courses - Previous
S-SDLC playbook
Next - Library
Hacking applications
Last modified 3yr ago
Copy link
Contents
About the course
Properties
Prerequisites
Related courses
Agenda
Trainers