Mobile security baseline

About the course

The course provides a solid overview of how mobile applications look from a hacker's perspective. Besides introducing the audience to the underlying concepts and ideas, the participants are given examples and demo applications covering common hacking tools, the exploitation of security pitfalls, and typical design and implementation mistakes.


title: Mobile security baseline
aka: "Secure coding and design principles for mobile"
audience: mobile applications developers, application hackers, security enthusiasts
duration: 3-6hrs education time
developed by: Zsombor Kovács and Glenn ten Cate


We assume that the developers attending the preps mobile secdev course:
    are familiar with the mobile app development process and technologies


Intro to secure coding

    OWASP MASVS topics, an introduction to the areas to protect
    How a properly designed infrastructure architecture should be built

Secure coding principles and design

    Explanation of the secure coding principles
    Practical hands-on tasks of the secure coding principles
    Security by design

Mobile architectures are secure by design: why do we care?

    API security, what will hit the server-side via a rooted mobile device
    The attack potential of an intercepting attacker with traffic manipulation capabilities

Cryptography basics

    Cryptography basics, TLS, ciphersuites
    HTTP certificate pinning, Perfect forward secrecy, Certificate transparency

Practical secure development

    Setting up the right security requirements
    Create and train security champions; S-SDLC basics, secure development as an integral part of the SDLC
    Automatic tools and their value, non-automatic tools, pentests, peer code review, assisted code review

Testing exercises, DIY

    Testing security in Xcode / Android Studio
    Security testing with MobSF
    Security testing with Drozer
    Using for managing and protecting secrets
    Using SonarQube in mobile development
