defdeveu courses

Mobile security baseline

About the course

The course provides a solid overview of how mobile applications are viewed from a hacker's perspective. Besides introducing the audience to the relevant concepts and ideas, participants are given examples and demo applications covering common hacking tools, the exploitation of security pitfalls, and typical design and implementation mistakes.


title: Mobile security baseline
aka: "Secure coding and design principles for mobile"
audience: mobile applications developers, application hackers, security enthusiasts
duration: 3-6 hrs education time
developed by: Zsombor Kovács and Glenn ten Cate


We assume that the developers attending the preps mobile secdev course:
  • are familiar with the mobile app development process and technologies


Intro to secure coding

  • OWASP MASVS topics, an introduction to the areas to protect
  • How a properly designed infrastructure architecture should be built

Secure coding principles and design

  • Explanation of the secure coding principles
  • Practical hands-on tasks of the secure coding principles
  • Security by design

Mobile architectures are secure by design, so why do we care?

  • API security: what will hit the server side via a rooted mobile device
  • The attack potential of an intercepting attacker with traffic manipulation capabilities

Cryptography basics

  • Cryptography basics, TLS, ciphersuites
  • HTTPS certificate pinning, perfect forward secrecy, certificate transparency

Practical secure development

  • Setting up the right security requirements
  • Creating and training security champions
  • S-SDLC basics: secure development as an integral part of the SDLC
  • Automated tools and their value; non-automated approaches: pentests, peer code review, assisted code review

Testing exercises, DIY

  • Testing security in Xcode / Android Studio
  • Security testing with MobSF
  • Security testing with Drozer
  • Using for managing and protection of secrets
  • Using SonarQube in mobile development