IQSOFT - John Brice Training Centre
AUTHORIZED TRAINING COURSES

Android and iOS security

Course objectives

As a developer, your duty is to write bulletproof code. However...

What if we told you that despite all of your efforts, the code you have been writing your entire career is full of weaknesses you never knew existed? What if, as you are reading this, hackers were trying to break into your code? How likely would they be to succeed?

This advanced course will change the way you look at code. A hands-on training during which we will teach you all of the attackers’ tricks and how to mitigate them, leaving you with no other feeling than the desire to know more.

It is your choice to be ahead of the pack, and be seen as a game changer in the fight against cybercrime.

  •     Understand the basic concepts of security, IT security and secure coding
  •     Learn the security solutions on Android
  •     Learn to use the various security features of the Android platform
  •     Learn the security solutions on iOS
  •     Learn to use the various security features of iOS
  •     Learn about typical coding mistakes and how to avoid them
  •     Gain a practical understanding of cryptography
  •     Gain an understanding of native code vulnerabilities on Android
  •     Realize the severe consequences of insecure buffer handling in native code
  •     Understand the architectural protection techniques and their weaknesses
  •     Learn about denial of service attacks and protections
  •     Gain practical knowledge of security testing tools for iOS
  •     Gain practical knowledge of security testing tools for Android
  •     Get sources and further reading on secure coding practices
Syllabus
  •     IT security and secure coding
  •     Android security overview
  •     Android application security
  •     Protecting Android applications
  •     iOS security overview
  •     iOS application security
  •     Common coding errors and vulnerabilities
  •     Practical cryptography
  •     Android native code security
  •     Denial of service
  •     Security testing techniques and tools
  •     Principles of security and secure coding
  •     Knowledge sources

IT security and secure coding

  •         Nature of security
  •         What is risk?
  •         IT security vs. secure coding
  •         From vulnerabilities to botnets and cybercrime
    •             Nature of security flaws
    •             Reasons for the difficulty
    •             From an infected computer to targeted attacks
    •             The Seven Pernicious Kingdoms
    •             OWASP Top Ten 2017
    •             OWASP Mobile Top Ten 2016 (release candidate)

Android security overview

  •         Android fragmentation challenges
  •         The Android software stack
  •         OS security features and exploit mitigation techniques
  •         The Linux kernel
    •             User and process separation
    •             Anonymous shared memory (ashmem)
    •             ANDROID_PARANOID_NETWORK kernel option
    •             SELinux Type Enforcement policies
    •             SELinux policies
    •             SELinux policy example –
    •             Adding custom policy files
    •             Exercise: compiling and using SELinux policies
    •             SELinux Role-Based Access Control
    •             SELinux Multi-Level Security
  •         Filesystem security
    •             Filesystems used for external storage
    •             Filesystem encryption
    •             Encrypting individual files and external SD cards
  •         Dalvik
    •             Dalvik VM
    •             VM Separation
    •             Zygote
    •             Bytecode verifier
  •         Android Runtime (ART)
    •             ART architecture
    •             ART backward compatibility
    •             ART security features
    •             Ahead-of-time (AOT) compilation
  •         Deploying applications
    •             Application signing
    •             No validation of developer identity
    •             Google’s review process
    •             Installing using Google Play
    •             Installing outside of Google Play
    •             Verify Apps

Android application security

  •         Permissions
    •             Using permissions
    •             Exercise – using permissions
    •             Using custom permissions
    •             Exercise – using custom permissions
    •             Permissions – best practices
  •         Writing secure Android applications
    •             Activity, Fragment and Service – basics
    •             Intents
    •             Implicit intents
    •             Intent hijacking
    •             BroadcastReceiver security
    •             Activity hijacking
    •             Best practices against activity hijacking
    •             Sticky broadcasts
    •             Content provider
    •             Content provider permissions

Protecting Android applications

  •         Digital Rights Management (DRM)
    •             DRM architecture
    •             Android DRM overview
    •             Challenges of DRM protection
    •             DRM protection without hardware support - hardening
    •             DRM protection – decrypted content
  •         Reverse engineering and debugging
    •             Reverse engineering methods and tools
    •             Getting the package name
    •             Reverse engineering exercise

iOS security overview

  •         iOS platform security basics
    •             Evolution of iOS security features
    •             iOS architecture
    •             iOS security architecture
  •         iOS sandboxing and app interactions
    •             Sandbox concepts
    •             The iOS application sandbox
    •             The iOS sandbox directories
    •             Inter-app communication basics
    •             Extensions and sandboxing
  •         Securing data storage
    •             Data Protection overview
    •             Key generation and storage
    •             Disk and file encryption
    •             Keybags
    •             Data Protection classes
    •             Keychain Data Protection classes
  •         Deploying applications
    •             App verification
    •             Developer registration
    •             Code signing
    •             Apple’s review process
    •             Illicit 'app store optimization'

iOS application security

  •         iOS permissions
    •             Settings – privacy view
    •             iOS permissions – compared to Android
    •             Entitlements vs permissions
  •         Writing secure iOS applications
    •             Privilege Separation
    •             Local data storage
    •             Storing local data in the Keychain
    •             Exercise: managing local data
    •             Keychain sharing vulnerability due to Apple provisioning bug
    •             Developing secure networked applications
    •             Local file encryption
  •         Protecting applications
    •             FairPlay DRM for iOS apps
    •             Third-party DRM pitfalls
    •             Obfuscation and encryption
    •             Securing inter-app communication – URL schemes
  •         Cryptography
    •             Cryptography on iOS
  •         Digital Rights Management (DRM)
    •             iOS DRM overview

Common coding errors and vulnerabilities

  •         Input validation
    •             Input validation concepts
  •         Injection
    •             SQL Injection on Android
    •             Typical SQL Injection attack methods
    •             SQL Injection protection methods
    •             Using parameterized queries in Android
    •             JSON Injection
  •         Cross-site scripting
    •             Mobile Web views
      •                 Dangers of UIWebView
      •                 Android WebView XSS
      •                 XSS prevention
      •                 Android WebView security best practices
      •                 iOS UIWebView security best practices
      •                 A real-world vulnerability: Skype for iOS (2011)
  •         Integer problems
    •             Representation of negative integers
    •             Integer overflow
    •             Exercise IntOverflow
    •             What is the value of Math.abs(Integer.MIN_VALUE)?
    •             Integer problem – best practices
      •                 Avoiding arithmetic overflow – addition
      •                 Avoiding arithmetic overflow – multiplication
    •             Java case study
      •                 A real-world integer overflow vulnerability in Java
      •                 The actual mistake in java.util.zip.CRC32
    •             Integer problems in Objective-C
      •                 Integer overflow – Objective-C best practices
    •             Case study – Android Stagefright
      •                 Stagefright – a quick introduction
      •                 Some Stagefright code examples – spot the bugs!
  •         Other typical input validation mistakes
    •             Path traversal vulnerability
      •                 Path traversal and manipulation
      •                 Path traversal mitigation
    •             Unsafe reflection
      •                 Implementation of a command dispatcher
      •                 Unsafe reflection – spot the bug!
      •                 Mitigation of unsafe reflection
    •             Log forging
      •                 Some other typical problems with log files
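
The integer items above (the Math.abs question, the addition and multiplication best practices, and the length-check bug class behind the CRC32 and Stagefright case studies) are easy to get wrong in the same way, so here is an added, self-contained Java illustration of them. It is not course material or JDK code; the range-check functions are a constructed instance of the bug class, not a copy of any particular vulnerable method.

```java
import java.math.BigInteger;

// Added illustration of the course's integer-overflow topics (not course code).
public final class IntOverflowDemo {

    // Two's complement has one more negative than positive value, so -Integer.MIN_VALUE
    // cannot be represented: Math.abs silently returns MIN_VALUE, which is negative.
    static int absOfMinValue() {
        return Math.abs(Integer.MIN_VALUE);            // still -2147483648
    }

    // Addition: test before adding, using only expressions that cannot themselves overflow.
    static int checkedAdd(int a, int b) {
        if ((b > 0 && a > Integer.MAX_VALUE - b) || (b < 0 && a < Integer.MIN_VALUE - b)) {
            throw new ArithmeticException("int overflow: " + a + " + " + b);
        }
        return a + b;
    }

    // Multiplication: compute in the wider long type, then check that the result fits an int.
    static int checkedMultiply(int a, int b) {
        long r = (long) a * b;
        if (r != (int) r) {
            throw new ArithmeticException("int overflow: " + a + " * " + b);
        }
        return (int) r;
    }

    // Since Java 8 the JDK ships the same checks; prefer them over hand-rolled code.
    static int jdkAdd(int a, int b) { return Math.addExact(a, b); }

    // A bounds check of the shape seen in real parsers: "off + len <= length" looks right,
    // but a huge attacker-supplied len wraps the sum negative and the check passes.
    // Constructed example of the bug class, not a copy of any JDK or Stagefright code.
    static boolean vulnerableRangeCheck(int length, int off, int len) {
        return off >= 0 && len >= 0 && off + len <= length;
    }

    // Same intent, written so that no intermediate value can overflow.
    static boolean safeRangeCheck(int length, int off, int len) {
        return off >= 0 && len >= 0 && off <= length && len <= length - off;
    }

    public static void main(String[] args) {
        System.out.println("Math.abs(Integer.MIN_VALUE) = " + absOfMinValue());
        System.out.println("MAX_VALUE + 1 wraps to " + (Integer.MAX_VALUE + 1));
        System.out.println("exact value would be "
                + BigInteger.valueOf(Integer.MAX_VALUE).add(BigInteger.ONE));

        try { checkedAdd(Integer.MAX_VALUE, 1); }
        catch (ArithmeticException e) { System.out.println("caught: " + e.getMessage()); }
        try { checkedMultiply(65536, 65536); }
        catch (ArithmeticException e) { System.out.println("caught: " + e.getMessage()); }
        try { jdkAdd(Integer.MIN_VALUE, -1); }
        catch (ArithmeticException e) { System.out.println("caught: " + e.getMessage()); }

        int bufLen = 16, off = 8, len = Integer.MAX_VALUE;   // constructed: attacker-controlled length field
        System.out.println("vulnerable check accepts: " + vulnerableRangeCheck(bufLen, off, len)); // true
        System.out.println("safe check accepts:       " + safeRangeCheck(bufLen, off, len));       // false
    }
}
```

The point of the last two functions is the one the Stagefright "spot the bugs" slides make: the fix is not a bigger integer type but a check written so that every intermediate expression is provably in range.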

Practical cryptography

  •         Cryptosystems
    •             Elements of a cryptosystem
  •         Symmetric-key cryptography
    •             Providing confidentiality with symmetric cryptography
    •             Symmetric encryption algorithms
    •             Block ciphers – modes of operation
  •         Other cryptographic algorithms
    •             Hash or message digest
    •             Hash algorithms
    •             SHAttered
    •             Message Authentication Code (MAC)
    •             Providing integrity and authenticity with a symmetric key
    •             Random numbers and cryptography
    •             Cryptographically-strong PRNGs
    •             Hardware-based TRNGs
  •         Asymmetric (public-key) cryptography
    •             Providing confidentiality with public-key encryption
    •             Rule of thumb – possession of private key
    •             The RSA algorithm
      •                 Introduction to RSA algorithm
      •                 Encrypting with RSA
      •                 Combining symmetric and asymmetric algorithms
      •                 Digital signing with RSA
  •         Public Key Infrastructure (PKI)
    •             Man-in-the-Middle (MitM) attack
    •             Digital certificates against MitM attack
    •             Certificate Authorities in Public Key Infrastructure
    •             X.509 digital certificate
  •         Cryptography on Android
    •             Java Cryptography Architecture / Extension (JCA/JCE)
    •             Using Cryptographic Service Providers
    •             Engine classes and algorithms
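
To tie the symmetric, asymmetric and JCA items above together, here is an added example (not course code, written for this page) of "combining symmetric and asymmetric algorithms" with the standard JCA engine classes: a fresh AES-256 key encrypts the message with GCM, which gives confidentiality and integrity at once, and RSA-OAEP wraps that key for the recipient. The message, header and key size are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

// Added example: hybrid encryption with the JCA (not course code). A per-message
// AES-256 key encrypts with GCM; RSA-OAEP wraps that key for the recipient, so only
// the holder of the private key can unwrap it (the "possession of private key" rule).
public final class HybridEncryptionDemo {

    private static final int GCM_IV_BYTES = 12;     // 96-bit nonce, the recommended GCM size
    private static final int GCM_TAG_BITS = 128;
    // Name SHA-256 for MGF1 explicitly; the transformation string alone leaves MGF1's hash to the provider.
    private static final OAEPParameterSpec OAEP_SHA256 = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    /** Returns {wrappedKey, iv, ciphertextWithTag}. */
    static byte[][] encrypt(PublicKey recipient, byte[] plaintext, byte[] aad)
            throws GeneralSecurityException {
        SecureRandom rng = new SecureRandom();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, rng);
        SecretKey dek = kg.generateKey();            // data-encryption key, used for one message only

        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(iv);                           // never reuse an IV under the same key
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        aes.updateAAD(aad);                          // authenticated but not encrypted header
        byte[] ciphertext = aes.doFinal(plaintext);  // ciphertext with the 16-byte tag appended

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipient, OAEP_SHA256);
        return new byte[][] { rsa.wrap(dek), iv, ciphertext };
    }

    static byte[] decrypt(PrivateKey own, byte[] wrappedKey, byte[] iv, byte[] ciphertext, byte[] aad)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, own, OAEP_SHA256);
        Key dek = rsa.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        aes.updateAAD(aad);
        return aes.doFinal(ciphertext);              // throws AEADBadTagException if anything was altered
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair recipient = kpg.generateKeyPair();

        byte[] aad = "msg-id:42".getBytes(StandardCharsets.UTF_8);       // constructed header
        byte[] msg = "transfer 10 EUR".getBytes(StandardCharsets.UTF_8);  // constructed message
        byte[][] env = encrypt(recipient.getPublic(), msg, aad);

        byte[] back = decrypt(recipient.getPrivate(), env[0], env[1], env[2], aad);
        System.out.println("decrypted: " + new String(back, StandardCharsets.UTF_8));

        // Flip one ciphertext bit: the GCM tag check rejects it instead of returning garbage.
        byte[] tampered = Arrays.copyOf(env[2], env[2].length);
        tampered[0] ^= 0x01;
        try {
            decrypt(recipient.getPrivate(), env[0], env[1], tampered, aad);
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getClass().getSimpleName());
        }
    }
}
```

What this does not solve is the question the PKI items raise: nothing here tells the sender that `recipient.getPublic()` really belongs to the recipient rather than to a man in the middle, which is what certificates and certificate authorities are for.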

Android native code security

  •         Buffer overflow possibilities in Android
  •         ARM machine code, memory layout and stack operations
    •             ARM Processors – main registers
    •             ARM Processors – most important instructions
    •             ARM Processors – control instructions
    •             ARM Processors – stack handling instructions
    •             ARM Processors – Condition Field
    •             ARM Processors – Condition Field cont.
    •             Understanding complex ARM instructions
    •             The function calling mechanism in ARM
    •             The local variables and the stack frame
    •             Function calls – prologue and epilogue of a function
    •             Stack frame of nested calls
    •             Stack frame of recursive functions
  •         Buffer overflow on the stack
    •             Classic buffer overflow on the stack
    •             Exercises – trying to exploit a buffer overflow
    •             Stack smashing protection in Android
    •             Effects of stack smashing protection
    •             Bypassing stack smashing protection
    •             Lack of source checking
    •             CVE-2011-1823 in vold's method – Spot the bug!
    •             Exercise – vold vulnerability
    •             Exercise – vold vulnerability exploit analysis
    •             WWW exploit with .got overwrite
    •             Exercise – overwrite .got with write-what-where
    •             Exercise – overwrite .got with WWW after Android 4.1
  •         Protection techniques – ASLR, XN, RELRO, ...
    •             Address Space Layout Randomization (ASLR)
    •             Randomization with ASLR
    •             Access Control on memory segments
    •             The eXecute Never (XN) bit (NX on x86)
    •             Read-only relocation and immediate binding – RELRO
    •             Bypassing ASLR, XN, RELRO and stack protection
    •             Information leakage
    •             Spot the bug
    •             Exercise – exploit information leakage
    •             Use after free – Dangling pointers
    •             Use after free – Instance of a class
    •             cString class
    •             Information leakage with use after free
    •             Exercise – information leakage with use after free
    •             Exercise – control information leakage
    •             Virtual method call
    •             Code execution with use after free
    •             Return-oriented programming (ROP)
    •             Creating ROP chain
    •             Exploit using ROP
    •             Exercise – code execution with use after free
    •             App name memory corruption – caused Google Play DoS
    •             Buffer overflow in Android KeyStore

Common coding errors and vulnerabilities

  •             Improper use of security features
    •                 Typical problems related to the use of security features
    •                 Insecure randomness
      •                     Weak PRNGs in Java
      •                     Exercise RandomTest
      •                     Using random numbers in Java – spot the bug!
    •                 Password management
      •                     Exercise – Weakness of hashed passwords
      •                     Password management and storage
      •                     Special purpose hash algorithms for password storage
      •                     Argon2 and PBKDF2 implementations in Java
      •                     bcrypt and scrypt implementations in Java
      •                     Password hash implementations on Android
      •                     KitKat changes concerning SecretKeyFactory
      •                     Password hash implementations on iOS
      •                     Storing sensitive data on iOS
  •             Improper error and exception handling
    •                 Typical problems with error and exception handling
    •                 Errors vs exceptions
    •                 Empty catch block
    •                 Overly broad throws
    •                 Overly broad catch
    •                 Using multi-catch
    •                 Returning from finally block – spot the bug!
    •                 Catching NullPointerException
    •                 Null pointers in Objective-C
    •                 Exercise – Error handling
    •                 Information leakage through logging (LogCat)
    •                 GoToMeeting vulnerability
    •                 Android best practices
    •                 Rooting based on the setuid vulnerability (RATC)
  •             Code quality problems
    •                 Dangers arising from poor code quality
    •                 Poor code quality – spot the bug!
    •                 Unreleased resources
    •                 Public method without final – object hijacking
    •                 Immutable String – spot the bug!
    •                 Immutability and security
    •                 Type mismatch – Spot the bug!
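
Two items in this section, "Insecure randomness" and "Password management", share one lesson, so here is a single added Java example (written for this page, not course code) covering both: first, why java.util.Random must not produce salts or tokens, shown by recovering its 48-bit state from two observed outputs and predicting the third; then a plain unsalted hash next to PBKDF2-HMAC-SHA256 from the JDK's SecretKeyFactory with a SecureRandom salt and a constant-time comparison. The passwords and the iteration count are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not course code): weak PRNG state recovery and PBKDF2 password storage.
public final class PasswordStorageDemo {

    // java.util.Random is a 48-bit linear congruential generator with these constants;
    // nextInt() returns the top 32 bits of the new state, so only 16 bits stay hidden.
    private static final long MULT = 0x5DEECE66DL, ADD = 0xBL, MASK = (1L << 48) - 1;

    /** Given two consecutive nextInt() outputs, returns what the third will be. */
    static int predictNextInt(int out1, int out2) {
        long high = (out1 & 0xFFFFFFFFL) << 16;          // known 32 bits of the state after out1
        for (long low = 0; low < (1 << 16); low++) {     // brute-force the 16 hidden bits
            long s1 = high | low;
            long s2 = (s1 * MULT + ADD) & MASK;
            if ((int) (s2 >>> 16) == out2) {
                long s3 = (s2 * MULT + ADD) & MASK;
                return (int) (s3 >>> 16);
            }
        }
        throw new IllegalStateException("inputs are not consecutive java.util.Random outputs");
    }

    // Unsalted fast hash: equal passwords give equal digests and one precomputed
    // table breaks every user at once. Shown only as the contrast.
    static String weakHash(char[] password) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(new String(password).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    private static final int ITERATIONS = 210_000;   // constructed; tune to ~100 ms on the target device
    private static final int SALT_BYTES = 16, KEY_BITS = 256;

    /** Stored record format (constructed): "iterations$base64salt$base64hash". */
    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);              // CSPRNG, never java.util.Random
        byte[] dk = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        int iterations = Integer.parseInt(parts[0]);     // stored per record, so it can be raised later
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);  // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                        // drop the internal copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        Random weak = new Random();                      // e.g. a "random" session token generator
        int o1 = weak.nextInt(), o2 = weak.nextInt();
        System.out.println("predicted " + predictNextInt(o1, o2) + ", actual " + weak.nextInt());

        char[] pw = "correct horse battery staple".toCharArray();   // constructed password
        System.out.println("weak:   " + weakHash(pw) + "  (identical for every user with this password)");
        String record = hashPassword(pw);
        System.out.println("stored: " + record);
        System.out.println("verify right: " + verifyPassword(pw, record));
        System.out.println("verify wrong: " + verifyPassword("wrong".toCharArray(), record));
        Arrays.fill(pw, '\0');                           // clear the secret once it is no longer needed
    }
}
```

Two practical notes. The password is handled as char[] rather than String so it can be wiped; an immutable String stays in the heap until collected, which is the "immutability and security" point above. And the algorithm name passed to SecretKeyFactory is provider-dependent: on Android, confirm which PBKDF2 variants the installed provider offers and how it encodes the password before relying on stored hashes, since a provider change of exactly that kind is what the KitKat item in this section refers to.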

Denial of service

  •             DoS introduction
  •             Asymmetric DoS
  •             SSL/TLS renegotiation DoS
  •             Asymmetric DoS with JSON deserialization
  •             Regular expression DoS (ReDoS)
    •                 Exercise ReDoS
    •                 ReDoS mitigation
    •                 Case study – ReDoS in Stack Exchange
  •             Hashtable collision attack
    •                 Using hashtables to store inputs
    •                 Hashtable collision
    •                 Hashtable collision in Java
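
As an added illustration of the ReDoS items above (written for this page, not course material), the following Java program times a nested-quantifier pattern against a constructed "many a's then a mismatch" payload, shows the unambiguous rewrite that matches the same language in linear time, and implements the mitigation for the case where the pattern cannot be rewritten: a CharSequence wrapper that aborts the match once a deadline passes. The pattern, payload and 200 ms budget are assumptions for the demo.

```java
import java.util.regex.Pattern;

// Added example (not course code): an exponential regex, its safe rewrite, and a
// deadline guard for patterns that cannot be rewritten.
public final class RedosDemo {

    // Nested quantifier: on "aaa…a!" the engine tries every way of splitting the run
    // of a's between the inner and outer groups before it can report failure.
    static final Pattern EVIL = Pattern.compile("^(a+)+$");
    // Same language, no ambiguity: each character has exactly one way to match.
    static final Pattern SAFE = Pattern.compile("^a+$");

    static long millisToMatch(Pattern p, String input) {
        long t0 = System.nanoTime();
        p.matcher(input).matches();
        return (System.nanoTime() - t0) / 1_000_000L;
    }

    /** Thrown from charAt() once the regex has run past its deadline. */
    static final class RegexTimeout extends RuntimeException {}

    // java.util.regex reads its subject through CharSequence.charAt(), so a wrapper
    // that checks the clock on every read can abort a runaway match.
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;
        private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        static DeadlineCharSequence withTimeout(CharSequence s, long timeoutMillis) {
            return new DeadlineCharSequence(s, System.nanoTime() + timeoutMillis * 1_000_000L);
        }
        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) throw new RegexTimeout();
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Returns false when the match is aborted by the deadline; callers should log that event. */
    static boolean matchesWithin(Pattern p, String input, long timeoutMillis) {
        try {
            return p.matcher(DeadlineCharSequence.withTimeout(input, timeoutMillis)).matches();
        } catch (RegexTimeout t) {
            return false;
        }
    }

    /** Constructed attack payload: n a's followed by a character that forces failure. */
    static String attackInput(int n) {
        StringBuilder sb = new StringBuilder(n + 1);
        for (int i = 0; i < n; i++) sb.append('a');
        return sb.append('!').toString();
    }

    public static void main(String[] args) {
        for (int n = 18; n <= 24; n += 2) {      // the EVIL column roughly doubles per extra 'a'
            String s = attackInput(n);
            System.out.printf("n=%d  evil=%d ms  safe=%d ms%n",
                    n, millisToMatch(EVIL, s), millisToMatch(SAFE, s));
        }
        // At n=40 the unguarded match would not finish in any useful time; the guard gives up after 200 ms.
        long t0 = System.nanoTime();
        boolean result = matchesWithin(EVIL, attackInput(40), 200);
        System.out.printf("guarded: result=%b after %d ms%n", result, (System.nanoTime() - t0) / 1_000_000L);
    }
}
```

The deadline wrapper is a safety net, not a fix: the input is still rejected and the CPU time up to the deadline is still spent, so the first mitigation is the rewrite, and the second is bounding input length before the regex ever sees it.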

Security testing techniques and tools

  •             Testing Android code
    •                 Functional testing vs. security testing
    •                 Security vulnerabilities
    •                 Prioritization – risk analysis
    •                 Security in the SDLC
    •                 Security assessments in various SDLC phases
    •                 General testing approaches
    •                 Testing Android code
    •                 Android Lint
    •                 Android Lint – Security features
    •                 Lint exercise
    •                 PMD
    •                 PMD exercise
    •                 FindBugs
    •                 FindBugs exercise
  •             Testing on iOS
    •                 OCLint
    •                 Cppcheck

Principles of security and secure coding

  •             Matt Bishop’s principles of robust programming
  •             The security principles of Saltzer and Schroeder

Knowledge sources

  •             Secure coding sources – a starter kit
  •             Vulnerability databases
  •             Java secure coding sources
  •             Android secure coding sources
  •             iOS secure coding sources @ Apple Developer
  •             Recommended books – Java
  •             Recommended books – Android
  •             Recommended books – iOS


Who it is for
Prerequisites

Professional

Related courses