Mobile Application Security

Book description

Secure today's mobile devices and applications

Implement a systematic approach to security in your mobile application development with help from this practical guide. Featuring case studies, code examples, and best practices, Mobile Application Security details how to protect against vulnerabilities in the latest smartphone and PDA platforms. Maximize isolation, lock down internal and removable storage, work with sandboxing and signing, and encrypt sensitive user information. Safeguards against viruses, worms, malware, and buffer overflow exploits are also covered in this comprehensive resource.

  • Design highly isolated, secure, and authenticated mobile applications
  • Use the Google Android emulator, debugger, and third-party security tools
  • Configure Apple iPhone APIs to prevent overflow and SQL injection attacks
  • Employ private and public key cryptography on Windows Mobile devices
  • Enforce fine-grained security policies using the BlackBerry Enterprise Server
  • Plug holes in Java Mobile Edition, SymbianOS, and WebOS applications
  • Test for XSS, CSRF, HTTP redirects, and phishing attacks on WAP/Mobile HTML applications
  • Identify and eliminate threats from Bluetooth, SMS, and GPS services

Himanshu Dwivedi is a co-founder of iSEC Partners (www.isecpartners.com), an information security firm specializing in application security. Chris Clark is a principal security consultant with iSEC Partners. David Thiel is a principal security consultant with iSEC Partners.

Table of contents

  1. Cover Page
  2. Mobile Application Security
  3. Copyright Page
  4. About the Authors
  5. Dedication
  6. Contents
  7. Acknowledgments
  8. Introduction
  9. Part I Mobile Platforms
    1. Chapter 1 Top Mobile Issues and Development Strategies
      1. Top Issues Facing Mobile Devices
        1. Physical Security
        2. Secure Data Storage (on Disk)
        3. Strong Authentication with Poor Keyboards
        4. Multiple-User Support with Security
        5. Safe Browsing Environment
        6. Secure Operating Systems
        7. Application Isolation
        8. Information Disclosure
        9. Virus, Worms, Trojans, Spyware, and Malware
        10. Difficult Patching/Update Process
        11. Strict Use and Enforcement of SSL
        12. Phishing
        13. Cross-Site Request Forgery (CSRF)
        14. Location Privacy/Security
        15. Insecure Device Drivers
        16. Multifactor Authentication
      2. Tips for Secure Mobile Application Development
        1. Leverage TLS/SSL
        2. Follow Secure Programming Practices
        3. Validate Input
        4. Leverage the Permissions Model Used by the OS
        5. Use the Least Privilege Model for System Access
        6. Store Sensitive Information Properly
        7. Sign the Application’s Code
        8. Figure Out a Secure and Strong Update Process
        9. Understand the Mobile Browser’s Security Strengths and Limitations
        10. Zero Out the Nonthreats
        11. Use Secure/Intuitive Mobile URLs
      3. Conclusion
    2. Chapter 2 Android Security
      1. Development and Debugging on Android
      2. Android’s Securable IPC Mechanisms
        1. Activities
        2. Broadcasts
        3. Services
        4. ContentProviders
        5. Binder
      3. Android’s Security Model
      4. Android Permissions Review
      5. Creating New Manifest Permissions
      6. Intents
        1. Intent Review
        2. IntentFilters
      7. Activities
      8. Broadcasts
        1. Receiving Broadcast Intents
        2. Safely Sending Broadcast Intents
        3. Sticky Broadcasts
      9. Services
      10. ContentProviders
      11. Avoiding SQL Injection
      12. Intent Reflection
      13. Files and Preferences
      14. Mass Storage
      15. Binder Interfaces
        1. Security by Caller Permission or Identity Checking
        2. Binder Reference Security
      16. Android Security Tools
        1. Manifest Explorer
        2. Package Play
        3. Intent Sniffer
        4. Intent Fuzzer
      17. Conclusion
    3. Chapter 3 The Apple iPhone
      1. History
        1. The iPhone and OS X
        2. Breaking Out, Breaking In
        3. iPhone SDK
        4. Future
      2. Development
        1. Decompilation and Disassembly
        2. Preventing Reverse-Engineering
      3. Security Testing
        1. Buffer Overflows
        2. Integer Overflows
        3. Format String Attacks
        4. Double-Frees
        5. Static Analysis
      4. Application Format
        1. Build and Packaging
        2. Distribution: The Apple Store
        3. Code Signing
        4. Executing Unsigned Code
      5. Permissions and User Controls
        1. Sandboxing
        2. Exploit Mitigation
        3. Permissions
      6. Local Data Storage: Files, Permissions, and Encryption
        1. SQLite Storage
        2. iPhone Keychain Storage
        3. Shared Keychain Storage
        4. Adding Certificates to the Certificate Store
        5. Acquiring Entropy
      7. Networking
        1. The URL Loading API
        2. NSStreams
        3. Peer to Peer (P2P)
      8. Push Notifications, Copy/Paste, and Other IPC
        1. Push Notifications
        2. UIPasteboard
      9. Conclusion
    4. Chapter 4 Windows Mobile Security
      1. Introduction to the Platform
        1. Relation to Windows CE
        2. Device Architecture
        3. Device Storage
      2. Kernel Architecture
        1. Memory Layout
        2. Windows CE Processes
        3. Services
        4. Objects
        5. Kernel Mode and User Mode
      3. Development and Security Testing
        1. Coding Environments and SDKs
        2. Emulator
        3. Debugging
        4. Disassembly
        5. Code Security
        6. Application Packaging and Distribution
      4. Permissions and User Controls
        1. Privileged and Normal Mode
        2. Authenticode, Signatures, and Certificates
        3. Public Key Cryptography
        4. Running Applications
        5. Locking Devices
        6. Managing Device Security Policy
      5. Local Data Storage
        1. Files and Permissions
        2. Stolen Device Protections
        3. Structured Storage
        4. Encrypted and Device Secured Storage
      6. Networking
        1. Connection Manager
        2. WinSock
        3. IrDA
        4. Bluetooth
        5. HTTP and SSL
      7. Conclusion
    5. Chapter 5 BlackBerry Security
      1. Introduction to Platform
        1. BlackBerry Enterprise Server (BES)
        2. BlackBerry Internet Service (BIS)
      2. Device and OS Architecture
      3. Development and Security Testing
        1. Coding Environment
        2. Simulator
        3. Debugging
        4. Disassembly
        5. Code Security
        6. Application Packaging and Distribution
      4. Permissions and User Controls
        1. RIM Controlled APIs
        2. Carrier and MIDLet Signatures
        3. Handling Permission Errors in MIDP Applications
        4. Locking Devices
        5. Managing Application Permissions
      5. Local Data Storage
        1. Files and Permissions
        2. Programmatic File System Access
        3. Structured Storage
        4. Encrypted and Device Secured Storage
      6. Networking
        1. Device Firewall
        2. SSL and WTLS
      7. Conclusion
    6. Chapter 6 Java Mobile Edition Security
      1. Standards Development
      2. Configurations, Profiles, and JSRs
        1. Configurations
        2. Profiles
        3. Optional Packages
      3. Development and Security Testing
        1. Configuring a Development Environment and Installing New Platforms
        2. Emulator
        3. Emulator and Data Execution Protection
        4. Reverse Engineering and Debugging
        5. Hiding Cryptographic Secrets
        6. Code Security
        7. Application Packaging and Distribution
      4. Permissions and User Controls
        1. Data Access
      5. Conclusion
    7. Chapter 7 SymbianOS Security
      1. Introduction to the Platform
        1. Device Architecture
        2. Device Storage
      2. Development and Security Testing
        1. Development Environment
        2. Software Development Kits
        3. Emulator
        4. Debugging
        5. IDA Pro
      3. Code Security
        1. Symbian C++
        2. P.I.P.S and OpenC
      4. Application Packaging
        1. Executable Image Format
        2. Installation Packages
        3. Signatures
        4. Symbian Signed
        5. Installation
      5. Permissions and User Controls
        1. Capabilities Overview
        2. Executable Image Capabilities
        3. Process Capabilities
        4. Capabilities Between Processes
      6. Interprocess Communication
        1. Client/Server Sessions
        2. Shared Sessions
        3. Shared Handles
      7. Persistent Data Storage
        1. File Storage
        2. Structured Storage
        3. Encrypted Storage
      8. Conclusion
    8. Chapter 8 WebOS Security
      1. Introduction to the Platform
        1. WebOS System Architecture
        2. Model-View-Controller
        3. Stages and Scenes, Assistants and Views
      2. Development and Security Testing
        1. Developer Mode
        2. Accessing Linux
        3. Emulator
        4. Debugging and Disassembly
      3. Code Security
        1. Script Injection
        2. Direct Evaluation
        3. Programmatic Data Injection
        4. Avoiding innerHTML and update() Injections
        5. Template Injection
        6. Local Data Injection
        7. Application Packaging
      4. Permissions and User Controls
        1. Storage
        2. Networking
      5. Conclusion
  10. Part II Mobile Services
    1. Chapter 9 WAP and Mobile HTML Security
      1. WAP and Mobile HTML Basics
      2. Authentication on WAP/Mobile HTML Sites
      3. Encryption
        1. WAP 1.0
        2. SSL and WAP 2.0
      4. Application Attacks on Mobile HTML Sites
        1. Cross-Site Scripting
        2. SQL Injection
        3. Cross-Site Request Forgery
        4. HTTP Redirects
        5. Phishing
        6. Session Fixation
        7. Non-SSL Login
      5. WAP and Mobile Browser Weaknesses
        1. Lack of HTTPOnly Flag Support
        2. Lack of SECURE Flag Support
        3. Handling Browser Cache
        4. WAP Limitations
      6. Conclusion
    2. Chapter 10 Bluetooth Security
      1. Overview of the Technology
        1. History and Standards
        2. Common Uses
        3. Alternatives
        4. Future
      2. Bluetooth Technical Architecture
        1. Radio Operation and Frequency
        2. Bluetooth Network Topology
        3. Device Identification
        4. Modes of Operation
        5. Bluetooth Stack
        6. Bluetooth Profiles
      3. Bluetooth Security Features
        1. Pairing
        2. Traditional Security Services in Bluetooth
        3. Security “Non-Features”
      4. Threats to Bluetooth Devices and Networks
      5. Bluetooth Vulnerabilities
        1. Bluetooth Versions Prior to v1.2
        2. Bluetooth Versions Prior to v2.1
        3. All Versions
      6. Recommendations
    3. Chapter 11 SMS Security
      1. Overview of Short Message Service
      2. Overview of Multimedia Messaging Service
        1. Wireless Application Protocol (WAP)
      3. Protocol Attacks
        1. Abusing Legitimate Functionality
        2. Attacking Protocol Implementations
      4. Application Attacks
        1. iPhone Safari
        2. Windows Mobile MMS
        3. Motorola RAZR JPG Overflow
      5. Walkthroughs
        1. Sending PDUs
        2. Converting XML to WBXML
      6. Conclusion
    4. Chapter 12 Mobile Geolocation
      1. Geolocation Methods
        1. Tower Triangulation
        2. GPS
        3. 802.11
      2. Geolocation Implementation
        1. Android
        2. iPhone
        3. Windows Mobile
      3. Geolocation Implementation
        1. Symbian
        2. BlackBerry
      4. Risks of Geolocation Services
        1. Risks to the End User
        2. Risks to Service Providers
      5. Geolocation Best Practices
    5. Chapter 13 Enterprise Security on the Mobile OS
      1. Device Security Options
        1. PIN
        2. Remote Wipe
      2. Secure Local Storage
        1. Apple iPhone and Keychain
      3. Security Policy Enforcement
      4. Encryption
        1. Full Disk Encryption
        2. E-mail Encryption
        3. File Encryption
      5. Application Sandboxing, Signing, and Permissions
        1. Application Sandboxing
        2. Application Signing
        3. Permissions
      6. Buffer Overflow Protection
        1. Windows Mobile
        2. iPhone
        3. Android
        4. BlackBerry
      7. Security Feature Summary
      8. Conclusion
  11. Part III Appendixes
    1. Appendix A Mobile Malware
      1. A Tour of Important Past Malware
        1. Cabir
        2. Commwarrior
        3. Beselo.B
        4. Trojan.Redbrowser.A
        5. WinCE/Brador.a
        6. WinCE/Infojack
        7. SMS.Python.Flocker
        8. Yxes.A
        9. Others
      2. Threat Scenarios
        1. Fake Firmware
        2. Classic Trojans
        3. Worms
        4. Ransomware
      3. Mitigating Mobile Malware Mayhem
        1. For End Users
      4. For Developers and Platform Vendors
    2. Appendix B Mobile Security Penetration Testing Tools
      1. Mobile Platform Attack Tools and Utilities
        1. Manifest Explorer
        2. Package Play
        3. Intent Sniffer
        4. Intent Fuzzer
        5. pySimReader
      2. Browser Extensions
        1. WMLBrowser
        2. User Agent Switcher
        3. FoxyProxy
        4. TamperData
        5. Live HTTP Headers
        6. Web Developer
        7. Firebug
      3. Networking Tools
        1. Wireshark
        2. Tcpdump
        3. Scapy
      4. Web Application Tools
        1. WebScarab
        2. Gizmo
      5. Fuzzing Frameworks
        1. Peach
        2. Sulley
      6. General Utilities
        1. Hachoir
      7. VBinDiff
  12. Index

Product information

  • Title: Mobile Application Security
  • Author(s): David Thiel, Chris Clark, Himanshu Dwivedi
  • Release date: February 2010
  • Publisher(s): McGraw-Hill
  • ISBN: 9780071633574