O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

The Mobile Application Hacker's Handbook

Book Description

See your app through a hacker's eyes to find the real sources of vulnerability

The Mobile Application Hacker's Handbook is a comprehensive guide to securing all mobile applications by approaching the issue from a hacker's point of view. Heavily practical, this book provides expert guidance toward discovering and exploiting flaws in mobile applications on the iOS, Android, Blackberry, and Windows Phone platforms. You will learn a proven methodology for approaching mobile application assessments, and the techniques used to prevent, disrupt, and remediate the various types of attacks. Coverage includes data storage, cryptography, transport layers, data leakage, injection attacks, runtime manipulation, security controls, and cross-platform apps, with vulnerabilities highlighted and detailed information on the methods hackers use to get around standard security.

Mobile applications are widely used in the consumer and enterprise markets to process and/or store sensitive data. There is currently little published on the topic of mobile security, but with over a million apps in the Apple App Store alone, the attack surface is significant. This book helps you secure mobile apps by demonstrating the ways in which hackers exploit weak points and flaws to gain access to data.

  • Understand the ways data can be stored, and how cryptography is defeated

  • Set up an environment for identifying insecurities and the data leakages that arise

  • Develop extensions to bypass security controls and perform injection attacks

  • Learn the different attacks that apply specifically to cross-platform apps

  • IT security breaches have made big headlines, with millions of consumers vulnerable as major corporations come under attack. Learning the tricks of the hacker's trade allows security professionals to lock the app up tight. For better mobile security and less vulnerable data, The Mobile Application Hacker's Handbook is a practical, comprehensive guide.

    Table of Contents

    1. Introduction
      1. Overview of This Book
      2. How This Book Is Organized
      3. Who Should Read This Book
      4. Tools You Will Need
      5. What's on the Website
    2. Chapter 1 Mobile Application (In)security
      1. The Evolution of Mobile Applications
      2. Mobile Application Security
      3. Summary
    3. Chapter 2 Analyzing iOS Applications
      1. Understanding the Security Model
      2. Understanding iOS Applications
      3. Jailbreaking Explained
      4. Understanding the Data Protection API
      5. Understanding the iOS Keychain
      6. Understanding Touch ID
      7. Reverse Engineering iOS Binaries
      8. Summary
    4. Chapter 3 Attacking iOS Applications
      1. Introduction to Transport Security
      2. Identifying Insecure Storage
      3. Patching iOS Applications with Hopper
      4. Attacking the iOS Runtime
      5. Understanding Interprocess Communication
      6. Attacking Using Injection
      7. Summary
    5. Chapter 4 Identifying iOS Implementation Insecurities
      1. Disclosing Personally Identifiable Information
      2. Identifying Data Leaks
      3. Memory Corruption in iOS Applications
      4. Summary
    6. Chapter 5 Writing Secure iOS Applications
      1. Protecting Data in Your Application
      2. Avoiding Injection Vulnerabilities
      3. Securing Your Application with Binary Protections
      4. Summary
    7. Chapter 6 Analyzing Android Applications
      1. Creating Your First Android Environment
      2. Understanding Android Applications
      3. Understanding the Security Model
      4. Reverse-Engineering Applications
      5. Summary
    8. Chapter 7 Attacking Android Applications
      1. Exposing Security Model Quirks
      2. Attacking Application Components
      3. Accessing Storage and Logging
      4. Misusing Insecure Communications
      5. Exploiting Other Vectors
      6. Additional Testing Techniques
      7. Summary
    9. Chapter 8 Identifying and Exploiting Android Implementation Issues
      1. Reviewing Pre-Installed Applications
      2. Exploiting Devices
      3. Infiltrating User Data
      4. Summary
    10. Chapter 9 Writing Secure Android Applications
      1. Principle of Least Exposure
      2. Essential Security Mechanisms
      3. Advanced Security Mechanisms
      4. Slowing Down a Reverse Engineer
      5. Summary
    11. Chapter 10 Analyzing Windows Phone Applications
      1. Understanding the Security Model
      2. Understanding Windows Phone 8.x Applications
      3. Building a Test Environment
      4. Analyzing Application Binaries
      5. Summary
    12. Chapter 11 Attacking Windows Phone Applications
      1. Analyzing for Data Entry Points
      2. Attacking Transport Security
      3. Attacking WebBrowser and WebView Controls
      4. Identifying Interprocess Communication Vulnerabilities
      5. Attacking XML Parsing
      6. Attacking Databases
      7. Attacking File Handling
      8. Patching .NET Assemblies
      9. Summary
    13. Chapter 12 Identifying Windows Phone Implementation Issues
      1. Identifying Insecure Application Settings Storage
      2. Identifying Data Leaks
      3. Identifying Insecure Data Storage
      4. Insecure Random Number Generation
      5. Insecure Cryptography and Password Use
      6. Identifying Native Code Vulnerabilities
      7. Summary
    14. Chapter 13 Writing Secure Windows Phone Applications
      1. General Security Design Considerations
      2. Storing and Encrypting Data Securely
      3. Secure Random Number Generation
      4. Securing Data in Memory and Wiping Memory
      5. Avoiding SQLite Injection
      6. Implementing Secure Communications
      7. Avoiding Cross-Site Scripting in WebViews and WebBrowser Components
      8. Secure XML Parsing
      9. Clearing Web Cache and Web Cookies
      10. Avoiding Native Code Bugs
      11. Using Exploit Mitigation Features
      12. Summary
    15. Chapter 14 Analyzing BlackBerry Applications
      1. Understanding BlackBerry Legacy
      2. Understanding BlackBerry 10
      3. Understanding the BlackBerry 10 Security Model
      4. BlackBerry 10 Jailbreaking
      5. Using Developer Mode
      6. The BlackBerry 10 Device Simulator
      7. Accessing App Data from a Device
      8. Accessing BAR Files
      9. Looking at Applications
      10. Summary
    16. Chapter 15 Attacking BlackBerry Applications
      1. Traversing Trust Boundaries
      2. Summary
    17. Chapter 16 Identifying BlackBerry Application Issues
      1. Limiting Excessive Permissions
      2. Resolving Data Storage Issues
      3. Checking Data Transmission
      4. Handling Personally Identifiable Information and Privacy
      5. Ensuring Secure Development
      6. Summary
    18. Chapter 17 Writing Secure BlackBerry Applications
      1. Securing BlackBerry OS 7.x and Earlier Legacy Java Applications
      2. Securing BlackBerry 10 Native Applications
      3. Securing BlackBerry 10 Cascades Applications
      4. Securing BlackBerry 10 HTML5 and JavaScript (WebWorks) Applications
      5. Securing Android Applications on BlackBerry 10
      6. Summary
    19. Chapter 18 Cross-Platform Mobile Applications
      1. Introduction to Cross-Platform Mobile Applications
      2. Bridging Native Functionality
      3. Exploring PhoneGap and Apache Cordova
      4. Summary
    20. Title page
    21. Copyright
    22. Dedication
    23. About the Authors
    24. About the Technical Editor
    25. Credits
    26. Acknowledgments
    27. EULA