Mobile Application Security
Protecting Mobile Devices and Their Applications
1st Edition
Published on 15. January 2010
415 pages
978-0-07-163357-4 (ISBN)
Description
Secure today's mobile devices and applications Implement a systematic approach to security in your mobile application development with help from this practical guide. Featuring case studies, code examples, and best practices, Mobile Application Security details how to protect against vulnerabilities in the latest smartphone and PDA platforms. Maximize isolation, lockdown internal and removable storage, work with sandboxing and signing, and encrypt sensitive user information. Safeguards against viruses, worms, malware, and buffer overflow exploits are also covered in this comprehensive resource. Design highly isolated, secure, and authenticated mobile applications Use the Google Android emulator, debugger, and third-party security tools Configure Apple iPhone APIs to prevent overflow and SQL injection attacks Employ private and public key cryptography on Windows Mobile devices Enforce fine-grained security policies using the BlackBerry Enterprise Server Plug holes in Java Mobile Edition, SymbianOS, and WebOS applications Test for XSS, CSRF, HTTP redirects, and phishing attacks on WAP/Mobile HTML applications Identify and eliminate threats from Bluetooth, SMS, and GPS services Himanshu Dwivedi is a co-founder of iSEC Partners (www.isecpartners.com), an information security firm specializing in application security. Chris Clark is a principal security consultant with iSEC Partners. David Thiel is a principal security consultant with iSEC Partners.
More details
Other editions
Additional editions
Himanshu Dwivedi | Chris Clark | David Thiel
Mobile Application Security
VS ePub for Mobile Application Security
Book
03/2010
Osborne/McGraw-Hill
€55.70
Shipment within 15-20 days
Content
- Cover Page
- Mobile Application Security
- Copyright Page
- About the Authors
- Dedication
- Contents
- Acknowledgments
- Introduction
- Part I Mobile Platforms
- Chapter 1 Top Mobile Issues and Development Strategies
- Top Issues Facing Mobile Devices
- Physical Security
- Secure Data Storage (on Disk)
- Strong Authentication with Poor Keyboards
- Multiple-User Support with Security
- Safe Browsing Environment
- Secure Operating Systems
- Application Isolation
- Information Disclosure
- Virus, Worms, Trojans, Spyware, and Malware
- Difficult Patching/Update Process
- Strict Use and Enforcement of SSL
- Phishing
- Cross-Site Request Forgery (CSRF)
- Location Privacy/Security
- Insecure Device Drivers
- Multifactor Authentication
- Tips for Secure Mobile Application Development
- Leverage TLS/SSL
- Follow Secure Programming Practices
- Validate Input
- Leverage the Permissions Model Used by the OS
- Use the Least Privilege Model for System Access
- Store Sensitive Information Properly
- Sign the Application's Code
- Figure Out a Secure and Strong Update Process
- Understand the Mobile Browser's Security Strengths and Limitations
- Zero Out the Nonthreats
- Use Secure/Intuitive Mobile URLs
- Conclusion
- Chapter 2 Android Security
- Development and Debugging on Android
- Android's Securable IPC Mechanisms
- Activities
- Broadcasts
- Services
- ContentProviders
- Binder
- Android's Security Model
- Android Permissions Review
- Creating New Manifest Permissions
- Intents
- Intent Review
- IntentFilters
- Activities
- Broadcasts
- Receiving Broadcast Intents
- Safely Sending Broadcast Intents
- Sticky Broadcasts
- Services
- ContentProviders
- Avoiding SQL Injection
- Intent Reflection
- Files and Preferences
- Mass Storage
- Binder Interfaces
- Security by Caller Permission or Identity Checking
- Binder Reference Security
- Android Security Tools
- Manifest Explorer
- Package Play
- Intent Sniffer
- Intent Fuzzer
- Conclusion
- Chapter 3 The Apple iPhone
- History
- The iPhone and OS X
- Breaking Out, Breaking In
- iPhone SDK
- Future
- Development
- Decompilation and Disassembly
- Preventing Reverse-Engineering
- Security Testing
- Buffer Overflows
- Integer Overflows
- Format String Attacks
- Double-Frees
- Static Analysis
- Application Format
- Build and Packaging
- Distribution: The Apple Store
- Code Signing
- Executing Unsigned Code
- Permissions and User Controls
- Sandboxing
- Exploit Mitigation
- Permissions
- Local Data Storage: Files, Permissions, and Encryption
- SQLite Storage
- iPhone Keychain Storage
- Shared Keychain Storage
- Adding Certificates to the Certificate Store
- Acquiring Entropy
- Networking
- The URL Loading API
- NSStreams
- Peer to Peer (P2P)
- Push Notifications, Copy/Paste, and Other IPC
- Push Notifications
- UIPasteboard
- Conclusion
- Chapter 4 Windows Mobile Security
- Introduction to the Platform
- Relation to Windows CE
- Device Architecture
- Device Storage
- Kernel Architecture
- Memory Layout
- Windows CE Processes
- Services
- Objects
- Kernel Mode and User Mode
- Development and Security Testing
- Coding Environments and SDKs
- Emulator
- Debugging
- Disassembly
- Code Security
- Application Packaging and Distribution
- Permissions and User Controls
- Privileged and Normal Mode
- Authenticode, Signatures, and Certificates
- Public Key Cryptography
- Running Applications
- Locking Devices
- Managing Device Security Policy
- Local Data Storage
- Files and Permissions
- Stolen Device Protections
- Structured Storage
- Encrypted and Device Secured Storage
- Networking
- Connection Manager
- WinSock
- IrDA
- Bluetooth
- HTTP and SSL
- Conclusion
- Chapter 5 BlackBerry Security
- Introduction to Platform
- BlackBerry Enterprise Server (BES)
- BlackBerry Internet Service (BIS)
- Device and OS Architecture
- Development and Security Testing
- Coding Environment
- Simulator
- Debugging
- Disassembly
- Code Security
- Application Packaging and Distribution
- Permissions and User Controls
- RIM Controlled APIs
- Carrier and MIDLet Signatures
- Handling Permission Errors in MIDP Applications
- Locking Devices
- Managing Application Permissions
- Local Data Storage
- Files and Permissions
- Programmatic File System Access
- Structured Storage
- Encrypted and Device Secured Storage
- Networking
- Device Firewall
- SSL and WTLS
- Conclusion
- Chapter 6 Java Mobile Edition Security
- Standards Development
- Configurations, Profiles, and JSRs
- Configurations
- Profiles
- Optional Packages
- Development and Security Testing
- Configuring a Development Environment and Installing New Platforms
- Emulator
- Emulator and Data Execution Protection
- Reverse Engineering and Debugging
- Hiding Cryptographic Secrets
- Code Security
- Application Packaging and Distribution
- Permissions and User Controls
- Data Access
- Conclusion
- Chapter 7 SymbianOS Security
- Introduction to the Platform
- Device Architecture
- Device Storage
- Development and Security Testing
- Development Environment
- Software Development Kits
- Emulator
- Debugging
- IDA Pro
- Code Security
- Symbian C++
- P.I.P.S and OpenC
- Application Packaging
- Executable Image Format
- Installation Packages
- Signatures
- Symbian Signed
- Installation
- Permissions and User Controls
- Capabilities Overview
- Executable Image Capabilities
- Process Capabilities
- Capabilities Between Processes
- Interprocess Communication
- Client/Server Sessions
- Shared Sessions
- Shared Handles
- Persistent Data Storage
- File Storage
- Structured Storage
- Encrypted Storage
- Conclusion
- Chapter 8 WebOS Security
- Introduction to the Platform
- WebOS System Architecture
- Model-View-Controller
- Stages and Scenes, Assistants and Views
- Development and Security Testing
- Developer Mode
- Accessing Linux
- Emulator
- Debugging and Disassembly
- Code Security
- Script Injection
- Direct Evaluation
- Programmatic Data Injection
- Avoiding innerHTML and update() Injections
- Template Injection
- Local Data Injection
- Application Packaging
- Permissions and User Controls
- Storage
- Networking
- Conclusion
- Part II Mobile Services
- Chapter 9 WAP and Mobile HTML Security
- WAP and Mobile HTML Basics
- Authentication on WAP/Mobile HTML Sites
- Encryption
- WAP 1.0
- SSL and WAP 2.0
- Application Attacks on Mobile HTML Sites
- Cross-Site Scripting
- SQL Injection
- Cross-Site Request Forgery
- HTTP Redirects
- Phishing
- Session Fixation
- Non-SSL Login
- WAP and Mobile Browser Weaknesses
- Lack of HTTPOnly Flag Support
- Lack of SECURE Flag Support
- Handling Browser Cache
- WAP Limitations
- Conclusion
- Chapter 10 Bluetooth Security
- Overview of the Technology
- History and Standards
- Common Uses
- Alternatives
- Future
- Bluetooth Technical Architecture
- Radio Operation and Frequency
- Bluetooth Network Topology
- Device Identification
- Modes of Operation
- Bluetooth Stack
- Bluetooth Profiles
- Bluetooth Security Features
- Pairing
- Traditional Security Services in Bluetooth
- Security "Non-Features"
- Threats to Bluetooth Devices and Networks
- Bluetooth Vulnerabilities
- Bluetooth Versions Prior to v1.2
- Bluetooth Versions Prior to v2.1
- All Versions
- Recommendations
- Chapter 11 SMS Security
- Overview of Short Message Service
- Overview of Multimedia Messaging Service
- Wireless Application Protocol (WAP)
- Protocol Attacks
- Abusing Legitimate Functionality
- Attacking Protocol Implementations
- Application Attacks
- iPhone Safari
- Windows Mobile MMS
- Motorola RAZR JPG Overflow
- Walkthroughs
- Sending PDUs
- Converting XML to WBXML
- Conclusion
- Chapter 12 Mobile Geolocation
- Geolocation Methods
- Tower Triangulation
- GPS
- 802.11
- Geolocation Implementation
- Android
- iPhone
- Windows Mobile
- Geolocation Implementation
- Symbian
- BlackBerry
- Risks of Geolocation Services
- Risks to the End User
- Risks to Service Providers
- Geolocation Best Practices
- Chapter 13 Enterprise Security on the Mobile OS
- Device Security Options
- PIN
- Remote Wipe
- Secure Local Storage
- Apple iPhone and Keychain
- Security Policy Enforcement
- Encryption
- Full Disk Encryption
- E-mail Encryption
- File Encryption
- Application Sandboxing, Signing, and Permissions
- Application Sandboxing
- Application Signing
- Permissions
- Buffer Overflow Protection
- Windows Mobile
- iPhone
- Android
- BlackBerry
- Security Feature Summary
- Conclusion
- Part III Appendixes
- Appendix A Mobile Malware
- A Tour of Important Past Malware
- Cabir
- Commwarrior
- Beselo.B
- Trojan.Redbrowser.A
- WinCE/Brador.a
- WinCE/Infojack
- SMS.Python.Flocker
- Yxes.A
- Others
- Threat Scenarios
- Fake Firmware
- Classic Trojans
- Worms
- Ransomware
- Mitigating Mobile Malware Mayhem
- For End Users
- For Developers and Platform Vendors
- Appendix B Mobile Security Penetration Testing Tools
- Mobile Platform Attack Tools and Utilities
- Manifest Explorer
- Package Play
- Intent Sniffer
- Intent Fuzzer
- pySimReader
- Browser Extensions
- WMLBrowser
- User Agent Switcher
- FoxyProxy
- TamperData
- Live HTTP Headers
- Web Developer
- Firebug
- Networking Tools
- Wireshark
- Tcpdump
- Scapy
- Web Application Tools
- WebScarab
- Gizmo
- Fuzzing Frameworks
- Peach
- Sulley
- General Utilities
- Hachoir
- VBinDiff
- Index
