Advanced Security

Defending Mobile

Course Learning Objectives

  • Learn to communicate the business risks of developing mobile apps for any platform.
  • Discover the risks to mobile apps as they relate to the important security concepts of data at rest, data in transit and data at runtime.
  • Describe how the threat landscape of a mobile device differs from what we know today for web applications, and explain the OWASP Mobile Top 10.


In this code-agnostic course, students will learn the mobile security concepts needed to build more secure mobile applications. We will dive into the risks of developing insecure mobile applications and how attackers can target the app, the infrastructure and the mobile device itself. Students will learn about the current threat landscape across the different mobile operating systems, the unofficial means of loading applications onto devices, and the business risk of shipping insecure mobile applications. The course then deep-dives into three key categories of business risk. Data at rest covers protecting the data the application stores on the mobile device, including preferences, databases and more. Data in transit covers protecting the transmission of data from your app to your servers, including hardening your protocols. Data at runtime covers protecting the application and its memory while it is running on the device. Each of these security concepts helps students build stronger, more resilient mobile applications.


Mobile application developers / Mobile application architects

Time Required

Tailored learning - 60 minutes total

Course Outline

  1. Module 1 - Fundamental risks to mobile applications
    • Current state of mobile applications
    • Which platforms are major targets
    • Mobile Threat landscape
    • Newsflash: Top mobile apps put data at risk
    • How users receive apps
    • Newsflash: iOS isn’t invulnerable
    • Untrusted means of loading applications
    • Assume the user is untrusted
  2. Module 2 - The business risks to mobile applications
    • About
    • Business Risks
    • Application Security
    • Native application risks
    • End-server application risks
    • Communication application risks
    • Data handling application risks
    • A&A application risks
    • Typical Mobile architecture
    • Top mobile threats (OWASP Mobile 2013)
    • A mapping of the top threats
    • Newsflash - user information disclosure
    • Mobile risks in the context of the business
  3. Module 3 - Protecting data at rest
    • Insecurely storing data
    • The challenge of file-system security
    • Newsflash - stored plain text passwords
    • Defenses
    • Stored credential best practices
    • Request authentication
    • Delegate authorization
    • File Storage best practices
    • Don't store sensitive data
    • Password based key derivation function
  4. Module 4 - Protecting data in transit
    • About data in transit
    • Disclosure of traffic and protocols
    • Dissecting protocol
    • How hackers exploit mobile APIs
    • Defenses
    • Encryption
    • Hardening APIs
    • Managing authorization and sessions
  5. Module 5 - Protecting data at runtime
    • Sidestepping logic
    • Memory attacks
    • Reverse engineering
    • URI / Resource sharing attacks
    • Newsflash: iOS URI issue
    • Defenses
    • Protect your app binaries
    • Clear memory after sensitive operations
    • Enforce authorization on internal windows

$200.00 (prices shown in USD)