Details

The Mobile Application Hacker's Handbook

1st edition

by: Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse

48,99 €

Publisher: Wiley
Format: PDF
Published: 11.06.2015
ISBN/EAN: 9781118958520
Language: English
Number of pages: 816

DRM-protected eBook; to read it you need e.g. Adobe Digital Editions and an Adobe ID.

Descriptions

<b>See your app through a hacker's eyes to find the real sources of vulnerability</b>
<p><i>The Mobile Application Hacker's Handbook</i> is a comprehensive guide to securing all mobile applications by approaching the issue from a hacker's point of view. Heavily practical, this book provides expert guidance toward discovering and exploiting flaws in mobile applications on the iOS, Android, BlackBerry, and Windows Phone platforms. You will learn a proven methodology for approaching mobile application assessments, and the techniques used to prevent, disrupt, and remediate the various types of attacks. Coverage includes data storage, cryptography, transport layers, data leakage, injection attacks, runtime manipulation, security controls, and cross-platform apps, with vulnerabilities highlighted and detailed information on the methods hackers use to get around standard security.</p>
<p>Mobile applications are widely used in the consumer and enterprise markets to process and/or store sensitive data. There is currently little published on the topic of mobile security, but with over a million apps in the Apple App Store alone, the attack surface is significant. This book helps you secure mobile apps by demonstrating the ways in which hackers exploit weak points and flaws to gain access to data.</p>
<ul>
<li>Understand the ways data can be stored, and how cryptography is defeated</li>
<li>Set up an environment for identifying insecurities and the data leakages that arise</li>
<li>Develop extensions to bypass security controls and perform injection attacks</li>
<li>Learn the different attacks that apply specifically to cross-platform apps</li>
</ul>
<p>IT security breaches have made big headlines, with millions of consumers vulnerable as major corporations come under attack. Learning the tricks of the hacker's trade allows security professionals to lock the app up tight. For better mobile security and less vulnerable data, <i>The Mobile Application Hacker's Handbook</i> is a practical, comprehensive guide.</p>
<p>Introduction xxxi</p>
<p><b>Chapter 1 Mobile Application (In)security 1</b></p>
<p>The Evolution of Mobile Applications 2</p>
<p>Mobile Application Security 4</p>
<p>Summary 15</p>
<p><b>Chapter 2 Analyzing iOS Applications 17</b></p>
<p>Understanding the Security Model 17</p>
<p>Understanding iOS Applications 22</p>
<p>Jailbreaking Explained 29</p>
<p>Understanding the Data Protection API 43</p>
<p>Understanding the iOS Keychain 46</p>
<p>Understanding Touch ID 51</p>
<p>Reverse Engineering iOS Binaries 53</p>
<p>Summary 67</p>
<p><b>Chapter 3 Attacking iOS Applications 69</b></p>
<p>Introduction to Transport Security 69</p>
<p>Identifying Insecure Storage 81</p>
<p>Patching iOS Applications with Hopper 85</p>
<p>Attacking the iOS Runtime 92</p>
<p>Understanding Interprocess Communication 118</p>
<p>Attacking Using Injection 123</p>
<p>Summary 131</p>
<p><b>Chapter 4 Identifying iOS Implementation Insecurities 133</b></p>
<p>Disclosing Personally Identifiable Information 133</p>
<p>Identifying Data Leaks 136</p>
<p>Memory Corruption in iOS Applications 142</p>
<p>Summary 146</p>
<p><b>Chapter 5 Writing Secure iOS Applications 149</b></p>
<p>Protecting Data in Your Application 149</p>
<p>Avoiding Injection Vulnerabilities 156</p>
<p>Securing Your Application with Binary Protections 158</p>
<p>Summary 170</p>
<p><b>Chapter 6 Analyzing Android Applications 173</b></p>
<p>Creating Your First Android Environment 174</p>
<p>Understanding Android Applications 179</p>
<p>Understanding the Security Model 206</p>
<p>Reverse-Engineering Applications 233</p>
<p>Summary 246</p>
<p><b>Chapter 7 Attacking Android Applications 247</b></p>
<p>Exposing Security Model Quirks 248</p>
<p>Attacking Application Components 255</p>
<p>Accessing Storage and Logging 304</p>
<p>Misusing Insecure Communications 312</p>
<p>Exploiting Other Vectors 326</p>
<p>Additional Testing Techniques 341</p>
<p>Summary 351</p>
<p><b>Chapter 8 Identifying and Exploiting Android Implementation Issues 353</b></p>
<p>Reviewing Pre-Installed Applications 353</p>
<p>Exploiting Devices 365</p>
<p>Infiltrating User Data 416</p>
<p>Summary 426</p>
<p><b>Chapter 9 Writing Secure Android Applications 427</b></p>
<p>Principle of Least Exposure 427</p>
<p>Essential Security Mechanisms 429</p>
<p>Advanced Security Mechanisms 450</p>
<p>Slowing Down a Reverse Engineer 451</p>
<p>Summary 455</p>
<p><b>Chapter 10 Analyzing Windows Phone Applications 459</b></p>
<p>Understanding the Security Model 460</p>
<p>Understanding Windows Phone 8.x Applications 473</p>
<p>Developer Sideloading 483</p>
<p>Building a Test Environment 484</p>
<p>Analyzing Application Binaries 506</p>
<p>Summary 509</p>
<p><b>Chapter 11 Attacking Windows Phone Applications 511</b></p>
<p>Analyzing for Data Entry Points 511</p>
<p>Attacking Transport Security 525</p>
<p>Attacking WebBrowser and WebView Controls 534</p>
<p>Identifying Interprocess Communication Vulnerabilities 542</p>
<p>Attacking XML Parsing 560</p>
<p>Attacking Databases 568</p>
<p>Attacking File Handling 573</p>
<p>Patching .NET Assemblies 578</p>
<p>Summary 585</p>
<p><b>Chapter 12 Identifying Windows Phone Implementation Issues 587</b></p>
<p>Identifying Insecure Application Settings Storage 588</p>
<p>Identifying Data Leaks 591</p>
<p>Identifying Insecure Data Storage 593</p>
<p>Insecure Random Number Generation 601</p>
<p>Insecure Cryptography and Password Use 605</p>
<p>Identifying Native Code Vulnerabilities 616</p>
<p>Summary 626</p>
<p><b>Chapter 13 Writing Secure Windows Phone Applications 629</b></p>
<p>General Security Design Considerations 629</p>
<p>Storing and Encrypting Data Securely 630</p>
<p>Secure Random Number Generation 634</p>
<p>Securing Data in Memory and Wiping Memory 635</p>
<p>Avoiding SQLite Injection 636</p>
<p>Implementing Secure Communications 638</p>
<p>Avoiding Cross-Site Scripting in WebViews and WebBrowser Components 640</p>
<p>Secure XML Parsing 642</p>
<p>Clearing Web Cache and Web Cookies 642</p>
<p>Avoiding Native Code Bugs 644</p>
<p>Using Exploit Mitigation Features 644</p>
<p>Summary 645</p>
<p><b>Chapter 14 Analyzing BlackBerry Applications 647</b></p>
<p>Understanding BlackBerry Legacy 647</p>
<p>Understanding BlackBerry 10 652</p>
<p>Understanding the BlackBerry 10 Security Model 660</p>
<p>BlackBerry 10 Jailbreaking 665</p>
<p>Using Developer Mode 666</p>
<p>The BlackBerry 10 Device Simulator 667</p>
<p>Accessing App Data from a Device 668</p>
<p>Accessing BAR Files 669</p>
<p>Looking at Applications 670</p>
<p>Summary 678</p>
<p><b>Chapter 15 Attacking BlackBerry Applications 681</b></p>
<p>Traversing Trust Boundaries 682</p>
<p>Summary 691</p>
<p><b>Chapter 16 Identifying BlackBerry Application Issues 693</b></p>
<p>Limiting Excessive Permissions 694</p>
<p>Resolving Data Storage Issues 695</p>
<p>Checking Data Transmission 696</p>
<p>Handling Personally Identifiable Information and Privacy 698</p>
<p>Ensuring Secure Development 700</p>
<p>Summary 704</p>
<p><b>Chapter 17 Writing Secure BlackBerry Applications 705</b></p>
<p>Securing BlackBerry OS 7.x and Earlier Legacy Java Applications 706</p>
<p>General Java Secure Development Principles 706</p>
<p>Making Apps Work with the Application Control Policies 706</p>
<p>Memory Cleaning 707</p>
<p>Controlling File Access and Encryption 709</p>
<p>SQLite Database Encryption 710</p>
<p>Persistent Store Access Control and Encryption 711</p>
<p>Securing BlackBerry 10 Native Applications 716</p>
<p>Securing BlackBerry 10 Cascades Applications 723</p>
<p>Securing BlackBerry 10 HTML5 and JavaScript (WebWorks) Applications 724</p>
<p>Securing Android Applications on BlackBerry 10 726</p>
<p>Summary 726</p>
<p><b>Chapter 18 Cross-Platform Mobile Applications 729</b></p>
<p>Introduction to Cross-Platform Mobile Applications 729</p>
<p>Bridging Native Functionality 731</p>
<p>Exploring PhoneGap and Apache Cordova 736</p>
<p>Summary 741</p>
<p>Index 743</p>
<p><i>“...there is a shocking lack of published material on the topic of mobile security. The Mobile Application Hacker’s Handbook seeks to change this and be a positive movement to educating others in the topic of mobile security awareness.”</i> (Vigilance-Security Magazine, March 2015)</p>
<p><b>DOMINIC CHELL</b> is a director of MDSec and a recognized expert in mobile security, providing training to leading global organizations.</p>
<p><b>TYRONE ERASMUS</b> is an expert on Android security and heads Mobile Practice at MWR InfoSecurity SA.</p>
<p><b>SHAUN COLLEY</b> is a security consultant and researcher at IOActive specializing in mobile security and reverse engineering.</p>
<p><b>OLLIE WHITEHOUSE</b> is Technical Director with NCC Group who has previously worked for BlackBerry and Symantec specialising in mobile security.</p>
<p><b>View your app through a hacker's eyes</b></p>
<p>IT security breaches make headlines almost daily. With both personal and corporate information being carried in so many pockets, mobile applications on the iOS, Android, BlackBerry, and Windows Phone platforms are a fertile field for hackers. To discover the true vulnerabilities in a mobile app, you must look at it as a hacker does.</p>
<p>This practical guide focuses relentlessly on the hacker's approach, helping you secure mobile apps by demonstrating how hackers exploit weak points and flaws to gain access to data. Discover a proven methodology for approaching mobile application assessments and the techniques used to prevent, disrupt, and remediate the various types of attacks.</p>
<p><b>Learn to:</b></p>
<ul>
<li>Understand the ways data can be stored and how hackers can defeat cryptography</li>
<li>Set up an environment in which insecurities and data leakages can be identified</li>
<li>Develop extensions to bypass security controls and perform injection attacks for testing</li>
<li>Identify the different types of attacks that apply specifically to cross-platform apps</li>
<li>Recognize how hackers bypass security controls such as jailbreak/root detection, tamper detection, runtime protection, and anti-debugging</li>
<li>Implement a generic methodology for mobile application testing</li>
</ul>