CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001



INTRODUCTION

This exam will certify that the successful candidate has the knowledge and skills required to securely create a native Android mobile application, while also ensuring secure network communications and backend Web services.

Test Purpose: The CompTIA Mobile App Security+ Certification Exam (Android Edition) is suited for those individuals with at least 24 months of application development experience, as well as solid familiarity with Java, the Android SDK, and principles of secure application development.

The successful candidate should have the knowledge and skills to:
- Describe fundamental principles of application security
- Describe the security model of Android devices
- Describe common threats to mobile application security
- Develop moderately complex applications using the Android SDK
- Describe the Web services security model and its vulnerabilities
- Properly implement SSL/TLS for Web communications
- Utilize the security features of the Android operating system and APIs
- Properly implement secure coding techniques
- Avoid insecure retention of data in memory
- Describe common implementations of cryptography such as PKI
- Leverage encryption for storage and/or communications
- Understand access control and file permissions
- Harden an application against attack to levels appropriate for the risk model of the application

Prerequisite knowledge: Java programming, Android SDK, SQL coding, mobile and application security essentials, and implementing encryption.

Domain                                                    % of Examination
1.0 Mobile application security, SDLC, and threat models        18%
2.0 Android SDK, APIs, and security features                    20%
3.0 Web service and network security                            23%
4.0 Data security and implementing encryption                   23%
5.0 Application hardening and reverse engineering                5%
6.0 Secure Java coding                                          11%
Total                                                          100%

CompTIA Mobile App Security+ Certification Exam Objectives (Android Edition) 1 of 9

**Note: The bulleted lists below each objective are not exhaustive lists. Even though they are not included in this document, other examples of technologies, processes or tasks pertaining to each objective may also be included on the exam.

1.0 Mobile Application Security, SDLC, and Threat Models

1.1 Identify reasons for the significance of secure mobile development.
- U.S. regulatory requirements: PCI, HIPAA, FFIEC, FISMA
- International requirements: E.U. privacy
- Business requirements
- Consumer expectations (including privacy)
- Security risks which are unique to, or higher for, mobile
  - Lost/stolen device (physical access)
  - Untrusted Wi-Fi networking (DNS attack, MITM)
  - Users running modified OS (jailbroken)
  - Telephony-related attacks (SMiShing, MitMo, toll fraud)

1.2 Compare relative severity of security issues.
- Unprotected Web interfaces
- Vulnerability to SQL injection
- Storage of passwords and sensitive data without encryption
- Transmission without encryption (TLS/SSL)

1.3 Explain a secure development process throughout application development.
- Security testing/review on release (and during development)
- Business requirements
- Specifications
- Threat model/architectural risk analysis
- Code review
  - Automated
  - Manual
- Perform security testing
  - Fuzzing
  - Security functionality
  - Dynamic validation
  - Risk-based testing
  - Penetration testing
- Types of documentation
- Regulatory or corporate policy security or privacy requirements
- Schedule on-going security tests post-OS upgrades

1.4 Summarize general application security best practices.
- Sanitizing input, input validation
- Contextually appropriate output escaping
- Good design considerations:
  - Logic in applications
  - Storage of variables
  - Database design
  - Debugging
  - Error handling
- Secure storage
- Secure communications
- Authentication and authorization
- Session management
- Ensuring application and data integrity
- Security by design vs. obscurity
- Sandbox

1.5 Identify the major architectural risks and weaknesses in an application.
- Build an architecture diagram of an application (including back-end services), along with descriptions of each component
- Establish a deep and comprehensive understanding of the application and its components
- Break the architecture into specific security zones for individual consideration
- For each zone, articulate and enumerate each of the following:
  - Who has access to the zone?
  - What would motivate someone to attack the system?
  - What would an attacker target, specifically, in each zone? (e.g., data, functions)
  - How could each target be attacked? (Reference Microsoft's STRIDE process.)
  - What would be the impact to the business of a successful attack?
  - What remediation could be implemented to reduce the likelihood of a successful attack?
- Recommend and justify remediation based on the corresponding likelihood and magnitude of impact vs. the costs to the business

2.0 Android SDK, APIs and Security Features

2.1 Summarize the Android security architecture.
- System and kernel level security
- Application sandbox
- Application signing
  - Purpose
  - Key management

- Permissions
- File system
- Application-defined URI permissions

2.2 Explain the Android permission model.
- Protected APIs
- Requesting permissions
- Defining permissions
- Use of signatures
- Protection levels
- Summarize the Device Administration API
  - Purpose and appropriate use
- Letting the user control access to sensitive data
  - Start the contacts activity to let the user select a contact for use by the application, rather than requiring permission to access all contacts
  - Start the camera application to let the user take a picture for use in the application, without requiring camera permissions

2.3 Describe secure inter-process communication.
- Public and private components
- Protecting access to:
  - Services
  - Broadcast receivers
  - Activities
  - Content providers
  - Databases
- Securely accessing third-party components with IPC
- Types of attacks
  - Confused deputy
  - Intent sniffing
  - Intent hijacking
  - Data disclosure

2.4 Securely implement common features.
- Web view
- KeyChain

3.0 Web Service and Network Security

3.1 Summarize the risks in performing Web and network communications.
- Clear text transmission of data
- Man-in-the-middle attacks
- Cellular proxy attack (provisioning profile)
- Insufficient validation of certificates/certificate chain

- SSL compromise
- DNS hijacking

3.2 Implement an SSL session with validation.
- Encryption/confidentiality of data
  - Basics of public-key crypto as used in SSL
  - Understanding of threats that SSL encryption protects against
- Authentication of the server (basic)
  - How server certificates are verified (default CA chain checking)
  - Understanding of threats that SSL server authentication protects against
- Authentication of the server (advanced)
  - Custom hostname verifiers
  - Customize trust (configuring the application to only trust certain certs)
  - Use self-signed certificates for server authentication
- Authentication of the client
  - Explain basics of mutual-authentication SSL
  - Understanding of threats that SSL client authentication protects against
  - Deploy client certificate into the application's keystore
  - Deploy client certificate into the system keystore
  - Configure the application to present client certificates for client authentication

3.3 Distinguish sound security protections for authentication.
- Explain pros/cons and implement device/application authentication techniques
  - Mutual-authentication SSL for client device authentication
  - Web service API keys for client application authentication
- Explain pros/cons and implement user authentication techniques
  - Storing/accessing user credentials using AccountManager
  - Basic authentication
  - Digest authentication
  - Token-based authentication using OAuth

3.4 Explain common threats and protections for Web services.
- Explain input validation
  - Need for input validation (lack of client/communicating-party authentication)
  - Postel's Law
  - Positive (whitelist) vs. negative (blacklist) validation
  - Pros/cons of whitelist validation
  - Pros/cons of blacklist validation
- Explain cross-site scripting (XSS) attacks
  - Stored XSS

  - Reflected XSS
  - XSS prevention strategies
- Explain cross-site request forgery (CSRF) attacks
  - CSRF attack general principles
  - Login CSRF
  - CSRF prevention strategies
- Explain command/SQL injection attacks
  - Basics of command/SQL injection
  - Input validation as a defense strategy
  - Parameterized queries/prepared statements

3.5 Describe proper implementation of session security.
- Highly random token
- Expire on timeout or exit
- Store in memory, not in data
- Avoid static user token
- UDID deprecation

4.0 Data Security and Implementing Encryption

4.1 Explain how encryption and hashing work.
- Symmetric-key and public-key cryptography
- One-way functions (e.g., hashes)
- Why the salting of passwords is needed
- Key generation: why 10,000 rounds is better than 2,000
- Security by design vs. obscurity

4.2 Summarize methods for securing stored data.
- Certificates
- Permissions and access rights
- Database security
  - Strong SQL database passwords
  - Sanitizing inputs (stopping SQL injection)
  - Encryption

4.3 Distinguish proper implementation of encryption in an Android application.
- Encrypting the application (when it is enabled again)
- Why using GPG/OpenPGP might be better than your own version
- Using some known value like the MEID to obscure data: better than nothing?
- Obfuscating the code to stop someone reversing the algorithm being used
- How to store passwords and keys so they cannot be extracted from the application
- How to encrypt or hash data stored in SQL databases

- Checking if device encryption is enabled

4.4 Implement data security using the Android permissions model.
- Create a custom permission for your application
- Secure a service with the correct permissions
- Grant temporary permission to open a downloaded file

5.0 Application Hardening and Reverse Engineering

5.1 Explain reverse engineering.
- Explain what reverse engineering is
- Explain good reasons for reverse engineering applications
- Explain bad reasons for reverse engineering applications
- Nature of the Android and Java platforms and why reverse engineering is easy/easier
- Explain basic reverse engineering techniques and approaches
  - Process/stages
  - APK components (classes, dex, certificates, manifest, layouts, jars, native libraries, resources/assets, etc.)
  - Static analysis
    - Strings/resources analysis
    - Disassembly
    - Decompilation
    - Pros and cons
  - Dynamic analysis
    - Sandboxes
    - Observing network communications
    - Android emulator
    - Live debugging
    - Pros and cons
  - Understand forward engineering (code => javac => dx => classes.dex) to understand reverse engineering
  - Reverse engineering tools: apktool, dex2jar, jd-gui

5.2 Explain reverse engineering countermeasures.
- ProGuard
  - Explain what ProGuard is
  - Explain why ProGuard can make reverse engineering more difficult
  - Deploy a default installation of ProGuard into an Android project
  - Explain why native methods can make applying ProGuard more difficult
  - Explain why reflection can make applying ProGuard more difficult

  - Explain the various options that can be configured in a ProGuard configuration
  - Provide an example where the default ProGuard configuration must be altered
- Explain how native libraries impact reverse engineering
- Information leakage
  - Remove/reduce logcat logging info
  - Remove/reduce debug code
  - Remove/reduce stack trace leaks
  - Catch exceptions
  - Things used to debug applications will help reverse the application if left in the code
- Make man-in-the-middle (MITM) harder for network protocol reverse engineering
  - Use SSL for communications to the server
  - Use certificate pinning: hardcode the cert for the server
- Detect package modifications
  - Check integrity of the APK
  - MD5/SHA checksum of the application public key?
  - Check if individual fields match?
- Password storage
  - Explain why reverse engineering can make recovery of static passwords easy
  - Explain what information, contained in an application, can be recovered via reverse engineering
  - Explain the trade-offs between storage, derivation, and user-supply of secret information

6.0 Secure Java Coding

6.1 Explain Java language structure and object-oriented development.
- Classes, objects, methods, fields
- Exception handling, try/catch
- Packages

6.2 Demonstrate proper handling of sensitive information.
- Purge sensitive information from exceptions and from memory after usage
- Avoid logging highly sensitive information

6.3 Explain general secure Java coding best practices.
- Correct naming
- Limit the extensibility of classes and methods
- Define wrappers around native methods

- Get a proper reference to external storage like the SD card
- Isolate unrelated code
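The following Java class is an added illustration of two objectives above, not code from CompTIA or from any exam material: objective 4.1 (why passwords are salted and why a higher PBKDF2 round count such as 10,000 beats 2,000) and objective 6.2 (purging sensitive information from memory and keeping it out of exceptions). It assumes a runtime where the standard PBKDF2WithHmacSHA256 provider exists (JDK 8+, Android API 26+); the class name, the sample passwords and the round counts are assumptions chosen for the example, and 10,000 is the figure the objective quotes, not a tuning recommendation.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example (not exam or vendor code): salted, iterated password hashing
 * with PBKDF2, plus the objective 6.2 hygiene of wiping secrets after use and
 * never putting them in exception messages. Assumes PBKDF2WithHmacSHA256 is
 * available (JDK 8+, Android API 26+).
 */
public final class PasswordVerifier {
    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    // Objective 4.1 contrasts 2,000 and 10,000 rounds: an attacker's guessing
    // cost scales linearly with this value, so the higher count is the better one.
    private static final int ITERATIONS = 10_000;

    private final byte[] salt;
    private final byte[] hash;
    private final int iterations;

    private PasswordVerifier(byte[] salt, byte[] hash, int iterations) {
        this.salt = salt;
        this.hash = hash;
        this.iterations = iterations;
    }

    /** Hashes a new password. The caller's char[] is zeroed before this returns. */
    public static PasswordVerifier enroll(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt); // per-user salt: equal passwords get different hashes
        try {
            return new PasswordVerifier(salt, derive(password, salt, ITERATIONS), ITERATIONS);
        } finally {
            Arrays.fill(password, '\0');    // 6.2: purge the secret from memory once it has been used
        }
    }

    /** Checks a candidate in constant time; the candidate char[] is zeroed afterwards. */
    public boolean verify(char[] candidate) {
        byte[] derived = null;
        try {
            derived = derive(candidate, salt, iterations);
            return MessageDigest.isEqual(hash, derived); // constant-time comparison
        } finally {
            if (derived != null) Arrays.fill(derived, (byte) 0);
            Arrays.fill(candidate, '\0');
        }
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            // 6.2: the exception reports the failure, never the password or the salt
            throw new IllegalStateException("password derivation unavailable", e);
        } finally {
            spec.clearPassword();           // PBEKeySpec keeps its own copy of the password; wipe it too
        }
    }

    /** Rough cost of one derivation at the given round count, in milliseconds. */
    public static long costMillis(int iterations) {
        byte[] salt = new byte[SALT_BYTES];                 // zero salt is fine for a timing sample
        char[] pw = "timing-sample".toCharArray();          // constructed sample value
        long start = System.nanoTime();
        Arrays.fill(derive(pw, salt, iterations), (byte) 0);
        Arrays.fill(pw, '\0');
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample password
        PasswordVerifier stored = enroll(pw);
        System.out.println("caller's array wiped after enroll: " + (pw[0] == '\0'));
        System.out.println("right password verifies: "
                + stored.verify("correct horse battery staple".toCharArray()));
        System.out.println("wrong password rejected: "
                + !stored.verify("correct horse battery stapler".toCharArray()));
        System.out.println("2,000 rounds: " + costMillis(2_000) + " ms; 10,000 rounds: "
                + costMillis(10_000) + " ms");
    }
}
```

Passwords are passed as char[] rather than String so they can be overwritten in place; a String would stay in the heap until garbage collection. The salt and hash are what gets stored; the iteration count is stored alongside them so it can be raised for new enrollments without breaking verification of older records.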