CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001



Similar documents
CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

SENSE Security overview 2014

ipad in Business Security

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

Enterprise Application Security Workshop Series

Deploying iphone and ipad Security Overview

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Penetration Testing for iphone Applications Part 1

Mobile Application Security and Penetration Testing Syllabus

ABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications

Security for Mac Computers in the Enterprise

Mobile Applications: The True Potential Risks Where to look for information when performing a Pentest on a Mobile Application

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

Pentesting iphone Applications. Satishb3

elearning for Secure Application Development

Security Testing Guidelines for mobile Apps

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback -

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Secure your ios applications and uncover hidden vulnerabilities by conducting penetration tests

Criteria for web application security check. Version

iphone in Business Security Overview

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Network Test Labs (NTL) Software Testing Services for igaming

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

VMware Horizon Workspace Security Features WHITE PAPER

Mobile Application Security Study

Passing PCI Compliance How to Address the Application Security Mandates

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Application Security Testing

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Advanced ANDROID & ios Hands-on Exploitation

Pentesting Mobile Applications

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Ensuring the security of your mobile business intelligence

MySQL Security: Best Practices

Mobile Apps - Hands On

Certified Secure Web Application Security Test Checklist

BYOD Guidance: Good Technology

Workday Mobile Security FAQ

Forensic analysis of iphone backups

ios Testing Tools David Lindner Director of Mobile and IoT Security

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

BlackBerry 10.3 Work and Personal Corporate

Norton Mobile Privacy Notice

PCI Security Standards Council

Where every interaction matters.

Sitefinity Security and Best Practices

Adobe Systems Incorporated

Android & ios Application Vulnerability Assessment & Penetration Testing Training. 2-Day hands on workshop on VAPT of Android & ios Applications

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

End User Devices Security Guidance: Apple ios 8

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

What is Web Security? Motivation

End User Devices Security Guidance: Apple OS X 10.10

Salesforce1 Mobile Security Guide

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

Pentesting ios Apps Runtime Analysis and Manipulation. Andreas Kurtz

Chapter 1 Web Application (In)security 1

Threat Model for Mobile Applications Security & Privacy

BYOD: End-to-End Security

IT Networking and Security

Pen Testing ios Apps

(WAPT) Web Application Penetration Testing

SecureDoc Disk Encryption Cryptographic Engine

Legal notices. Legal notices. For legal notices, see

MOBILE SECURITY. As seen by FortConsult. Lars Syberg Head of Security Services

Application Security Testing. Generic Test Strategy

Certified Secure Web Application Secure Development Checklist

BYOD Guidance: BlackBerry Secure Work Space

information security and its Describe what drives the need for information security.

Guidance End User Devices Security Guidance: Apple OS X 10.9

Security + Certification (ITSY 1076) Syllabus

LBSEC.

Last update: February 23, 2004

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

WHITEPAPER. Nessus Exploit Integration

Unwrapping the Truth: Analysis of Mobile App Wrapping. Ron Gutierrez

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

Web Application Penetration Testing

Mobile First Government

Guidance End User Devices Security Guidance: Apple ios 7

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Mobile Application Security

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Configuring Security Features of Session Recording

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Acano solution. Security Considerations. August E

Transcription:

CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001 INTRODUCTION This exam will certify that the successful candidate has the knowledge and skills required to securely create a native ios mobile application, while also ensuring secure network communications and backend Web services. Test Purpose: The CompTIA Mobile App Security+ Certification Exam (ios Edition) is suited for those individuals with at least 24 months of application development experience, as well as solid familiarity with the ios SDK and principles of secure application development. The successful candidate should have the knowledge and skills to: Describe fundamental principles of application security Describe the security model of ios devices Describe common threats to mobile application security Develop moderately complex applications using the ios SDK Describe Web services security model and vulnerabilities Properly implement SSL/TLS for Web communications Utilize the security features of the ios operating system and APIs Properly implement secure coding techniques Avoid insecure retention of data in memory Describe common implementations of cryptography such as PKI Leverage encryption for storage and/or communications Harden an application against attack to levels appropriate for the risk model of the application Prerequisite knowledge: Objective-C programming, ios SDK, SQL coding, mobile and app security essentials, implementing encryption Domain % of Examination 1.0 Application Security and SDLC Fundamentals 11% 2.0 Objective-C Coding 14% 3.0 ios SDK, APIs, and Security Features 21% 4.0 Web Service and Network Security 18% 5.0 Data Security and Implementing Encryption 23% 6.0 Application Hardening 13% Total 100% CompTIA Mobile App Security+ Certification Exam Objectives (ios Edition) 1 of 8

**Note: The bulleted lists below each objective are not exhaustive lists. Even though they are not included in this document, other examples of technologies, processes or tasks pertaining to each objective may also be included on the exam. 1.0 Application Security and SDLC Fundametals 1.1 Identify reasons for significance of secure mobile development. U.S. Regulatory requirements: PCI, HIPAA, FFIEC, FISMA International requirements: E.U. privacy Business requirements Consumer expectations (including privacy) 1.2 Describe security risks which are unique or higher for mobile technologies/devices. Lost/stolen device (physical access) Untrusted Wi-Fi networking (DNS attack, MITM) Users running modified OS (jailbroken) Telephony-related attacks (SMiShing, MitMo, toll fraud) 1.3 Compare the relative severity of security issues. Unprotected web interfaces Vulnerability to SQL Injection Storage of passwords, sensitive data without encryption Transmission without encryption (TLS/SSL) 1.4 Explain a secure development process throughout application development. Security testing/review on release (and during development) Business requirements Specifications Threat model/architectural risk analysis Code review Automated Manual Perform security testing Fuzzing Security functionality Dynamic validation Risk based testing Penetration testing Types of documentation CompTIA Mobile App Security+ Certification Exam Objectives (ios Edition) 2 of 8

Regulatory or corporate policy security or privacy requirements Schedule on-going security tests post-os upgrades 1.5 Summarize general application security best practices. Sanitizing input, input validation Contextually appropriate output escaping Good design considerations: Logic in applications Storage of variables Database design Debugging Error handling Secure storage Secure communications Authentication and authorization Session management Ensuring Application and data integrity Security by design vs. obscurity Sandbox 1.6 Identify the major architectural risks to weaknesses in an application. Build an architecture diagram of an application (including backend services), along with descriptions of each component Establish a deep and comprehensive understanding of the application and its components Break the architecture into specific security zones for individual consideration For each zone, articulate and enumerate each of the following: Who has access to the zone? What would motivate someone to attack the system? What would an attacker target, specifically, in each zone? (e.g., data, functions) How could each target be attacked? (Reference Microsoft s STRIDE process.) What would be the impact to the business of a successful attack? What remediation could be implemented to reduce the likelihood of successful attack? Recommend and justify remediation based on their corresponding likelihood and magnitude of impact vs. their costs to the business 2.0 Objective-C Coding 2.1 Explain the Objective-C language and design. Instance variables Methods CompTIA Mobile App Security+ Certification Exam Objectives (ios Edition) 3 of 8

Method Cache Integrating C into Objective-C 2.2 Demonstrate proper handling of sensitive data in memory. Level 3, use code example selection Cleaning up sensitive values used temporarily (passcodes, keys, credit card info) Show ability to select correct code, which does not store and which clears values 2.3 Explain Objective-C framework paradigms and related security impacts. Nuances to class construction, pose and replace functions (methods, classes, etc), and other design nuances which can be exploited Objective-C interfaces into C Land (dlsym, dladdr, Objective-C library calls for replacing methods, etc) 2.4 Demonstrate proper interaction with ios security facilities and objects. Code examples of various implementations (correct and incorrect), and distinguish between incorrect and correct usage Security frameworks (dataprotection), keychain access, read/write access to files within an application, memory handling, ARC (Automatic Reference Counting), SQLite DB querying (Level 4) 3.0 ios SDK, APIs, and Security Features 3.1 Summarize the security features of the platform. Code signing Sandbox Data at rest encryption Generic native exploit mitigation features ASLR Non executable memory Stack smashing protection 3.2 Explain the data protection API. Automatically setup when passcode is set Various levels of protection, driven by developer Complete protection Protected unless open Protected until first user authentication No protections 3.3 Explain the features of the security framework. Common Crypto Libraries CompTIA Mobile App Security+ Certification Exam Objectives (ios Edition) 4 of 8

Symmetric encryption HMAC Digests Generating secure random numbers 3.4 Explain the security and limitations of the keychain. Keychain access groups Managing certificates and keys What does not belong in the keychain How keychain can be accessed or compromised (e.g., physical access, backups) 3.5 Demonstrate proper use of keychain for storing sensitive data. Select correct code, using enumeration 4.0 Web Service and Network Security 4.1 Summarize the risks in performing Web and network communications. Clear text transmission of data Man-in-the-middle attacks Cellular proxy attack (provisioning profile) Insufficient validation of certificates / certificate chain SSL compromise DNS hijacking 4.2 Implement an SSL session with validation. Validate originated from a trusted CA Validate the certificate has not been revoked Describe how to implement / validate client-side certificates SSL pinning If using CFNetwork ensure validation on expiry, root, and chain is enabled Use secure transport API to manage cipher suites Set SSL protocol type and versions 4.3 Explain common threats to Web services. Information disclosure Brute forcing Fuzzing SQL injection CompTIA Mobile App Security+ Certification Exam Objectives (ios Edition) 5 of 8

Directory traversal 4.4 Distinguish sound security protections for authentication. Brute forcing PIN locally Brute forcing authentication against Web service Not using basic authentication Not passing server/service credentials from application 4.5 Describe proper implementation of session security. Highly random token Expire on timeout or exit Store in memory not in data Avoid static user token UDID deprecation 5.0 Data Security and Implementing Encryption 5.1 Explain a secure data storage and encryption implementation. Key storage and retention Key derivation - Why 10,000 rounds of PBKDF2 is better than 3,000 Master keys Key strength Cipher Specifications Forensic trace Storage of data in protected APIs Built-in encryption vs. custom encryption File permissions and using strong passwords for database security How to hash sensitive data and seed of passwords Storing more data externally on servers Not storing data outside of the applications security Do not store sensitive data, if you can avoid it Protecting data at rest while the device is locked 5.2 Demonstrate knowledge of proper implementation of encryption in ios. Common cryptor Good design considerations: Logic in applications Certificate and key exchange Authentication and authorization Session management Decryption as authentication, not after 5.3 Describe Apple Data Encryption APIs. CompTIA Mobile App Security+ Certification Exam Objectives (ios Edition) 6 of 8

PIN vs. complex passphrase Data protection APIs Keychain and vulnerabilities Demonstrate knowledge of Apple s encrypted file system Journal 5.4 Demonstrate understanding of best practices for secure data deletion. Wiping memory Wiping SQLite records DOD 5220.22-M data destruction standard 5.5 Explain nature and extent of data recovery techniques for ios. Binary imaging and carving, could keys/passwords be recovered by a raw dump? How jailbreaking can lead to access to data protected by permissions. SQLite database, when does data get deleted, does is hang around? Recovery data from backup, icloud security Flash NAND storage, if something is deleted is it actually deleted? Custom RAM disks, booting another kernel to gain access to the file system Live Forensics, what is being stored in memory, can this be dumped? 5.6 Explain types and sensitivity of particular data, and how it can leak. Usage logs, session logs, debugging data Phone book, calendar, notes Content of private communications messages, IM, etc. Account and log in information Transaction and payment data Web caches, cookies and other temporary data Location data, Cell tower and GPS information Wi-Fi and Bluetooth passwords, IP address and routing information Audio recording and video Picture meta data 6.0 Application Hardening 6.1 Explain application object binaries and tools. Apple Digital Rights Management Mach-O object format Symbol table definitions Class-dump Dumping memory Binary stripping CompTIA Mobile App Security+ Certification Exam Objectives (ios Edition) 7 of 8

6.2 Explain Objective-C debugging. Attaching to processes Common debugger commands Code obfuscations Dynamic code injection Debugging detection techniques 6.3 Describe forms of abusive runtime manipulation. Attaching to processes using cycript Bypassing application UI locks Overriding application methods Manipulating instance variables Foundation class attacks 6.4 Summarize counter-runtime abuse techniques. Jailbreak detection Runtime class validation Process trace checks Tamper response Counter-debugging techniques Code obfuscations Optimizations Inline functions Encrypted payloads CompTIA Mobile App Security+ Certification Exam Objectives (ios Edition) 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information