Joel Scambray - Hacking Exposed Mobile Security Secrets & Solutions

Copyright 2013 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-181702-8
MHID: 0-07-181702-6

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-181701-1, MHID: 0-07-181701-8.

E-book conversion by Codemantra
Version 2.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education products are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Educations Education prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED AS IS. McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting there from. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

To my family, friends, and coworkers who have kept me sane over the years.
Neil

To Leslie, for your patience and unwavering support.
Mike

To Masha, for (im)patience.
JR

To Susan, Julia, Sarah, and MichaelI promise I will put the phone down now.
Joel

Neil Bergman is a senior security consultant at Cigital. He has been involved in leading and conducting penetration testing, code review, and architecture risk analysis of critical applications for industry-leading financial and software companies. Neil has conducted security assessments on a multitude of mobile platforms such as Android, iOS, and RIM in addition to conducting numerous assessments against web services, web applications, and thick clients. His primary areas of interest include mobile and web application vulnerability discovery and exploitation. Neil graduated from James Madison University with a masters degree in Computer Science and received a bachelors degree in Computer Science from North Carolina State University.

Mike Stanfield joined Cigital in 2012 as a security consultant. As part of Cigitals mobile security practice, Mike has specialized in application security assessments and penetration testing involving the iOS, Android, and Blackberry platforms, and has been involved with the development and delivery of Cigitals mobile software security training offerings. He also has experience working with mobile payment platforms, including GlobalPlatform/Java Card applet security and development. Prior to joining Cigital, Mike was the head of Information Technology for the Division of Student Affairs at Indiana University. He also worked as a grant analyst for the Office of Research Administration at Indiana University, where he was involved with the development of the open source Kuali Coeus project. Currently residing in Manhattan, Mike studied Security Informatics at Indiana University and holds a bachelors degree in Anthropology from Indiana State University.

Jason Rouse brings over a decade of hands-on security experience after plying his craft at many of the leading companies in the world. He is currently a member of the team responsible for the security of Bloomberg LPs products and services, exploring how to reinvent trusted computing and deliver on the promise of ubiquitous biometrics. Jason is passionate about security, splitting his time between improving Bloombergs security capabilities and contributing to cutting-edge security projects around the world. In his spare time, he has chaired the Financial Services Technology Consortium committee on Mobile Security and worked to elevate mobile security through his professional contributions. Prior to his work at Bloomberg, Jason was a principal consultant at Cigital, Inc., an enterprise software security consulting firm. He performed many activities at Cigital, including creating the mobile and wireless security practice, performing architecture assessments, and being a trusted advisor to some of the worlds largest development organizations. Prior to Cigital, Jason worked with Carnegie Mellons CyLab Security Research Lab, creating next-generation mobile authentication and authorization frameworks and expanding the state of the art in computer security. Currently residing in Manhattan, Jason holds both a BCS and MCS from Dalhousie University, Canada.

Joel Scambray is a Managing Principal at Cigital, a leading software security firm established in 1992. He has assisted companies ranging from newly minted startups to members of the Fortune 500 address information security challenges and opportunities for over 15 years.