HACKING EXPOSED™: MOBILE SECURITY SECRETS & SOLUTIONS
NEIL BERGMAN
MIKE STANFIELD
JASON ROUSE
JOEL SCAMBRAY
New York Chicago San Francisco
Athens London Madrid
Mexico City Milan New Delhi
Singapore Sydney Toronto
Copyright © 2013 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976,
no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a
computer system, but they may not be reproduced for publication.
ISBN: 978-0-07-181702-8
MHID: 0-07-181702-6
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-181701-1,
MHID: 0-07-181701-8.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the
trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate
training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
McGraw-Hill Education, the McGraw-Hill Education Publishing logo, Hacking Exposed™, and related trade dress are trademarks or
registered trademarks of McGraw-Hill Education and/or its affiliates in the United States and other countries and may not be used without
written permission. All other trademarks are the property of their respective owners. McGraw-Hill Education is not associated with any
product or vendor mentioned in this book.
Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of
human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy,
adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of
such information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject
to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may
not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate,
sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own
noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail
to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR
WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM
USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK
OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and
its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be
uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error
or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the
content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable
for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even
if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever
whether such claim or cause arises in contract, tort or otherwise.
To my family, friends, and coworkers who have kept me sane over the years.
—Neil
To Leslie, for your patience and unwavering support.
—Mike
To Masha, for (im)patience.
—JR
To Susan, Julia, Sarah, and Michael—I promise I will put the phone down now.
—Joel
Hacking Exposed: Mobile Security Secrets & Solutions
ABOUT THE AUTHORS
Neil Bergman
Neil Bergman is a senior security consultant at Cigital. He has been involved in
leading and conducting penetration testing, code review, and architecture risk
analysis of critical applications for industry-leading financial and software
companies. Neil has conducted security assessments on a multitude of mobile
platforms such as Android, iOS, and RIM in addition to conducting numerous
assessments against web services, web applications, and thick clients. His primary
areas of interest include mobile and web application vulnerability discovery and
exploitation. Neil graduated from James Madison University with a master’s degree in
Computer Science and received a bachelor’s degree in Computer Science from North
Carolina State University.
Mike Stanfield
Mike Stanfield joined Cigital in 2012 as a security consultant. As part of Cigital’s
mobile security practice, Mike has specialized in application security assessments
and penetration testing involving the iOS, Android, and Blackberry platforms,
and has been involved with the development and delivery of Cigital’s mobile
software security training offerings. He also has experience working with mobile
payment platforms, including GlobalPlatform/Java Card applet security and
development. Prior to joining Cigital, Mike was the head of Information Technology for
the Division of Student Affairs at Indiana University. He also worked as a grant analyst
for the Office of Research Administration at Indiana University, where he was involved
with the development of the open source Kuali Coeus project. Currently residing in
Manhattan, Mike studied Security Informatics at Indiana University and holds a
bachelor’s degree in Anthropology from Indiana State University.
Jason Rouse
Jason Rouse brings over a decade of hands-on security experience after plying his
craft at many of the leading companies in the world. He is currently a member of
the team responsible for the security of Bloomberg LP’s products and services,
exploring how to reinvent trusted computing and deliver on the promise of
ubiquitous biometrics. Jason is passionate about security, splitting his time between
improving Bloomberg’s security capabilities and contributing to cutting-edge security
projects around the world. In his spare time, he has chaired the Financial Services
Technology Consortium committee on Mobile Security and worked to elevate mobile
security through his professional contributions. Prior to his work at Bloomberg, Jason
was a principal consultant at Cigital, Inc., an enterprise software security consulting
firm. He performed many activities at Cigital, including creating the mobile and wireless
security practice, performing architecture assessments, and being a trusted advisor to
some of the world’s largest development organizations. Prior to Cigital, Jason worked
with Carnegie Mellon’s CyLab Security Research Lab, creating next-generation mobile
authentication and authorization frameworks and expanding the state of the art in
computer security. Currently residing in Manhattan, Jason holds both a BCS and MCS
from Dalhousie University, Canada.
Joel Scambray
Joel Scambray is a Managing Principal at Cigital, a leading software security firm
established in 1992. He has assisted companies ranging from newly minted startups
to members of the Fortune 500 address information security challenges and
opportunities for over 15 years.
Joel’s background includes roles as an executive, technical consultant, and
entrepreneur. He co-founded and led information security consulting firm
Consciere before it was acquired by Cigital in June 2011. He has been a Senior Director at
Microsoft Corporation, where he provided security leadership in Microsoft’s online
services and Windows divisions. Joel also co-founded security software and services
startup Foundstone, Inc., and helped lead it to acquisition by McAfee in 2004. He
previously held positions as a manager for Ernst & Young, security columnist for
Microsoft TechNet, editor at large for InfoWorld Magazine, and director of IT for a major
commercial real estate firm.
Joel is a widely recognized writer and speaker on information security. He has co-authored
and contributed to over a dozen books on IT and software security, many of
them international bestsellers. He has spoken at forums including Black Hat, as well as
for organizations including IANS, CERT, CSI, ISSA, ISACA, SANS, private corporations,
and government agencies including the FBI and the RCMP.
Joel holds a BS from the University of California at Davis, an MA from UCLA, and he
is a Certified Information Systems Security Professional (CISSP).
About the Contributing Authors
Swapnil Deshmukh is an Information Security Specialist at Visa. He was previously a
security consultant at Cigital, where he helped clients build secure mobile practices. His
responsibilities included designing and implementing mobile threat modeling,
implementing security coding practices, performing source code analysis, reverse
engineering application binaries, and performing mobile penetration testing. Prior to
working at Cigital, Swapnil held a position as a mobile threat analyst at MyAppSecurity,
where he designed and implemented a mobile threat modeler. Swapnil holds an MS
from George Mason University in Computer Networks and Telecommunication.
Sarath Geethakumar is Chief Information Security Specialist at Visa, Inc. He specializes
in mobile platform and application security and is actively involved in security research
around mobility. Sarath’s research activities have been instrumental in uncovering
numerous security weaknesses with mobile device management solutions and platform
security capabilities that were ethically disclosed to appropriate vendors. In addition to
research, Sarath leads efforts around secure mobile application development and ethical
hacking at Visa.
Sarath’s background also includes roles such as security specialist, security consultant,
lead architect, and software developer. Before joining Visa, he served as an information
security specialist and Red Team member at American Express. Sarath has also provided
consulting expertise to various financial institutions and Fortune 500 companies as part
of his consulting career. He has played a key role in shaping mobile security practices
across various organizations and training security professionals on mobile security.
Scott Matsumoto is a Principal Consultant at Cigital with over 20 years of software
security and commercial software product development experience. At Cigital, Scott is
responsible for mobile security practice within the company and has been instrumental
in building Cigital’s western US business through direct consulting as well as oversight
of projects, training, and software deployments. He works with many of Cigital’s clients
on security architecture topics such as Mobile Application Security, Cloud Computing
Security, SOA Security, fine-grained entitlements systems, and SOA Governance. Scott’s
prior experience encompasses development of component-based middleware,
performance management systems, graphical UIs, language compilers, database
management systems, and operating system kernels. He is a founding member of the
Cloud Security Alliance (CSA) and is actively involved in its Trusted Computing
Initiative.
Mike Price is currently Chief Architect at Appthority, Inc. In this role, Mike focuses full
time on research and development related to mobile operating system and application
security. Mike was previously Senior Operations Manager for McAfee Labs in Santiago,
Chile. In this role, Mike was responsible for ensuring smooth operation of the office,
working with external entities in Chile and Latin America, and generally promoting
technical excellence and innovation across the team and region. Mike was a member of
the Foundstone Research team for nine years. Most recently, he was responsible for
content development for the McAfee Foundstone Enterprise vulnerability management
product. In this role, Mike worked with and managed a global team of security researchers
responsible for implementing software checks designed to remotely detect the presence
of operating system and application vulnerabilities. He has extensive experience in the
information security field, having worked in the area of vulnerability analysis and
infosec-related R&D for nearly 13 years. Mike is a published author, contributing to
Hacking Exposed™: Network Security Secrets & Solutions, 7th Edition on the topic of iOS
security and to Sockets, Shellcode, Porting & Coding on the topic of sockets programming
and code portability. Mike is also co-founder of the 8.8 Computer Security Conference,
held annually in Santiago, Chile. Mike also served as technical reviewer for this book.
John Steven is Cigital’s Internal CTO. He is a sought-after speaker with over 15 years of
industry experience. John’s expertise runs the gamut of software security from threat
modeling and architectural risk analysis, through static analysis (with an emphasis on
automation), to security testing. As a Principal Consultant, John provided strategic
direction to many multinational corporations. As Internal CTO, John directs Cigital’s
security practices and his keen interest in automation keeps Cigital technology at the
cutting edge.
About the Technical Reviewer
Gabriel Eacevedo is a security researcher at Cylance, Inc., working with an elite group
of security experts helping to protect the real world and to solve large and complex
problems every day simply and elegantly. Previous to Cylance, Gabriel was a security
researcher for McAfee Labs. In this role, he analyzed vulnerabilities on Microsoft
Windows, Mac OS X, Unix platforms, mobile devices, security appliances, and other
systems. His team was responsible for the design and implementation of software checks
that detected the presence of security flaws in remote systems. While working with
McAfee, Gabriel also led the Mobile Security Working Group, analyzing the security of
embedded systems. He was also a spokesperson for McAfee in LATAM. Gabriel has
whitepapers and articles published by McAfee, has been featured on Chilean national
television and radio programs, and is also a co-author of a scientific paper titled
“Transformation for Class Immutability,” which was published by the Association for
Computing Machinery (ACM) for the 33rd International Conference on Software
Engineering. He is interested in information security research, iOS and Mac OS X
internals, and software engineering.