
Book Review: Hacking Exposed Mobile Security Secrets & Solutions

samzenpus posted about a year and a half ago | from the read-all-about-it dept.


benrothke writes "Little did anyone know, when the first Hacking Exposed book came out nearly 15 years ago, that it would launch a series of sequels covering Windows, Linux, web applications, virtualization, cloud computing and much more. The newest title, published in 2013, is Hacking Exposed Mobile Security Secrets & Solutions. In it, authors Neil Bergman, Mike Stanfield, Jason Rouse and Joel Scambray provide an extremely detailed overview of the security and privacy issues around mobile devices. The authors have heaps of experience in these topics and bring it to every chapter." Read below for the rest of Ben's review.

The power of mobile devices can be gauged by the fact that this book came out in July 2013, and just last week Steve Ballmer announced that he will step down as Microsoft CEO. While mobile has spelled doom for Ballmer's career and hurt Microsoft's bottom line, it has made the Apple brand relevant again, and extremely dominant. More of a concern is that mobile is the new avenue of attack for a new generation of attackers.

The book provides a great overview of the new threats created by mobile devices. Like the other books in the series, it provides an overview of the issues, shows how attackers will use vulnerabilities to compromise and exploit mobile devices, in addition to showing you how to secure your mobile devices and enterprise mobile platforms against these threats.

One difference between this book and other Hacking Exposed titles, especially the Windows editions, is that this one has a dearth of script kiddie tools. That is simply because few such tools exist for the mobile platforms.

The book's nine chapters provide a comprehensive and meticulous synopsis of the core areas of security and privacy concern in mobile computing.

The first two chapters provide a thorough analysis of the mobile risk ecosystem and how the cellular networks operate.

One of the major risks detailed in chapter 1 is physical risk. When data resides in an enterprise data center or colocation facility, a company has some assurance of security, since the data sits behind multiple layers of physical controls. The authors note that physical access to a mobile device is difficult to defend against for very long, and the whole phenomenon of rooting and jailbreaking proves the point.

They also write that they have yet to find a mobile application they could not defeat when given physical access to the device, including defeating the mobile device management (MDM) software.

The book astutely notes that if your mobile risk model assumes that information can be securely stored indefinitely on a physical mobile device, you are starting from a false assumption. The entire book is built on the assumption of an attacker gaining control of the device, and it provides the countermeasures needed to compensate for that.

Another piece of sagacious advice is to ensure that your developers, and those to whom you outsource development, understand the specific risks and vulnerabilities of mobile apps. It is crucial that every programmer developing mobile apps be trained in how to write them securely.

Chapter 3 covers iOS, the Apple mobile operating system. An interesting part of the chapter is on how to jailbreak Apple devices, but the authors also note that jailbreaking has pros and cons. The main negative is that you expose yourself to a variety of attack vectors that could lead to a complete compromise of the device; a non-jailbroken device avoids most of those, given the security controls in place.

The book also sheds light on the fact that even though iOS is a closed system with fewer threat vectors, it is still far from perfect. The Apple App Store, even with its security controls, is far from impervious to attack. The chapter tells the story of a few malicious apps that slipped past Apple's review and made it onto the App Store. While these apps were later removed, they were there long enough to cause damage.

While the book provides ample evidence of the risks and vulnerabilities of mobile devices, it is equally rich in countermeasures and ways to compensate for them. The chapters on iOS and Android provide myriad ways to secure the devices. Chapter 8, on mobile development security, details a framework for securing mobile apps, with requirements ranging from secure communications, effective authentication and prevention of information leakage to platform controls and more.

Appendix A contains a checklist that end-users can follow to protect the private data and sensitive information stored on their mobile devices.

Appendix B is a mobile application penetration testing toolkit for performing security assessments of mobile technologies.

The press is full of stories of how Microsoft's decline is directly related to its misreading of the mobile market. The public has bought mobile devices by the billion, and attackers who not so long ago wrote exploits for Windows are now putting their efforts into iOS and Android. The message is clear: mobile apps need to be written with security in mind, and mobile devices need to be secured.

For those looking for an understanding of current mobile security threats and how to counter them, Hacking Exposed Mobile Security Secrets & Solutions is a uniquely good book.

Reviewed by Ben Rothke

You can purchase Hacking Exposed Mobile Security Secrets & Solutions from amazon.com.


HTML encode & decode (1)

tulcod (1056476) | about a year and a half ago | (#44679109)

someone messed up & replaced decode by encode?

Re:HTML encode & decode (0)

Anonymous Coward | about a year and a half ago | (#44679139)

Ok..you got me...what does that mean?

Re:HTML encode & decode (1)

stewsters (1406737) | about a year and a half ago | (#44679407)

He is talking about HTML entities. If you want to use an & in HTML, you can write '&amp;'. The book title has an & in it, and it is displaying as if they double encoded it, like I did to post that string.

Re:HTML encode & decode (1)

tulcod (1056476) | about a year and a half ago | (#44680289)

On a related subject, it seems slashdot doesn't HTML encode the parent's subject when replying.
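The two points raised in this subthread, stewsters' explanation of entity encoding and the double-encoded title, and tulcod's observation that the parent subject is not encoded when replying, can be demonstrated together. The following is an added example written for this page; it is not Slashdot's code, and the title and subject strings are constructed here. It escapes once at the point of output, recognises the double-encoding symptom seen in the page title, and flags the opposite failure, a subject that was never encoded at all.

```python
import html
import re

# Constructed sample inputs for this example (not from Slashdot or the book).
TITLE = "Hacking Exposed Mobile Security Secrets & Solutions"
PARENT_SUBJECT = "HTML encode & decode <b>tips</b>"

# Matches an entity whose own leading '&' was escaped a second time,
# e.g. '&amp;amp;' or '&amp;lt;'. Limited to the entities html.escape emits
# plus numeric references, to avoid false positives on text like 'AT&amp;T;'.
_DOUBLE_ENCODED = re.compile(r"&amp;(?:amp|lt|gt|quot|#\d+|#x[0-9A-Fa-f]+);")

# A tag-like token that must never survive in what is meant to be plain text.
_RAW_TAG = re.compile(r"</?[A-Za-z][^>]*>")


def escape_once(text: str) -> str:
    """Escape & < > " ' exactly once. Call this at the point of output, on the
    raw stored value, never on a value already escaped on the way in."""
    return html.escape(text, quote=True)


def render_text(markup: str) -> str:
    """What a browser displays for markup made only of text and entities:
    one decoding pass. '&amp;amp;' therefore shows on screen as '&amp;'."""
    return html.unescape(markup)


def classify(markup: str) -> str:
    """Classify an output string as 'ok', 'double-encoded' (the title bug in
    the thread above) or 'raw-markup' (an unencoded subject on the page)."""
    if _RAW_TAG.search(markup):
        return "raw-markup"
    if _DOUBLE_ENCODED.search(markup):
        return "double-encoded"
    return "ok"


def reply_subject(parent_subject: str, encode: bool = True) -> str:
    """Build a 'Re:' subject from the stored parent subject. With encode=False
    the parent's markup goes straight into the page, which is the injection
    point a hostile subject would use."""
    body = escape_once(parent_subject) if encode else parent_subject
    return "Re:" + body


if __name__ == "__main__":
    once = escape_once(TITLE)
    twice = escape_once(once)  # encoded on save and again on output
    print(once, "->", classify(once))
    print(twice, "->", classify(twice))
    print("browser shows:", render_text(twice))
    unsafe = reply_subject(PARENT_SUBJECT, encode=False)
    print(unsafe, "->", classify(unsafe))
```

The rule the example encodes is the usual one: store the raw string, escape it once at the output boundary, and never escape a value that was escaped on input. `classify` is the kind of check a test suite can run over rendered templates to catch both directions of the mistake at once.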

where's the problem? (0)

Anonymous Coward | about a year and a half ago | (#44679447)

that the mobile device is just a (mobile) dumb terminal?
all the relevant (personal) data lives in an american datacenter?
that people (with petty human problems) oversee these data sets?
that we just trust them (like on the desktop we trust m$) to "do the right thing" (with our data)?
that, unlike a desktop computer, we take these little spy gadgets everywhere?
that they have a wealth of sensors (put-in-another-dollar-radio, camera, microphone, GPS, wifi, NFC ...)
right smartly built in?
dunno what could go wrong ...

Outdated when it came out? (2)

gmuslera (3436) | about a year and a half ago | (#44680091)

How much this book got outdated (even the entire series) when PRISM et al got widely disclosed, with Apple, Google and Microsoft (some of the main smartphone OS manufacturers) between the companies with close ties with NSA?

Re:Outdated when it came out? (1)

Steve_Ussler (2941703) | about a year and a half ago | (#44680105)

Where do you see it being obsolete?

Re:Outdated when it came out? (0)

Anonymous Coward | about a year and a half ago | (#44689189)

How much this book got outdated (even the entire series) when PRISM et al got widely disclosed, with Apple, Google and Microsoft (some of the main smartphone OS manufacturers) between the companies with close ties with NSA?

PRISM (seems) is an integration of data, not a protocol with known hacks. There is a large difference between the two. However, I don't think your comment was looking for an answer, just trying to stir the pot.

how it can be obsolete (1)

fauzsp (3032873) | about a year ago | (#44694813)

The media is full of experiences of how the death of Microsoft company is proportional to their misinterpreting the cellular market. The public has addressed buying cellular phones in the enormous amounts, and assailants who not so long ago wrote uses for Microsoft windows, are now placing their initiatives into iOS and Android operating system. The concept is clear, cellular phone applications need to be published with security in mind and the cellular phones need to be properly secured. Cheap flights To Dar es salaam [travellax.co.uk] | Cheap Umrah Packages [cheaphajjandumrah.co.uk]

Re:how it can be obsolete (1)

Steve_Ussler (2941703) | about a year ago | (#44695261)

Are you sure you are replying to the right thing? Not sure your point.