Course: Security in Mobile Applications
Objective:
The objective of this course is to raise awareness among those involved in developing software solutions with GeneXus, and to train them, regarding the importance of security and the techniques for detecting, validating, and mitigating potential risks in mobile applications, especially those generated for Android.
It is aimed mainly at GeneXus users, from analysts, developers, and testers to project managers, who want to learn more about the features that currently make an Android application secure in its context of use. OWASP ASVS Mobile (OWASP Mobile Application Security Verification Standard) [1] is used as the reference and guide for the course.

Duration:
The total duration of the course is 16 hours, divided into 2 sessions of 8 hours, taught in person, to a maximum of 14 people. 

Instructor:
The course instructor will be one of the following professionals:

Requirements:
Participants must bring their own computers (notebook or desktop), which must be able to connect, over a wired or wireless network, to the testing environment that will be deployed. Access is through remote desktop.

Methodology:
The course combines a theoretical part, which details the basic concepts required to address security issues, with a practical component that takes up most of the time.
 
For each of the OWASP ASVS Mobile issues, the following topics are addressed:
  •     Explanation of the security requirements, in particular those of the ASVS.
  •     Description of what GeneXus does automatically to meet these requirements.
  •     Discussion of what the developer must do to implement the requirement (if necessary).
  •     Mechanisms for validating the implementation of the security requirement.
  •     Practical exercise using GeneXus to detect the problem, exploit it, solve it and verify it.

Syllabus:
The main topics of the course are presented below.

Introduction
Presentation of the instructor, the topics to be covered in the course and the work methodology.

OWASP ASVS Mobile
ASVS Mobile, its objectives and levels

Sample applications and setting up of environments
The applications to be used are presented and the environment is set up for the tests to be carried out later.

GeneXus & ASVS Mobile
The items to be addressed are as follows:
·       V1 – Architecture, design and threat modelling requirements
·       V2 – Data storage and privacy requirements
·       V3 – Cryptography requirements
·       V4 – Authentication and session management requirements
·       V5 – Network communication requirements
·       V6 – Environmental interaction requirements
·       V7 – Code quality and build setting requirements
·       V8 – Reverse engineering resilience requirements

Material:
The course material will be delivered in digital format to all participants.
The working environment will be provided for the course and will contain the following elements:
·       GeneXus and Knowledge Bases with exercises
·       Application generated based on the Knowledge Base
·       Android emulator
·       Support tools (OWASP ZAP)
The test environment will not be handed over to participants; it will be used exclusively for teaching the course.

[1] https://github.com/OWASP/owasp-masvs/releases

For more information: