Input validation Course

Now that you understand the need for mobile app security, you should learn how to implement the most fundamental security mechanism of all: input validation.

8 hours, 11 minutes

Course description

Lack of input validation is the single most commonly cited mistake that mobile app developers make. Corrupt or manipulated input lies at the root of most malicious hacking exploits. As a mobile app developer, you need to know how to defend your app and the user's data from attack. In this course, you will learn which characters can be misinterpreted as commands and how to render those characters harmless. You will practice using input sanitization techniques including regular expressions. You'll defend against SQL injection, understand the larger scope of cross-site scripting, cross-site request forgeries and cross-app scripting. You will also learn how to defend against unexpected attack vectors such as QR codes and deserialized JSON objects. Finally, you will learn about validating input in forms.

Syllabus

Activity: Validating form input, Part 2

Video - 00:05:00

We continue our activity of validating form input.

Activity: Validating form input

Video - 00:13:00

Activity: Securing Android WebView

Video - 00:12:00

In this activity, we practice protecting our WebView app.

WebView vulnerabilities, Part 2

Video - 00:10:00

We continue our exploration of WebView, including protecting against malicious JavaScript. We are also introduced to Google Safe Browsing.

WebView vulnerabilities

Video - 00:12:00

In this lesson, we learn about Android WebView and how to protect our app from SSL errors.

Form validation, Part 3

Video - 00:06:00

We conclude our form validation lesson, learning how to validate passwords and phone numbers with regex. We also learn how to use Android built-in patterns to validate form input.

Form validation, Part 2

Video - 00:10:00

We continue with our form validation discussion, using regex to validate email addresses.

Form validation

Video - 00:12:00

In this lesson, we learn how to use regex to validate form input.

Activity: Protecting JSON with an API key, Part 2

Video - 00:05:00

We continue with our activity of using an API key to protect JSON.

Activity: Protecting JSON with an API key

Video - 00:16:00

In this activity, we use an API key to protect JSON input.

Object deserialization, Part 2

Video - 00:04:00

We continue our discussion of object deserialization, how to protect against deserialization attacks and how to use Google Gson to parse JSON objects.

Object deserialization

Video - 00:05:00

In this lesson, we learn what object serialization/deserialization is and how it can pose security risks for our app.

SQL stored procedures

Video - 00:05:00

In this lesson, we learn about SQL stored procedures and how they can be used to protect against SQL injection.

SQL injection

Video - 00:14:00

In this lesson, we learn about SQL injection and how to protect our app from it.

Activity: Filtering a malicious QR code, Part 2

Video - 00:04:00

We conclude our activity of protecting our QR code reader app.

Activity: Filtering a malicious QR code

Video - 00:09:00

In this activity, we protect a QR code reader from malicious input.

Code tampering and injection, Part 3

Video - 00:12:00

We conclude our lesson on code injection by learning how to replace unsafe characters, identify scripting in HTML and examine the risks associated with QR codes.

Code tampering and injection, Part 2

Video - 00:11:00

We continue our lesson on code injection by examining SQL injection, directory traversal and poison null bytes.

Code tampering and injection

Video - 00:07:00

In this lesson, we learn what code injection is and how to avoid it.

Activity: Defending against cross-app scripting

Video - 00:09:00

In this activity, we protect our app from cross-app scripting.

Cross-app scripting

Video - 00:05:00

In this lesson, we learn what cross-app scripting is and how to protect against it.

Activity: Exploring cross-site scripting

Video - 00:10:00

In this activity, we examine the impact of a cross-site scripting attack on a website.

Cross-site attacks

Video - 00:14:00

In this lesson, we learn about cross-site scripting and cross-site request forgery attacks.

Activity: Filtering and trimming input

Video - 00:10:00

In this activity, we practice using Kotlin filter() and trim().

Kotlin filter and trim

Video - 00:07:00

In this lesson, we learn how to use the Kotlin filter() and trim() functions to limit output.

Activity: Clamping input to a range

Video - 00:05:00

In this activity, we continue practicing input sanitization by clamping input to a range.

Activity: Sanitizing input

Video - 00:04:00

In this activity, we practice sanitizing input.

Input sanitization

Video - 00:07:00

In this lesson, we discuss input sanitization.

Activity: Validating input with regular expressions

Video - 00:15:00

In this activity, we use regular expressions to validate user input in our app.

Activity: Working with regular expressions, Part 2

Video - 00:10:00

We continue our practice with regular expressions.

Activity: Working with regular expressions

Video - 00:14:00

In this activity, we practice using regular expressions.

Regular expressions, Part 2

Video - 00:06:00

We continue with our lesson on regular expressions.

Regular expressions

Video - 00:14:00

In this lesson, we explore regular expressions.

Format string attacks

Video - 00:08:00

In this lesson, we examine format strings and how they can be manipulated in an attack.

Activity: Understanding string interpolation

Video - 00:15:00

In this activity, we implement string interpolation.

String interpolation

Video - 00:11:00

In this lesson, we learn what string interpolation is and how to use it in our code.

Activity: Implementing null safety, Part 3

Video - 00:15:00

We conclude our activity implementing null safety.

Activity: Implementing null safety, Part 2

Video - 00:13:00

We continue our activity implementing null safety.

Activity: Implementing null safety

Video - 00:12:00

In this activity, we implement what we have learned about null safety.

Null safety, Part 6: Smart cast

Video - 00:09:00

In this lesson, we learn what Kotlin smart cast is and how to use it.

Null safety, Part 5: Safe cast/unsafe cast operators

Video - 00:08:00

In this lesson, we learn how to use the Kotlin safe cast/unsafe cast operators.

Null safety, Part 4: Elvis operator

Video - 00:07:00

In this lesson, we learn how to use the Kotlin Elvis operator.

Null safety, Part 3: Not-null operator

Video - 00:04:00

In this lesson, we learn how to use the Kotlin not-null operator.

Null safety, Part 2: Safe call operator

Video - 00:05:00

In this lesson, we learn how to use the Kotlin safe call operator.

Null safety

Video - 00:12:00

In this lesson, we discuss what null values and null pointer exceptions are. We learn how to check for nulls and make variables nullable.

Activity: Using special characters

Video - 00:11:00

In this activity, we practice using special characters.

Special characters, Part 2

Video - 00:06:00

In this lesson, we discuss incorporating Unicode characters in our strings.

Special characters

Video - 00:11:00

In this lesson, we discuss special characters, escaped characters, string literals and raw strings in Kotlin.

Activity: Securing autocompletion

Video - 00:05:00

In this activity, we practice securing autocompletion in our app.

Autocompletion, Part 2

Video - 00:09:00

In this lesson, we discuss autofill hints and SMS one-time-code autofill.

Autocompletion

Video - 00:14:00

In this lesson, we discuss how to use autofill and autocorrect in our app.

Understanding input risks

Video - 00:15:00

In this lesson, we discuss trusted and untrusted data sources, as well as trust boundaries for an app.

Meet the author

Chrys Thorsen

Chrys Thorsen is a technology and education consultant with 25 years of experience. Her work has taken her around the U.S. and overseas, including as a contractor for the CDC using technology to help fight HIV/AIDS in Africa.

During her career, she has acquired 40 IT certifications, authored over 25 textbooks on a wide range of IT subjects, including secure iOS and Android coding, and created an equal number of IT-related video courses. When not working, Chrys enjoys reading scientific articles and experimenting with Internet-of-Things devices. She currently lives in Virginia with her sister, her cat and her dog which, as she describes it, "have the worst sibling rivalry imaginable."

Associated NICE Work Roles

All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.

  • Cyber Operator
  • Law Enforcement / Counterintelligence Forensics Analyst
  • Cyber Defense Forensics Analyst
