Course

Input validation

Now that you understand the need for mobile app security, you should learn how to implement the most fundamental security mechanism of all: input validation.

8 hours, 11 minutes 52 videos

Start Free Trial

Course description

Lack of input validation is the single most commonly cited mistake that mobile app developers make. Corrupt or manipulated input lies at the root of most malicious hacking exploits. As a mobile app developer, you need to know how to defend your app and the user’s data from attack. In this course, you will learn which characters can be misinterpreted as commands and how to render those characters harmless. You will practice using input sanitization techniques including regular expressions. You’ll defend against SQL injection, understand the larger scope of cross-site scripting, cross-site request forgeries and cross-app scripting. You will also learn how to defend against unexpected attack vectors such as QR codes and deserialized JSON objects. Finally, you will learn about validating input in forms.

Syllabus

Understanding Input Risks

Video — 00:14:59

In this lesson, we discuss trusted and untrusted data sources, as well as trust boundaries for an app.

Autocompletion

Video — 00:13:34

In this lesson, we discuss how to use autofill and autocorrect in our app.

Autocompletion, Part 2

Video — 00:09:13

In this lesson, we discuss autofill hints and SMS one-time-code autofill.

Activity: Securing autocompletion

Video — 00:04:30

In this activity, we practice securing autocompletion in our app.

Special characters

Video — 00:11:04

In this lesson, we discuss special characters, escaped characters, string literals and raw strings in Kotlin.

Special characters, Part 2

Video — 00:06:03

In this lesson, we discuss incorporating Unicode characters in our strings.

Activity: Using special characters

Video — 00:11:25

In this activity, we practice using special characters.

Null safety

Video — 00:12:17

In this lesson, we discuss what null values and null pointer exceptions are. We learn how to check for nulls and make variables nullable.

Null safety, Part 2: Safe call operator

Video — 00:04:41

In this lesson, we learn how to use the Kotlin safe call operator.

Null safety, Part 3: Not null operator

Video — 00:03:35

In this lesson, we learn how to use the Kotlin not null operator.

Null safety, Part 4: Elvis operator

Video — 00:07:00

In this lesson, we learn how to use the Kotlin Elvis operator.

Null safety, Part 5: Safe cast/unsafe cast operators

Video — 00:07:57

In this lesson, we learn how to use the Kotlin safe cast/unsafe cast operators.

Null safety, Part 6: Smart cast

Video — 00:08:55

In this lesson, we learn what Kotlin smart cast is and how to use it.

Activity: Implementing null safety

Video — 00:11:35

In this activity, we implement what we have learned about null safety.

Activity: Implementing null safety, Part 2

Video — 00:13:18

We continue our activity implementing null safety.

Activity: Implementing null safety, Part 3

Video — 00:15:15

We conclude our activity implementing null safety.

String interpolation

Video — 00:11:02

In this lesson, we learn what string interpolation is and how to use it in our code.

Activity: Understanding string interpolation

Video — 00:15:08

In this activity, we implement string interpolation.

Format string attacks

Video — 00:07:42

In this lesson, we examine format strings and how they can be manipulated in an attack.

Regular expressions

Video — 00:14:04

In this lesson, we explore regular expressions.

Regular expressions, Part 2

Video — 00:06:26

We continue with our lesson on regular expressions.

Activity: Working with regular expressions

Video — 00:14:01

In this activity, we practice using regular expressions.

Activity: Working with regular expressions, Part 2

Video — 00:10:03

We continue our practice with regular expressions.

Activity: Validating input with regular expressions

Video — 00:14:56

In this activity, we use regular expressions to validate user input in our app.

Input sanitization

Video — 00:07:04

In this lesson, we discuss input sanitization.

Activity: Sanitizing input

Video — 00:03:51

In this activity, we practice sanitizing input.

Activity: Clamping input to a range

Video — 00:05:16

In this activity, we continue practicing input sanitization by clamping input to a range.

Kotlin filter and trim

Video — 00:06:35

In this lesson, we learn how to use the Kotlin filter() and trim() functions to limit output.

Activity: Filtering and trimming input

Video — 00:09:49

In this activity, we practice using Kotlin filter() and trim().

Cross-site attacks

Video — 00:14:13

In this lesson, we learn about cross-site scripting and cross-site request forgery attacks.

Activity: Exploring cross-site scripting

Video — 00:10:08

In this activity, we examine the impact a cross-site scripting attack on a website.

Cross-app scripting

Video — 00:04:42

In this lesson, we learn what cross-app scripting is and how to protect against it.

Activity: Defending against cross-app scripting

Video — 00:09:00

In this activity, we protect our app from cross-app scripting.

Code tampering and injection

Video — 00:07:07

In this lesson, we learn what code injection is and how to avoid it.

Code tampering and injection, Part 2

Video — 00:10:35

We continue our lesson on code injection by examining SQL injection, directory traversal and poison null bytes.

Code tampering and injection, Part 3

Video — 00:11:37

We conclude our lesson on code injection by learning how to replace unsafe characters, identify scripting in HTML and examining the risks associated with QR codes.

Activity: Filtering a malicious QR code

Video — 00:08:57

In this activity, we protect a QR code reader from malicious input.

Activity: Filtering a malicious QR code, Part 2

Video — 00:03:59

We conclude our activity of protecting our QR code reader app.

SQL injection

Video — 00:14:24

In this lesson, we learn about SQL injection and how to protect our app from it.

SQL stored procedures

Video — 00:04:55

In this lesson, we learn about SQL stored procedures and how they can be used to protect against SQL injection.

Object deserialization

Video — 00:04:48

In this lesson, we learn what object serialization/deserialization is and how it can pose security risks for our app.

Object deserialization, Part 2

Video — 00:04:25

We continue with our discussion of object deserialization, how to protect against it and how to use Google Gson to parse JSON objects.

Activity: Protecting JSON with an API key

Video — 00:16:17

In this activity, we use an API key to protect JSON input.

Activity: Protecting JSON with an API key, Part 2

Video — 00:04:48

We continue with our activity of using an API key to protect JSON.

Form validation

Video — 00:12:12

In this lesson, we learn how to use regex to validate form input.

Form validation, Part 2

Video — 00:09:37

We continue with our form validation discussion, using regex to validate email addresses.

Form validation, Part 3

Video — 00:06:29

We conclude our form validation lesson, learning how to validate passwords and phone numbers with regex. We also learn how to use Android built-in patterns to validate form input.

WebView vulnerabilities

Video — 00:11:34

In this lesson, we learn about Android WebView and how to protect our app from SSL errors.

WebView vulnerabilities, Part 2

Video — 00:10:14

We continue our exploration of WebView, including protecting against malicious JavaScript. We are also introduced to Google Safe Browsing.

Activity: Securing Android WebView

Video — 00:11:53

In this activity, we practice protecting our WebView app.

Activity: Validating form input

Video — 00:13:29

Activity: Validating form input, Part 2

Video — 00:04:36

We continue our activity of validating form input.

Meet the author

Chrys Thorsen is a technology and education consultant with 25 years of experience. Her work has taken her around the U.S. and overseas, including as a contractor for the CDC using technology to help fight HIV/AIDS in Africa.

During her career, she has acquired 40 IT certifications, authored over 25 textbooks on a wide range of IT subjects, including secure iOS and Android coding, and created an equal number of IT-related video courses. When not working, Chrys enjoys reading scientific articles and experimenting with Internet-of-Things devices. She currently lives in Virginia with her sister, her cat and her dog which, as she describes it, “have the worst sibling rivalry imaginable.”

Learn More

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments
Start Free Trial

Associated NICE Work Roles

All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.

  • Cyber Operator
  • Law Enforcement / Counterintelligence Forensics Analyst
  • Cyber Defense Forensics Analyst

You're in good company

CY

We use Infosec Skills to provide continuous training to our technicians and to prepare them for various certifications. Infosec Skills allows us to create personalized training programs that focus on each of our technicians’ particular roles and see their progress as they take courses. We also, recommend it to clients to make their IT support teams better.

Caleb Yankus

DS

This has been utilized to bridge the skills gap across our cyber team and to aid them as they prepare for their various certifications. It also has provided a nice learning foundation for our various cyber team members to utilize as we continue to find ways for cross-utilization with operations while minimizing the downtime needed to ensure everyone’s knowledge is the same.

Daniel Simpson

IS

We use Infosec Skills to provide base level knowledge for employees. We also use the services to provide in depth learning for employees as they encounter new technologies. If an employee is is assigned to a new project, we can rely on Infosec Skills to provide a rapid concentrated learning environment. This rapid concentrated learning positions our employees for success.

Infosec Skills Teams client

Plans & pricing

  • Infosec Skills Personal

    $299 / year
    Buy Now 7-Day Free Trial
    • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
    • 100s of hands-on labs in cloud-hosted cyber ranges
    • Custom certification practice exams (e.g., CISSP, Security+)
    • Skill assessments
    • Infosec peer community support

  • Infosec Skills Teams

    $799 per license / year
    Book a Meeting
    • Team administration and reporting
    • Dedicated client success manager
    • Single sign-on (SSO)
      Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
    • Integrations via API
      Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
    • 190+ role-guided learning paths and assessments (e.g., Incident Response)
    • 100s of hands-on labs in cloud-hosted cyber ranges
    • Create and assign custom learning paths
    • Custom certification practice exams (e.g., CISSP, CISA)
    • Optional upgrade: Guarantee team certification with live boot camps

Award-winning training that you can trust

Comprehensive Cybersecurity Training - Infosec Skills
Cybersecurity Education and Training Gold Award - Infosec IQ
Top Rated Award - Infosec Skills
Technical Skills Development - Small Business, Mid-Market
Top 20 Online Learning Library