Course description
Lack of input validation is the single most commonly cited mistake that mobile app developers make. Corrupt or manipulated input lies at the root of most malicious hacking exploits. As a mobile app developer, you need to know how to defend your app and the user’s data from attack. In this course, you will learn which characters can be misinterpreted as commands and how to render those characters harmless. You will practice using input sanitization techniques including regular expressions. You’ll defend against SQL injection, understand the larger scope of cross-site scripting, cross-site request forgeries and cross-app scripting. You will also learn how to defend against unexpected attack vectors such as QR codes and deserialized JSON objects. Finally, you will learn about validating input in forms.

Syllabus
Understanding Input Risks
Video — 00:14:59
In this lesson, we discuss trusted and untrusted data sources, as well as trust boundaries for an app.
Autocompletion
Video — 00:13:34
In this lesson, we discuss how to use autofill and autocorrect in our app.
Autocompletion, Part 2
Video — 00:09:13
In this lesson, we discuss autofill hints and SMS one-time-code autofill.
Activity: Securing autocompletion
Video — 00:04:30
In this activity, we practice securing autocompletion in our app.
Special characters
Video — 00:11:04
In this lesson, we discuss special characters, escaped characters, string literals and raw strings in Kotlin.
Special characters, Part 2
Video — 00:06:03
In this lesson, we discuss incorporating Unicode characters in our strings.
Activity: Using special characters
Video — 00:11:25
In this activity, we practice using special characters.
Null safety
Video — 00:12:17
In this lesson, we discuss what null values and null pointer exceptions are. We learn how to check for nulls and make variables nullable.
Null safety, Part 2: Safe call operator
Video — 00:04:41
In this lesson, we learn how to use the Kotlin safe call operator.
Null safety, Part 3: Not null operator
Video — 00:03:35
In this lesson, we learn how to use the Kotlin not null operator.
Null safety, Part 4: Elvis operator
Video — 00:07:00
In this lesson, we learn how to use the Kotlin Elvis operator.
Null safety, Part 5: Safe cast/unsafe cast operators
Video — 00:07:57
In this lesson, we learn how to use the Kotlin safe cast/unsafe cast operators.
Null safety, Part 6: Smart cast
Video — 00:08:55
In this lesson, we learn what Kotlin smart cast is and how to use it.
Activity: Implementing null safety
Video — 00:11:35
In this activity, we implement what we have learned about null safety.
Activity: Implementing null safety, Part 2
Video — 00:13:18
We continue our activity implementing null safety.
Activity: Implementing null safety, Part 3
Video — 00:15:15
We conclude our activity implementing null safety.
String interpolation
Video — 00:11:02
In this lesson, we learn what string interpolation is and how to use it in our code.
Activity: Understanding string interpolation
Video — 00:15:08
In this activity, we implement string interpolation.
Format string attacks
Video — 00:07:42
In this lesson, we examine format strings and how they can be manipulated in an attack.
Regular expressions
Video — 00:14:04
In this lesson, we explore regular expressions.
Regular expressions, Part 2
Video — 00:06:26
We continue with our lesson on regular expressions.
Activity: Working with regular expressions
Video — 00:14:01
In this activity, we practice using regular expressions.
Activity: Working with regular expressions, Part 2
Video — 00:10:03
We continue our practice with regular expressions.
Activity: Validating input with regular expressions
Video — 00:14:56
In this activity, we use regular expressions to validate user input in our app.
Input sanitization
Video — 00:07:04
In this lesson, we discuss input sanitization.
Activity: Sanitizing input
Video — 00:03:51
In this activity, we practice sanitizing input.
Activity: Clamping input to a range
Video — 00:05:16
In this activity, we continue practicing input sanitization by clamping input to a range.
Kotlin filter and trim
Video — 00:06:35
In this lesson, we learn how to use the Kotlin filter() and trim() functions to limit output.
Activity: Filtering and trimming input
Video — 00:09:49
In this activity, we practice using Kotlin filter() and trim().
Cross-site attacks
Video — 00:14:13
In this lesson, we learn about cross-site scripting and cross-site request forgery attacks.
Activity: Exploring cross-site scripting
Video — 00:10:08
In this activity, we examine the impact of a cross-site scripting attack on a website.
Cross-app scripting
Video — 00:04:42
In this lesson, we learn what cross-app scripting is and how to protect against it.
Activity: Defending against cross-app scripting
Video — 00:09:00
In this activity, we protect our app from cross-app scripting.
Code tampering and injection
Video — 00:07:07
In this lesson, we learn what code injection is and how to avoid it.
Code tampering and injection, Part 2
Video — 00:10:35
We continue our lesson on code injection by examining SQL injection, directory traversal and poison null bytes.
Code tampering and injection, Part 3
Video — 00:11:37
We conclude our lesson on code injection by learning how to replace unsafe characters, identify scripting in HTML and examine the risks associated with QR codes.
Activity: Filtering a malicious QR code
Video — 00:08:57
In this activity, we protect a QR code reader from malicious input.
Activity: Filtering a malicious QR code, Part 2
Video — 00:03:59
We conclude our activity of protecting our QR code reader app.
SQL injection
Video — 00:14:24
In this lesson, we learn about SQL injection and how to protect our app from it.
SQL stored procedures
Video — 00:04:55
In this lesson, we learn about SQL stored procedures and how they can be used to protect against SQL injection.
Object deserialization
Video — 00:04:48
In this lesson, we learn what object serialization/deserialization is and how it can pose security risks for our app.
Object deserialization, Part 2
Video — 00:04:25
We continue our discussion of object deserialization, how to protect against unsafe deserialization and how to use Google Gson to parse JSON objects.
Activity: Protecting JSON with an API key
Video — 00:16:17
In this activity, we use an API key to protect JSON input.
Activity: Protecting JSON with an API key, Part 2
Video — 00:04:48
We continue with our activity of using an API key to protect JSON.
Form validation
Video — 00:12:12
In this lesson, we learn how to use regex to validate form input.
Form validation, Part 2
Video — 00:09:37
We continue with our form validation discussion, using regex to validate email addresses.
Form validation, Part 3
Video — 00:06:29
We conclude our form validation lesson, learning how to validate passwords and phone numbers with regex. We also learn how to use Android's built-in patterns to validate form input.
WebView vulnerabilities
Video — 00:11:34
In this lesson, we learn about Android WebView and how to protect our app from SSL errors.
WebView vulnerabilities, Part 2
Video — 00:10:14
We continue our exploration of WebView, including protecting against malicious JavaScript. We are also introduced to Google Safe Browsing.
Activity: Securing Android WebView
Video — 00:11:53
In this activity, we practice protecting our WebView app.
Activity: Validating form input
Video — 00:13:29
Activity: Validating form input, Part 2
Video — 00:04:36
We continue our activity of validating form input.

Meet the author
Chrys Thorsen is a technology and education consultant with 25 years of experience. Her work has taken her around the U.S. and overseas, including as a contractor for the CDC using technology to help fight HIV/AIDS in Africa.
During her career, she has acquired 40 IT certifications, authored over 25 textbooks on a wide range of IT subjects, including secure iOS and Android coding, and created an equal number of IT-related video courses. When not working, Chrys enjoys reading scientific articles and experimenting with Internet-of-Things devices. She currently lives in Virginia with her sister, her cat and her dog which, as she describes it, “have the worst sibling rivalry imaginable.”
Associated NICE Work Roles
All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.
- Cyber Operator
- Law Enforcement / Counterintelligence Forensics Analyst
- Cyber Defense Forensics Analyst