
Input Validation

Now that you understand the need for mobile app security, you should learn how to implement the most fundamental security mechanism of all: input validation.

Syllabus

  • Format string attack, part 2 Video — 00:08:38
    • In this segment, we continue our study of format strings in Swift.

  • Null bytes Video — 00:07:27
  • Special characters, Part 2 Video — 00:07:28
    • In this segment, we continue our exploration of Swift 5.1 raw strings. We also examine what Unicode scalar values are and list how to deal with unsafe characters.

  • Activity: Value clamping with a property wrapper Video — 00:06:48
    • In this activity, we continue to practice with property wrappers to clamp values to upper and lower boundaries.

  • Activity: Disabling AutoCorrection Video — 00:10:53
    • In this activity, we practice disabling autocorrection in Swift.

  • Property wrappers Video — 00:09:27
    • In this segment, we learn about the new Swift 5.1 feature called property wrappers. We learn how to use property wrappers to clamp values, trim whitespace and newlines and sanitize input.

  • Understanding input risks Video — 00:14:13
    • In this segment, we learn the difference between trusted and untrusted data, as well as how to identify and diagram trust boundaries both within and outside our app.

  • Activity: Sanitizing input Video — 00:10:44
    • In this activity, we practice sanitization of various text input fields in our Swift mobile app.

  • Activity: Protecting users against insecure UIWebView Video — 00:10:44
    • In this segment, we test the UIWebView vulnerability for ourselves.

  • Activity: Installing Alamofire and SwiftyJSON pods Video — 00:03:36
    • In this activity, we learn how to use CocoaPods to install the external libraries we will use to work with JSON.

  • Activity: Regular expressions, part 2 Video — 00:06:53
    • In this activity, we continue with our Swift playground to match international phone numbers, URLs and emails.

  • Activity: Securely working with JSON, part 2 Video — 00:09:23
    • In this activity, we continue with the previous app to learn about the underlying mechanism of using an API key to make a call to a server and how to utilize it in our app.

  • SQL injection, part 2 Video — 00:04:13
    • In this segment, we examine server-side SQL stored procedures as another mechanism to protect against SQL injection.

  • Input sanitization – Regular expressions, part 2 Video — 00:06:59
    • In this segment, we conclude our study of regular expressions, including examining some practical examples used in Swift.

  • Activity: Filtering a malicious QR code, part 2 Video — 00:05:31
    • In this activity, we conclude our exercise into filtering malicious content from a QR code.

  • Input sanitization Video — 00:12:42
    • In this segment, we learn what input sanitization is and how to achieve it using the filter() method and regular expressions in Swift.

  • Code injection Video — 00:14:51
  • Format string attack, part 3 Video — 00:06:49
    • In this segment, we learn how format strings can be abused by attackers. We examine the most common NSString parameters that are used in format string attacks. We also learn which C, Core Foundation and Cocoa functions are the most vulnerable to format string attacks.

  • Cross-site attacks Video — 00:12:08
    • In this segment, we learn about cross-site scripting and cross-site request forgery attacks, and how to protect against them.

  • Format string attack Video — 00:07:58
    • In this segment, we learn what format strings are and work with examples in Swift.

  • Activity: Sanitizing input with a property wrapper Video — 00:07:18
    • In this activity, we continue to work with property wrappers to sanitize input.

  • Special characters Video — 00:14:23
    • In this segment, we examine what special characters are and the risk they pose when included in an input string. We also learn about string literals in Swift and how to escape special characters. We are also introduced to raw string examples in Swift 5.1.

  • Activity: Trimming whitespace and newlines with a property wrapper Video — 00:06:38
    • In this activity, we use a Swift playground to practice using property wrappers to trim out whitespaces and newlines.

  • AutoCorrect and AutoFill Video — 00:10:43
    • In this segment, we examine the specific risks associated with iOS autocorrection and autofill, and how to programmatically address those risks.

  • Activity: Sanitizing input, part 2 Video — 00:13:45
    • In this activity, we continue working with input sanitization in our mobile app.

  • Activity: Securely working with JSON Video — 00:12:49
    • In this activity, we learn how to deserialize incoming data from a server and display it in our app.

  • Activity: Regular expressions, part 3 Video — 00:07:31
    • In this activity, we continue with our Swift playground to test US Social Security numbers and number formats for popular credit cards.

  • WebView protection Video — 00:04:48
    • In this segment, we study the infamous UIWebView vulnerability, including full code and results of the exploit. We also discuss how to protect against the UIWebView vulnerability.

  • Object deserialization Video — 00:07:20
    • In this segment, we learn what it means to serialize and deserialize an object from Swift to JSON. We learn about the risks of deserialization and how to protect against those risks.

  • Activity: Regular expressions Video — 00:08:17
    • In this activity, we use a Swift playground with NSPredicate to test various regex filters to match password requirements and US/Canada phone numbers.

  • SQL injection Video — 00:11:04
    • In this segment, we learn about SQL injection, including the basics of the SQL language and the code involved in a SQL injection exploit. We learn how to mitigate this risk in SQLite by parameterizing queries.

  • Input sanitization – Regular expressions Video — 00:08:18
    • In this segment, we continue our study of how to use regular expressions, including escaping characters and practical everyday examples.

  • Activity: Filtering a malicious QR code Video — 00:12:11
    • In this activity, we work with the original malicious QR code responsible for exploiting the notorious iOS 11 camera app vulnerability. We learn how to filter malicious content from a QR code, thus rendering the exploit harmless.

  • Activity: Playing with format strings Video — 00:09:53
    • In this activity, we practice working with format strings in Swift.

  • Activity: Exploring XSS attacks Video — 00:10:10
    • In this activity, we explore the mechanisms of cross-site scripting and the potential damage it can cause.


Course description

Lack of input validation is the single most commonly cited mistake that mobile app developers make. Corrupt or manipulated input lies at the root of most malicious hacking exploits. As a mobile app developer, you need to know how to defend your app and the user’s data from attack. In this course you will learn which characters can be misinterpreted as commands, and how to render those characters harmless. You will practice using a number of input sanitization techniques, including regular expressions and Swift functions. You’ll defend against SQL injection, understand the larger scope of cross-site scripting and cross-site request forgery, and validate the identity of a website API whose content your app consumes. You will also learn how to defend against unexpected attack vectors such as QR codes and deserialized JSON objects.

You're in good company


We use Infosec Skills to provide continuous training to our technicians and to prepare them for various certifications. Infosec Skills allows us to create personalized training programs that focus on each of our technicians’ particular roles and see their progress as they take courses. We also recommend it to clients to make their IT support teams better.

Caleb Yankus


This has been utilized to bridge the skills gap across our cyber team and to aid them as they prepare for their various certifications. It also has provided a nice learning foundation for our various cyber team members to utilize as we continue to find ways for cross-utilization with operations while minimizing the downtime needed to ensure everyone’s knowledge is the same.

Daniel Simpson


We use Infosec Skills to provide base-level knowledge for employees. We also use the services to provide in-depth learning for employees as they encounter new technologies. If an employee is assigned to a new project, we can rely on Infosec Skills to provide a rapid, concentrated learning environment. This rapid, concentrated learning positions our employees for success.

Infosec Skills Teams client

Plans & pricing

  • Infosec Skills Personal

    $299 / year

    • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
    • 100s of hands-on labs in cloud-hosted cyber ranges
    • Custom certification practice exams (e.g., CISSP, Security+)
    • Skill assessments
    • Infosec peer community support
  • Infosec Skills Teams

    $799 per license / year

    • Team administration and reporting
    • Dedicated client success manager
    • Single sign-on (SSO)
      Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
    • Integrations via API
      Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
    • 190+ role-guided learning paths and assessments (e.g., Incident Response)
    • 100s of hands-on labs in cloud-hosted cyber ranges
    • Create and assign custom learning paths
    • Custom certification practice exams (e.g., CISSP, CISA)
    • Optional upgrade: Guarantee team certification with live boot camps

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments

Award-winning training that you can trust

Comprehensive Cybersecurity Training - Infosec Skills
Cybersecurity Education and Training Gold Award - Infosec IQ
Top Rated Award - Infosec Skills
2021 G2 Summer - Leader - Tech Skills Dev, Online Course, eLearning Content
Top 20 Company - Online Learning Library