iMAS – iOS Mobile Application Security

Now Available!

iMAS – iOS Mobile Application Security

January 2013

iMAS is a secure iOS application framework research project focused on reducing iOS application vulnerabilities and information loss.

iMAS iOS Mobile Application Security

Now Available – iMAS and its first open source static security controls for download and use in iOS applications. Visit and browse our project to find out more; download and give it a try. Once you do, tell us what you think or better yet, get involved and participate!




iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls.  Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions.  The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications.  iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the System Passcode, jailbreak, debugger / run-time, flash storage, and the system keychain.  Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.  With iMAS, a developer can leverage our research to considerably raise their iOS applications security level in a measured way.
Principal Investigator: Gregg Ganley
Security Research: Shawn Valle

Android Forensics & Security Testing

This is the publicly released slide deck that accompanies a 1-hour webinar that briefed the security (and anti-security) techniques of the Android operating system and applications.

I developed a course, based on my years experience with that platform, and shared my learnings at several public and privately hosted events. Here’s a link to the PDF slide deck from an ITEA (International Test & Evaluation Association) webinar that I hosted.

Android Secure App Development Guidance for DoD

Led research and development of white paper on technical details of developing Android mobile applications with a focus on data security and software assurance. Leveraged emerging guidance from NIST and DISA, for high-assurance.

co-authors: Shawn Valle, Michael Peck

September 30, 2011

Executive Summary

Android applications developed for US Department of Defense (DoD), are required to go through a workflow process to evaluate and test for meeting expected Cyber Security and Information Assurance guidelines. Applications that meet the evaluation guidelines can be permitted into the enterprise application market, known as CAPStore, for user distribution. The following documentation identifies the technical requirements and guidance Android application developers should adhere to when developing applications for DoD.

The details within are technical and security focused, and should be made available to software engineers and IA engineers. The material is organized with a logical flow in mind, initially focusing on application permissions, then into securing code and data, and finally focusing on multiple application interaction.

Android Secure Application Development Guidance_Public_Release