
Behind The Mask


Reviewing on the current security posture of the White House Android app. (OWASP Saitama MTG #31, talk #1)


Takahiro Yoshimura

April 20, 2026


Transcript

  1. BEHIND THE MASK 2026.04.20 OWASP SAITAMA MTG #31, TALK #1 “Masquerade” by James O'Gorman, CC BY-SA 2.0
  2. BACKGROUND ▸ ઌ೔ग़͖ͯͨϗϫΠτϋ΢εΞϓϦʹ͍ͭͯ ղੳ͕ͪΒ΄Βग़͖͍ͯͯΔ (3/28ʙ) ▸ https://thereallo.dev/blog/decompiling-the-white-house-app etc. ▸ ؾʹͳΔ͜ͱ͕গʑ ▸ Ґஔ৘ใͷఆظ௥੻ͩͱ͔ ▸ มͳୈࡾऀͷϖʔδΛద౰ʹ࢖͍ͬͯΔͩͱ͔ ▸ ࣄ࣮ͩͱ͢Δͱ͔ͳΓ໰୊ →࣮ࡍͷͱ͜ΖͲ͏ͳͷ͔ʁ
  3. WHAT I DO ▸ Security research and development ▸ iOS/Android Apps →Financial, Games, IoT related, etc. (>200) →trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017] ▸ Windows/Mac/Web/HTML5 Apps →POS, RAD tools etc. ▸ Network/Web penetration testing →PCI-DSS etc. ▸ Search engine reconnaissance (a.k.a. Google Hacking) ▸ Whitebox testing ▸ Forensic analysis
  4. WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸ METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ ൃදɾߨԋͳͲ DEF CON 25 Demo Labs (2017) DEF CON 27 AI Village (2019) CODE BLUE (2017, 2019) CYDEF (2020) etc. “DEFCON 2016” by Wiyre Media, CC BY 2.0
  5. TOOLKIT ▸ ੩తղੳΛߦͳ͓͏… ▸ Trueseeing 2.2.8+ (alterakey et al.) https://github.com/alterakey/trueseeing ▸ hermes_rs (Pilfer et al.) https://github.com/Pilfer/hermes_rs “img_7589” by Michael Hicks, CC BY 2.0
  6. OVERVIEW ▸ Android൛: ReactNative ▸ API 24Ҏ߱ͷΈ: declarative TLS pinning ▸ ύʔϛογϣϯ: ଟ͍͕badgeܥ ▸ ௥੻: Firebase, Onesignal ▸ एׯͷrootedݕ஌: /xbin/su ͳͲ
  7. THE APP LOGIC ▸ ΞϓϦͷϩδοΫ: Bundled Hermes /assets/index.android.bundle ▸ Bundled Hermes: ReactNative 0.69 ͔Βಋೖ͞ Εͨ৽͍͠όΠφϦܗࣜ →hermes_rsͰٯΞηϯϒϧͰ͖Δ
  8. IN-APP WEBVIEW ▸ In-app WebView setup ▸ before-content-loadedʹ͓͍ͯJSΛinject ▸ UAِ૷ [1] /ద౰ͳୈࡾऀϖʔδ [2] ΁ͷࢀর͸͋Δɺ ͕… ͦͷ··ભҠ͍ͯ͠ΔΑ͏ʹ͸ݟ͑ͳ͍ ▸ [1] Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 ▸ [2] https://lonelycpp.github.io/react-native-youtube-iframe/iframe_v2.html
  9. TRACKERS ▸ Ґஔ৘ใͷڐՄ͕ͳ͍… ͕ɺ಺෦ΛݟΔͱҐஔ৘ใ Λऔಘ͕͍ͨͬͯ͠ΔՕॴ͕ଟʑ ▸ ಛʹOneSignalɺ܅ͩ (OneSignalLocation etc.) ▸ IMEI΍ANDROID_IDͷऩूϩδοΫ΋࢒Δ (ଟ෼support library͔ΒͷΈͷ࢖༻ͩͱࢥ͏͕…) ▸ ͦ΋ͦ΋manifest΁એݴ͞Ε͍ͯͳ͍ύʔϛογϣ ϯ͸࣮ߦ࣌ʹऔಘͰ͖ͳ͍… →ԿͷͨΊͷίʔυͳͷ͔Ṗ
  10. .. INTEGRITY FAILED ▸ ͕…ύον͢ΔͱઌʹਐΊͳ͍ ▸ PairIP: GoogleʹΑΔΞϓϦอޢϥΠϒϥϦ (Play Integrity APIΫϥΠΞϯτ࣮૷) ▸ ෆਖ਼୺຤؀ڥݕ஌ ▸ Πϯετʔϧݩͷೝূ (API > 30) ▸ վ᜵ݕ஌ →ࠓճ͸͜ΕʹҾֻ͔ͬͬͨܗ
  11. BREAKING PAIRIP ▸ ֎͢… cd disas ͱͨ͠ͷͪ ▸ LicenseClientʹ͓͍ͯҎԼ ※͜ΕͰ֎ΕΔͷ͸͔ͳΓ؁͍ ɾॳظঢ়ଶΛFULL_CHECK_OK (ࡁ) ʹ ɾperformLocalInstallerCheck()Λۭʹ (1) ɾprocessResponse()ͷ಺෦ม਺Λࡁʹ ɾinitializeLicenseCheck()Λۭʹ ▸ ca disas Ͱ࠶ߏங; ࠶౓։͖ xtn;xtx;xpd! “Therapy Dogs” by GCPL, CC BY-NC-ND 2.0
  12. DYNAMIC ANALYSIS ▸ done. τϥϑΟοΫղੳՄೳʹɻ ▸ tracker ▸ firebase ▸ onesignal Ϟσϧ໊, όʔδϣϯ, ΩϟϦΞ, IPΞυϨεͳ Ͳ (※Ґஔ৘ใ͸ͳ͍) ▸ ྫͷୈࡾऀϖʔδΞΫηε͸ݕग़Ͱ͖ͳ͍
  13. MULTIPLE LAYERS OF PINNING ▸ τϥϑΟοΫղੳ͸Ͱ͖ΔΑ͏ʹͳ͕ͬͨશ෦ Ͱ͸ͳ͍ ▸ reactଆͰ΋PinningΛ͍ͯ͠ΔͨΊ (͓ͦΒ͘react-native-ssl-public-key-pinning) →֎ͦ͏… ▸ index.android.bundleʹର͢Δอޢ͸ͳ͍ →௚઀όΠφϦύον͕༗ޮ͕ͩ࣌ؒ੾Ε ※base64(sha256(Public Key Info))
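Slide 6 mentions the declarative TLS pinning available from API 24 (the Android network security config), and slide 13 gives the pin format used both there and by react-native-ssl-public-key-pinning: base64(sha256(Public Key Info)). The following is an added example, not code from the deck or from either project: it walks a certificate's DER far enough to pull out the SubjectPublicKeyInfo, computes the pin string, and renders a matching `network_security_config.xml`. The certificate it runs on is a constructed, unsigned P-256 skeleton (empty issuer and subject, made-up public point, placeholder signature) built inline so the script runs offline; `api.example.com` and `<BACKUP_PIN>` are placeholders.

```python
import base64
import hashlib
from typing import Iterator, List, Tuple

# Minimal DER reader: just enough to walk an X.509 Certificate down to its
# SubjectPublicKeyInfo. Standard library only, so it runs anywhere.

def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, bytes, int]:
    """Read one DER TLV at `off`; return (tag, value, whole_tlv, next_off)."""
    tag, first = buf[off], buf[off + 1]
    hdr, length = 2, first
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], buf[off:end], end

def _children(value: bytes) -> Iterator[Tuple[int, bytes, bytes]]:
    """Yield (tag, value, whole_tlv) for each element of a constructed value."""
    off = 0
    while off < len(value):
        tag, inner, whole, off = _read_tlv(value, off)
        yield tag, inner, whole

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER of the certificate's SubjectPublicKeyInfo (tag+len+value)."""
    tag, cert_body, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tbs_tag, tbs, _ = next(_children(cert_body))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:               # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, _, spki_whole = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_whole

def spki_pin(cert_der: bytes) -> str:
    """base64(sha256(SubjectPublicKeyInfo)): the pin string Android's network
    security config and react-native-ssl-public-key-pinning both expect."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")

def network_security_config(domain: str, pins: List[str], expiration: str) -> str:
    """Render a declarative pin-set (API 24+). Ship at least two pins (leaf or
    intermediate plus a backup) so a key rotation cannot brick the app."""
    pin_xml = "\n".join(f'            <pin digest="SHA-256">{p}</pin>' for p in pins)
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<network-security-config>\n"
        "    <domain-config>\n"
        f'        <domain includeSubdomains="true">{domain}</domain>\n'
        f'        <pin-set expiration="{expiration}">\n'
        f"{pin_xml}\n"
        "        </pin-set>\n"
        "    </domain-config>\n"
        "</network-security-config>\n"
    )

# --- Constructed sample input (not a real certificate) ---------------------

def _der(tag: int, payload: bytes) -> bytes:
    """Tiny DER encoder used only to build the sample certificate below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

_EC_PUBKEY_OID = bytes.fromhex("06072a8648ce3d0201")    # id-ecPublicKey
_P256_OID = bytes.fromhex("06082a8648ce3d030107")       # prime256v1
_ECDSA_SHA256 = _der(0x30, bytes.fromhex("06082a8648ce3d040302"))
_FAKE_POINT = b"\x04" + bytes(range(64))                 # made-up uncompressed point

SAMPLE_SPKI_DER = _der(0x30, _der(0x30, _EC_PUBKEY_OID + _P256_OID)
                       + _der(0x03, b"\x00" + _FAKE_POINT))
# v3 certificate skeleton with empty issuer/subject and a placeholder signature.
SAMPLE_CERT_DER = _der(0x30,
    _der(0x30,
         _der(0xA0, _der(0x02, b"\x02"))                 # version: v3
         + _der(0x02, b"\x01")                           # serialNumber
         + _ECDSA_SHA256                                 # signature algorithm
         + _der(0x30, b"")                               # issuer (empty)
         + _der(0x30, _der(0x17, b"260101000000Z")       # validity
                      + _der(0x17, b"270101000000Z"))
         + _der(0x30, b"")                               # subject (empty)
         + SAMPLE_SPKI_DER)                              # subjectPublicKeyInfo
    + _ECDSA_SHA256
    + _der(0x03, b"\x00" + bytes(64)))                   # placeholder signature

if __name__ == "__main__":
    pin = spki_pin(SAMPLE_CERT_DER)
    print("SPKI pin:", pin)
    print(network_security_config("api.example.com", [pin, "<BACKUP_PIN>"], "2027-01-01"))
```

Against a real certificate, feed `spki_pin()` the DER you get from the server (or from `openssl x509 -outform DER`); the value is the same string you would put in the React Native pinning library's config, which is why the deck found a second pinning layer in the bundle after the manifest-level one was handled. Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets the operator renew a certificate without changing the pin, as long as the key is kept.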
  14. TAKEAWAYS ▸ ϗϫΠτϋ΢εΞϓϦʹ͍ͭͯ ▸ ߋ৽͞Ε͍ͯΔΑ͏ʹݟ͑Δ →dev؀ڥ΁ͷݴٴ͸ͳ͍ →pinningͷ௥Ճ etc. ▸ ݴΘΕΔ΄Ͳͷ͜ͱ͸ͳ͍Α͏ͳؾ͸͢Δ (3/30ʙ) →Ґஔ৘ใͷ௥੻͸ଟ෼ͳ͍ →ୈࡾऀϖʔδͷར༻͸ଟ෼ͳ͍ ▸ ࢖͍ͬͯͯICEͷඪతʹͳͬͨΓͱ͍͏͜ͱ͸ ͔͜͜ΒͰ͸গ͠ߟ͑ʹ͍͕͘…
  15. TAKEAWAYS ▸ ϗϫΠτϋ΢εΞϓϦʹ͍ͭͯ ▸ Ґஔ৘ใͷऔಘ͸ͳ͍ͱ͸͍͑ɺίʔυͷଘࡏҙ ͕͔ٛͳΓṖ →Ұ࣌తͳӅṭ޻࡞ʁՄೳੑ͸௿͍ؾ͸͢Δ͕… ▸ ؾΛ͚͓ͭͯ͘ʹӽͨ͜͠ͱ͸ͳ͍ →IPΞυϨε͔ΒҐஔ͕͋Δఔ౓ਪఆՄೳ →in-app webview͸ಛʹԿΛ͞ΕΔ͔෼͔Βͳ͍ (ແؔ܎ͳϖʔδͰ͋ͬͯ΋JSΛೖΕ͍ͯΔ) “Spying” by kishjar?, CC BY 2.0
  16. FEDERAL AGENCY RULES ▸ EULAʹ͋·Ͷ͘೜ͼ͜Ή։ࣔཁ݅ ▸ tech֤ࣾ΁ྲྀΕ͍ͯΔ৘ใ͸੓෎΁౵ൈ͚ͱࢥͬ ͯࢧোͳ͍ (trackerͳͲ) ▸ CIA΋ۙ೥͸͜ͷลΛ৘ใιʔεʹ ▸ regime͕෗Δͱݖݶ͕ཞ༻͞Ε… (e.g. ICE) ▸ Claude/ChatGPT/GeminiͳͲAIαʔϏε͸Juicy “IMG_3746” by tux0racer, CC BY 2.0