Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
0
140
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
380
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1.1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
210
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1.1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.5k
Shifting Left Like a Boss
owaspjapan
2
330
OWASP Top 10 and Your Web Apps
owaspjapan
2
410
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
280
elegance_of_OWASP_Top10_2017
owaspjapan
2
560
Other Decks in Technology
See All in Technology
生成AI活用でQAエンジニアにどのような仕事が生まれるか/Support Required of QA Engineers for Generative AI
goyoki
1
300
ガバメントクラウドにおけるAWSの長期継続割引について
takeda_h
2
5.4k
visionOS 開発向けの MCP / Skills をつくり続けることで XR の探究と学習を最大化
karad
1
980
バクラク最古参プロダクトで重ねた技術投資を振り返る
ypresto
0
180
Kiro Powers 入門
k_adachi_01
0
120
スケールアップ企業でQA組織が機能し続けるための組織設計と仕組み〜ボトムアップとトップダウンを両輪としたアプローチ〜
tarappo
1
200
Goのerror型がシンプルであることの恩恵について理解する
yamatai1212
1
250
形式手法特論:SMT ソルバで解く認可ポリシの静的解析 #kernelvm / Kernel VM Study Tsukuba No3
ytaka23
1
610
脳内メモリ、思ったより揮発性だった
koutorino
0
390
AI時代のSaaSとETL
shoe116
1
190
VPCエンドポイント意外とお金かかるなぁ。せや、共有したろ!
tommy0124
1
710
アーキテクチャモダナイゼーションを実現する組織
satohjohn
1
1.1k
Featured
See All Featured
Public Speaking Without Barfing On Your Shoes - THAT 2023
reverentgeek
1
340
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
130
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Marketing Yourself as an Engineer | Alaka | Gurzu
gurzu
0
150
Abbi's Birthday
coloredviolet
2
5.5k
30 Presentation Tips
portentint
PRO
1
260
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
160
It's Worth the Effort
3n
188
29k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
uxyall
0
210
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.4k
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
goyoki
takeda_h
karad
ypresto
k_adachi_01
tarappo
yamatai1212
ytaka23
koutorino
shoe116
tommy0124
satohjohn
reverentgeek
jdejongh
pedronauck
gurzu
coloredviolet
portentint
nikkihalliwell
3n
keithpitt
sstephenson
uxyall
eileencodes
