Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
0
140
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
370
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1.1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
200
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1.1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.4k
Shifting Left Like a Boss
owaspjapan
2
310
OWASP Top 10 and Your Web Apps
owaspjapan
2
400
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
260
elegance_of_OWASP_Top10_2017
owaspjapan
2
540
Other Decks in Technology
See All in Technology
Entity Framework Core におけるIN句クエリ最適化について
htkym
0
130
ESXi のAIOps だ!2025冬
unnowataru
0
400
AWSに革命を起こすかもしれない新サービス・アップデートについてのお話
yama3133
0
520
株式会社ビザスク_AI__Engineering_Summit_Tokyo_2025_登壇資料.pdf
eikohashiba
1
120
20251222_サンフランシスコサバイバル術
ponponmikankan
2
150
ActiveJobUpdates
igaiga
1
330
Agentic AIが変革するAWSの開発・運用・セキュリティ ~Frontier Agentsを試してみた~ / Agentic AI transforms AWS development, operations, and security I tried Frontier Agents
yuj1osm
0
100
Next.js 16の新機能 Cache Components について
sutetotanuki
0
190
松尾研LLM講座2025 応用編Day3「軽量化」 講義資料
aratako
11
4.5k
MariaDB Connector/C のcaching_sha2_passwordプラグインの仕様について
boro1234
0
1.1k
"人"が頑張るAI駆動開発
yokomachi
1
630
AI との良い付き合い方を僕らは誰も知らない
asei
0
280
Featured
See All Featured
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
34k
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
21
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
5.8k
Evolving SEO for Evolving Search Engines
ryanjones
0
78
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.4k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
4
2.2k
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
31
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
55k
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
1
97
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
196
70k
Technical Leadership for Architectural Decision Making
baasie
0
190
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
htkym
unnowataru
yama3133
eikohashiba
ponponmikankan
igaiga
yuj1osm
sutetotanuki
.jpg){kind=avatar}
aratako
boro1234
yokomachi
asei
eileencodes
greggifford
reverentgeek
ryanjones
tammyeverts
caitiem20
inesmontani
techseoconnect
aki_iinuma
stephenakadiri
soudai
baasie
