The Phantom Menace - How can one mobile App rot everything?
OWASP Japan
March 02, 2016
Alexey Troshichev
@hackappcom
Transcript
The Phantom Menace - How can one mobile App rot everything?

Slide 1: Who am I?
- Work hard on defense
- Have fun in offense
- Break things
Alexey Troshichev, @hackappcom

Slide 2: What may be wrong with an App?
- Insecure transfer
- Injections
- Insecure storage
- Architecture flaws
See OWASP Mobile for details.

Slide 3: Common Attacks

Slide 4: An App is dangerous for its users. What about vendors? Why should we waste time attacking one user when we can just break into the backend and get them all?

Slide 5: What can an App tell us?
- Environment disclosure
- Common authentication data
- Built-in accounts
- Anything you can't even imagine =)

Slide 6: Why is it interesting?
- Static analysis
- We are just searching strings… and it could be automated =)

Slide 7: AWK, STRINGS, GREP?
- Not suitable for binary containers
- Too much garbage

Slide 8: App in our dreams

Slide 9: App in the real world

Slide 10: Steps
- Recursive traversal of containers
- Search for unusual files
- Selective GREP
- Structure validation (sqlite, binXML, plist, etc.)

Slide 11: Let's take the 21268 top apps from Google Play… and scan them!

Slide 12: Shared cloud storage credentials

Slide 13: Environment disclosure

Slide 14: Backend sources 8(

Slide 15: Free Scanner: https://hackapp.com/scanner

Slide 16: Questions
Alexey Troshichev, @hackappcom
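The pipeline of slide 10 (recursive container traversal, file triage by structure rather than by name, selective grep) as an added Python example for checking your own release builds before they ship; this is not the speaker's scanner. The magic bytes, the credential patterns and the in-memory sample APK are assumptions constructed for this illustration.

```python
import io, re, zipfile
# Leading bytes of the formats the talk lists under "structure validation" (assumed values).
MAGIC = {
    "sqlite": b"SQLite format 3\x00",
    "bplist": b"bplist00",
    "binxml": b"\x03\x00\x08\x00",  # Android binary XML chunk header
}
# Credential-shaped patterns for the "selective grep" step (constructed; tune for your app).
PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*\S{4,}"),
    "private_key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def classify(data):
    for name, magic in MAGIC.items():  # trust the bytes, not the file extension
        if data.startswith(magic):
            return name
    return "other"

def scan_container(blob, prefix=""):
    """Walk a zip-based container (APK/IPA) recursively; nested zips are descended."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path, data = prefix + info.filename, zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                findings.extend(scan_container(data, path + "!/"))
                continue
            kind = classify(data)
            if kind != "other":
                findings.append((path, "structure:" + kind))
            for label, rx in PATTERNS.items():
                if rx.search(data):
                    findings.append((path, "secret:" + label))
    return findings

def build_sample_apk():
    """Constructed test input: a stray SQLite DB plus a key leaked inside a nested zip."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("assets/config.properties", b"storage.key=AKIA" + b"A" * 16 + b"\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("res/raw/cache.db", b"SQLite format 3\x00" + b"\x00" * 32)
        z.writestr("lib/bundle.zip", inner.getvalue())
        z.writestr("classes.dex", b"dex\n035\x00no secrets here")
    return outer.getvalue()
```

Run `scan_container(open("app-release.apk", "rb").read())` in CI and fail the build on any `secret:` finding; `structure:` findings flag files worth a manual look.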