Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
OWASP Japan
March 02, 2016
Technology
150
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
400
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1.1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
220
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1.2k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.5k
Shifting Left Like a Boss
owaspjapan
2
340
OWASP Top 10 and Your Web Apps
owaspjapan
2
430
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
290
elegance_of_OWASP_Top10_2017
owaspjapan
2
580
Other Decks in Technology
See All in Technology
自律型AIエージェントは何を破壊するのか
kojira
0
130
スキルと MCP ツール、責務をどう分けるか? AI が迷わないインターフェース設計の戦略
cdataj
0
170
新規事業を牽引する技術選定 〜フルスタックTypeScript開発の実践事例〜
nullnull
3
370
LLMにもCAP定理があるという話
harukasakihara
0
230
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
5
1.8k
MCP Appsを作ってみよう
iwamot
PRO
4
200
EventBridge Connection
_kensh
5
660
Socrates × Looker 〜セマンティックレイヤーで進化するデータ分析エージェント〜
hanon52_
2
1.3k
非エンジニアがClaudeと挑んだ「1ヶ月間プロダクト30本ノック」
askokc
0
140
AIソロプレナー時代に2ヶ月で20人増員した事業創造会社の開発組織の話
miyatakoji
0
190
Amazon Bedrock AgentCore ワークショップ JAWS UG TOHOKU / amazon-bedrock-agentcore-workshop-jawsug-tohoku-2026
gawa
9
470
TypeScript Compiler APIとPHP-Parserを活用し、TypeScriptとPHPで型を共有する
shuta13
0
370
Featured
See All Featured
[SF Ruby Conf 2025] Rails X
palkan
2
1.1k
New Earth Scene 8
popppiees
3
2.3k
Intergalactic Javascript Robots from Outer Space
tanoku
273
27k
GitHub's CSS Performance
jonrohan
1033
470k
The #1 spot is gone: here's how to win anyway
tamaranovitovic
2
1.1k
Faster Mobile Websites
deanohume
310
31k
A designer walks into a library…
pauljervisheath
211
24k
So, you think you're a good person
axbom
PRO
2
2.1k
How to Talk to Developers About Accessibility
jct
2
220
Google's AI Overviews - The New Search
badams
0
1k
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.3k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
kojira
cdataj
nullnull
harukasakihara
oracle4engineer
iwamot
_kensh
hanon52_
askokc
miyatakoji
gawa
shuta13
palkan
popppiees
tanoku
jonrohan
tamaranovitovic
deanohume
pauljervisheath
axbom
jct
badams
aleyda
chriscoyier
