Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
0
140
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
340
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
180
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.3k
Shifting Left Like a Boss
owaspjapan
2
290
OWASP Top 10 and Your Web Apps
owaspjapan
2
380
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
240
elegance_of_OWASP_Top10_2017
owaspjapan
2
530
Other Decks in Technology
See All in Technology
論文紹介:LLMDet (CVPR2025 Highlight)
tattaka
0
240
より良いプロダクトの開発を目指して - 情報を中心としたプロダクト開発 #phpcon #phpcon2025
bengo4com
1
3.2k
KubeCon + CloudNativeCon Japan 2025 Recap by CA
ponkio_o
PRO
0
250
KubeCon + CloudNativeCon Japan 2025 に行ってきた! & containerd の新機能紹介
honahuku
0
120
事業成長の裏側:エンジニア組織と開発生産性の進化 / 20250703 Rinto Ikenoue
shift_evolve
PRO
1
950
無意味な開発生産性の議論から抜け出すための予兆検知とお金とAI
i35_267
0
1.4k
rubygem開発で鍛える設計力
joker1007
2
270
KubeCon + CloudNativeCon Japan 2025 Recap
ren510dev
1
310
Tokyo_reInforce_2025_recap_iam_access_analyzer
hiashisan
0
140
LangSmith×Webhook連携で実現するプロンプトドリブンCI/CD
sergicalsix
1
160
Lambda Web Adapterについて自分なりに理解してみた
smt7174
5
140
Beyond Kaniko: Navigating Unprivileged Container Image Creation
f30
0
110
Featured
See All Featured
Designing for humans not robots
tammielis
253
25k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.4k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
657
60k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Code Reviewing Like a Champion
maltzj
524
40k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
281
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
124
52k
Designing Experiences People Love
moore
142
24k
Optimising Largest Contentful Paint
csswizardry
37
3.3k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.7k
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
tattaka
bengo4com
ponkio_o
honahuku
shift_evolve
i35_267
joker1007
ren510dev
hiashisan
sergicalsix
smt7174
f30
tammielis
jnunemaker
lemiorhan
chriscoyier
maltzj
stephaniewalter
aki_iinuma
moore
csswizardry
lauravandoore
sonatard
mraible
