Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
150
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
400
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1.1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
220
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1.2k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.5k
Shifting Left Like a Boss
owaspjapan
2
340
OWASP Top 10 and Your Web Apps
owaspjapan
2
430
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
300
elegance_of_OWASP_Top10_2017
owaspjapan
2
580
Other Decks in Technology
See All in Technology
Kaggleで成長するために意識したこと
prgckwb
1
240
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
4
5.2k
美しいコードを書くためにF#を学んでみた話
yud0uhu
1
400
「ちゃんとやっている」は独りよがりだった ― 不安に寄り添うインシデント対応へ / Towards incident response that addresses anxieties
chmikata
1
4.8k
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
15
110k
SRE依存からの脱却 運用を開 発チームへ移す、 フルサイ クル開 発体制の実践
joooee0000
0
2.6k
Making sense of Google’s agentic dev tools
glaforge
1
150
プライバシー保護の理論と実践
lycorptech_jp
PRO
1
250
Control Planeで育てるBtoB SaaSの認証基盤 - SRE NEXT 2026
pokohide
1
2.2k
脱金融のフューチャー・デザイン / Future Design Beyond Finance
ks91
PRO
0
150
AI Agent SaaS を支える自社仮想化基盤への挑戦と実運用 / ai-agent-saas-virtualization
flatt_security
2
3.7k
Zoom2Youtube.Claude
kawaguti
PRO
3
490
Featured
See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
2k
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
500
A brief & incomplete history of UX Design for the World Wide Web: 1989–2019
jct
2
420
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
67
56k
The AI Search Optimization Roadmap by Aleyda Solis
aleyda
1
6k
Navigating the moral maze — ethical principles for Al-driven product design
skipperchong
2
410
The Impact of AI in SEO - AI Overviews June 2024 Edition
aleyda
5
1.1k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
3
910
Large-scale JavaScript Application Architecture
addyosmani
515
110k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.5k
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
630
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16