OWASP Japan
March 02, 2016
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
Transcript
The Phantom Menace: How can one mobile App rot everything?

Who am I?
- Work hard on defense
- Have fun in offense
- Break things
Alexey Troshichev, @hackappcom

What may be wrong with an App?
- Insecure transfer
- Injections
- Insecure storage
- Architecture flaws
See OWASP Mobile for details.

Common Attacks

An App is dangerous for users. What about vendors? Why should we waste time attacking one user when we can just break into the backend to get them all?

What can an App tell us?
- Environment disclosure
- Common authentication data
- Built-in accounts
- Anything you can't even imagine =)

Why is it interesting?
- Static analysis
- We are just searching strings... and it could be automated =)

AWK, STRINGS, GREP?
- Not suitable for binary containers
- Too much garbage

App in our dreams

App in the real world

Steps
- Containers recursive traversal
- Unusual files search
- Selective GREP
- Structure validation (sqlite, binXML, plist, etc.)
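The four steps above, worked through as an added example (this is not hackapp's scanner and not code from the talk): a minimal Python scanner that recursively walks nested zip containers, flags files by extension that do not belong in an Android package, validates structure by magic bytes rather than by file name, and greps only for narrow credential-shaped patterns so binary noise stays out of the report. The expected-extension set, the patterns and the in-memory sample APK are all constructed assumptions, and matched secrets are redacted before being reported.

```python
import io
import re
import zipfile
# File types normally found in an Android package (and in the jars it nests); assumed set.
EXPECTED_EXT = {".dex", ".xml", ".png", ".so", ".arsc", ".mf", ".sf", ".rsa", ".class"}
# Magic numbers: validate what a file really is instead of trusting its name.
MAGIC = {b"PK\x03\x04": "zip", b"SQLite format 3\x00": "sqlite",
         b"bplist00": "bplist", b"\x03\x00\x08\x00": "binxml"}
# Selective grep: narrow, credential-shaped patterns, so binary garbage does not flood the output.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "url_with_password": re.compile(rb"[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@"),
}
def detect_format(data):
    """Structural format of a blob by its magic bytes, or None if unrecognised."""
    return next((fmt for magic, fmt in MAGIC.items() if data.startswith(magic)), None)

def scan_blob(path, data):
    """Scan one file and return findings; nested zips (APK, JAR, AAR) are traversed, not skipped."""
    fmt = detect_format(data)
    if fmt == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return [f for i in inner.infolist() if not i.is_dir()
                    for f in scan_blob(path + "/" + i.filename, inner.read(i))]
    findings, name = [], path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if fmt in ("sqlite", "bplist"):
        findings.append(("embedded_" + fmt, path))  # shipped database or property list
    elif fmt is None and ext not in EXPECTED_EXT:
        findings.append(("unusual_file", path))     # scripts, backups, stray configs
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(data):
            evidence = m.group(0)[:4].decode("ascii", "replace") + "..."  # redacted for the report
            findings.append((kind, path, evidence))
    return findings

def build_sample_apk():
    """Constructed sample (not a real app): an APK whose nested helper jar leaks credentials."""
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as z:
        z.writestr("com/example/Config.class",
                   b"\xca\xfe\xba\xbe https://deploy:hunter2@files.example.com/ AKIAABCDEFGHIJKLMNOP")
    apk = io.BytesIO()
    with zipfile.ZipFile(apk, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00 nothing interesting")
        z.writestr("assets/cache.db", b"SQLite format 3\x00" + b"\x00" * 16)
        z.writestr("assets/backup.sh", b"#!/bin/sh\necho sync\n")
        z.writestr("lib/helper.jar", lib.getvalue())
    return apk.getvalue()
```

Running `scan_blob("app.apk", build_sample_apk())` on the sample reports the shipped SQLite database, the stray shell script, and the two credentials found inside the nested jar.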
Let's take 21268 top apps from Google Play... and scan them!

Shared cloud storage credentials

Environment disclosure

Backend sources 8(

Free Scanner: https://hackapp.com/scanner

Questions? Alexey Troshichev, @hackappcom