Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
150
0
Share
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
390
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1.1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
210
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1.2k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.5k
Shifting Left Like a Boss
owaspjapan
2
340
OWASP Top 10 and Your Web Apps
owaspjapan
2
420
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
290
elegance_of_OWASP_Top10_2017
owaspjapan
2
570
Other Decks in Technology
See All in Technology
コミュニティ・勉強会を作るのは目的じゃない
ohmori_yusuke
0
280
20年前の「OSS革命」に学ぶ AI時代の生存戦略
samakada
0
510
Modernizing Your HCL Connections Experience: Visual Report to chain, Profile Enhancements, and AI Integration
wannesrams
0
240
エージェントスキルを作って自分のインプットに役立てよう
tsubakimoto_s
0
500
色を視る
yuzneri
0
300
GitHub Copilot CLI と VS Code Agent Mode の使い分け
tomokusaba
0
120
ハーネスエンジニアリングをやりすぎた話 ~そのハーネスは解体された~
gotalab555
5
1.9k
ファインディの事業拡大を支える 拡張可能なデータ基盤へのリアーキテクチャ
hiracky16
0
680
はじめての MagicPod生成AI機能 機能紹介から活用方法まで
magicpod
0
130
AndroidアプリとCopilot Studioの統合
nakasho
0
190
[Oracle TechNight#99] 生成AI時代のAI/ML入門 ~ AIとオラクルデータベースの関係 (後半)
oracle4engineer
PRO
1
160
Google Cloud Next '26 の裏でこっそりリリースされたCloud Number Registry & Cloud Hub コスト分析 を試してみた
hikaru1001
0
140
Featured
See All Featured
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
2
1.5k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
3
3.4k
Exploring anti-patterns in Rails
aemeredith
3
340
Reality Check: Gamification 10 Years Later
codingconduct
0
2.1k
Stewardship and Sustainability of Urban and Community Forests
pwiseman
0
190
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.2k
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
480
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
550
Six Lessons from altMBA
skipperchong
29
4.2k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
12
1.1k
Design in an AI World
tapps
1
200
Reflections from 52 weeks, 52 projects
jeffersonlam
356
21k
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
ohmori_yusuke
samakada
wannesrams
tsubakimoto_s
yuzneri
tomokusaba
gotalab555
hiracky16
magicpod
nakasho
oracle4engineer
hikaru1001
aleyda
inesmontani
aemeredith
codingconduct
pwiseman
danielanewman
portentint
tammyeverts
skipperchong
tapps
jeffersonlam
