Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
0
140
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
340
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
180
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.3k
Shifting Left Like a Boss
owaspjapan
2
290
OWASP Top 10 and Your Web Apps
owaspjapan
2
380
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
240
elegance_of_OWASP_Top10_2017
owaspjapan
2
530
Other Decks in Technology
See All in Technology
ビズリーチが挑む メトリクスを活用した技術的負債の解消 / dev-productivity-con2025
visional_engineering_and_design
3
6.7k
fukabori.fm 出張版: 売上高617億円と高稼働率を陰で支えた社内ツール開発のあれこれ話 / 20250704 Yoshimasa Iwase & Tomoo Morikawa
shift_evolve
PRO
2
6.8k
20250707-AI活用の個人差を埋めるチームづくり
shnjtk
4
3.6k
AI導入の理想と現実~コストと浸透〜
oprstchn
0
190
Tech-Verse 2025 Global CTO Session
lycorptech_jp
PRO
0
1.7k
ゼロからはじめる採用広報
yutadayo
2
510
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
960
OPENLOGI Company Profile for engineer
hr01
1
34k
プライベートクラウドでの効率的な証明書配布戦略 / Efficient Certificate Distribution Strategy in Private Cloud
lycorptech_jp
PRO
0
110
敢えて生成AIを使わないマネジメント業務
kzkmaeda
2
380
AIとともに進化するエンジニアリング / Engineering-Evolving-with-AI_final.pdf
lycorptech_jp
PRO
0
160
怖くない!はじめてのClaude Code
shinya337
0
380
Featured
See All Featured
Done Done
chrislema
184
16k
Optimizing for Happiness
mojombo
379
70k
Bash Introduction
62gerente
614
210k
Designing Experiences People Love
moore
142
24k
Making the Leap to Tech Lead
cromwellryan
134
9.4k
A Tale of Four Properties
chriscoyier
160
23k
Navigating Team Friction
lara
187
15k
We Have a Design System, Now What?
morganepeng
53
7.7k
Writing Fast Ruby
sferik
628
62k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Become a Pro
speakerdeck
PRO
28
5.4k
Why Our Code Smells
bkeepers
PRO
337
57k
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
visional_engineering_and_design
shift_evolve
shnjtk
oprstchn
lycorptech_jp
yutadayo
oracle4engineer
hr01
kzkmaeda
shinya337
chrislema
mojombo
62gerente
moore
cromwellryan
chriscoyier
lara
morganepeng
sferik
thoeni
speakerdeck
bkeepers
