Lock in $30 Savings on PRO—Offer Ends Soon! ⏳
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
0
140
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
370
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1.1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
200
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1.1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.4k
Shifting Left Like a Boss
owaspjapan
2
310
OWASP Top 10 and Your Web Apps
owaspjapan
2
400
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
260
elegance_of_OWASP_Top10_2017
owaspjapan
2
540
Other Decks in Technology
See All in Technology
SQLだけでマイグレーションしたい!
makki_d
0
1.1k
GitHub Copilotを使いこなす 実例に学ぶAIコーディング活用術
74th
3
3.6k
ActiveJobUpdates
igaiga
1
260
re:Invent2025 3つの Frontier Agents を紹介 / introducing-3-frontier-agents
tomoki10
0
320
MySQLとPostgreSQLのコレーション / Collation of MySQL and PostgreSQL
tmtms
1
1.1k
Agent Skillsがハーネスの垣根を超える日
gotalab555
3
1.6k
Snowflakeで実践する、生成AIを活用した「自然言語によるデータとの対話」
nayuts
0
100
AgentCore BrowserとClaude Codeスキルを活用した 『初手AI』を実現する業務自動化AIエージェント基盤
ruzia
4
240
2025年 開発生産「可能」性向上報告 サイロ解消からチームが能動性を獲得するまで/ 20251216 Naoki Takahashi
shift_evolve
PRO
2
210
シニアソフトウェアエンジニアになるためには
kworkdev
PRO
3
200
子育てで想像してなかった「見えないダメージ」 / Unforeseen "hidden burdens" of raising children.
pauli
2
310
AWS re:Invent 2025 re:Cap LT大会 データベース好きが語る re:Invent 2025 データベースアップデート/セッションの紹介
coldairflow
0
120
Featured
See All Featured
Digital Ethics as a Driver of Design Innovation
axbom
PRO
0
130
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
9
1k
Reality Check: Gamification 10 Years Later
codingconduct
0
1.9k
Getting science done with accelerated Python computing platforms
jacobtomlinson
0
73
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
0
390
Side Projects
sachag
455
43k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
132
19k
The Limits of Empathy - UXLibs8
cassininazir
1
190
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
220
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
twada
PRO
115
91k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.3k
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
0
240
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
makki_d
74th
igaiga
tomoki10
tmtms
gotalab555
nayuts
ruzia
shift_evolve
kworkdev
pauli
coldairflow
axbom
addyosmani
codingconduct
jacobtomlinson
honzajavorek
sachag
morganepeng
cassininazir
mfonobong
twada
eileencodes
katarinadahlin
