OWASP Japan
March 02, 2016
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
Transcript
The Phantom Menace: How can one mobile App rot everything?

Who am I?
- Work hard on defense
- Have fun in offense
- Break things
Alexey Troshichev @hackappcom

What may be wrong with an App?
- Insecure transfer
- Injections
- Insecure storage
- Architecture flaws
See OWASP Mobile for details

Common Attacks

An App is dangerous for users. What about vendors? Why should we waste time attacking one user, when we can just break into the backend to get them all?

What can an App tell us?
- Environment disclosure
- Common authentication data
- Built-in accounts
- Anything you can't even imagine =)

Why is it interesting?
- Static analysis
- We are just searching strings... and it could be automated =)

AWK, STRINGS, GREP?
- Not suitable for binary containers
- Too much garbage

App in our dreams

App in the real world

Steps
- Recursive traversal of containers
- Search for unusual files
- Selective GREP
- Structure validation (sqlite, binXML, plist, etc.)
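The four steps above (recursive container traversal, unusual-file search, selective grep, structure validation) as an added Python example; this is not the deck's code nor the hackapp scanner, and the credential patterns, unusual-file suffixes and the APK-like sample zip it scans are constructed assumptions for illustration, for checking one's own builds before release.

```python
import io
import re
import zipfile

# Constructed rules (assumptions for this example, not the deck's scanner): credential shapes
# to grep for, file names that are unusual inside an app bundle, and magic bytes per format.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*\S{6,}"),
}
UNUSUAL_SUFFIXES = (".pem", ".key", ".p12", ".sql", ".db", ".sqlite", ".env", ".sh")
MAGIC = {b"PK\x03\x04": "zip", b"SQLite format 3\x00": "sqlite", b"bplist": "binary_plist"}

def classify(data):
    """Identify a blob by magic bytes rather than trusting its file extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"

def walk(data, path=""):
    """Yield (path, bytes) for every leaf file, recursing into nested zip containers."""
    if classify(data) == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                if not name.endswith("/"):
                    yield from walk(z.read(name), f"{path}/{name}")
    else:
        yield path, data

def scan(container):
    """Return sorted (path, finding) pairs: unusual names, validated structures, grep hits."""
    findings = set()
    for path, data in walk(container):
        if path.lower().endswith(UNUSUAL_SUFFIXES):
            findings.add((path, "unusual_file"))
        # Structure validation: a real SQLite header is 100 bytes with a non-zero page size.
        if classify(data) == "sqlite" and len(data) >= 100 and data[16:18] != b"\x00\x00":
            findings.add((path, "valid_sqlite_header"))
        for label, rx in PATTERNS.items():  # selective grep, leaf files only
            if rx.search(data):
                findings.add((path, label))
    return sorted(findings)

def build_sample_apk():
    """Constructed sample: APK-like zip with a nested zip holding a key file and a SQLite db."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("keys/server.pem", "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n")
        z.writestr("db/cache.db", b"SQLite format 3\x00\x10\x00" + b"\x00" * 82)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("assets/config.properties", "aws_key=AKIAIOSFODNN7EXAMPLE\ndb.password=Sup3rS3cret!\n")
        z.writestr("res/raw/bundle.zip", inner.getvalue())
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return outer.getvalue()
```

Calling `scan(build_sample_apk())` reports the key file and database inside the nested zip as well as the two credentials in the properties file, while `classes.dex` produces nothing.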
Let's take the 21268 top apps from Google Play... and scan them!

Shared cloud storage credentials

Environment disclosure

Backend sources 8(

Free Scanner: https://hackapp.com/scanner

Questions
Alexey Troshichev @hackappcom