The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Transcript
The Phantom Menace: How can one mobile App rot everything?

Who am I?
- Work hard on defense
- Have fun in offense
- Break things
Alexey Troshichev @hackappcom

What may be wrong with an App?
- Insecure transfer
- Injections
- Insecure storage
- Architecture flaws
See OWASP Mobile for details

Common Attacks

An App is dangerous for users. What about vendors? Why should we waste time attacking one user, when we can just break into the backend to get them all?

What can an App tell us?
- Environment disclosure
- Common authentication data
- Built-in accounts
- Anything you can’t even imagine =)

Why is it interesting?
- Static analysis
- We are just searching strings… and it could be automated =)

AWK, STRINGS, GREP?
- Not suitable for binary containers
- Too much garbage

App in our dreams

App in the real world

Steps
- Containers recursive traversal
- Unusual files search
- Selective GREP
- Structure validation (sqlite, binXML, plist, etc.)

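The four steps on the Steps slide above, worked through as an added example. This is an illustration written for this page, not the speaker's tool and not the hackapp.com scanner: it walks an APK-like zip recursively (APK, JAR and AAR are all zip containers), flags files by an assumed list of suspicious extensions and by extension/magic-byte mismatch, parses SQLite databases and binary plists before searching them, and greps only for a handful of narrow patterns instead of dumping every string. The AKIA-prefixed shape is AWS's documented access key ID format; the other patterns, the extension lists, the nesting limit and the sample app with its made-up secrets are all constructed for the example.

```python
"""Added example: recursive, structure-aware secret scan of a mobile app container."""
import collections, io, os, plistlib, re, sqlite3, sys, tempfile, zipfile
from pathlib import Path

MAX_DEPTH = 4  # assumed nesting limit (apk -> jar -> zip ...)
# Structure validation: identify files by magic bytes, never by extension alone.
MAGIC = {b"SQLite format 3\x00": "sqlite", b"bplist00": "bplist", b"PK\x03\x04": "zip"}
EXPECTED_EXTS = {"sqlite": {".db", ".sqlite"}, "bplist": {".plist"}, "zip": {".apk", ".jar", ".aar"}}
# Assumed list of file types that have no business inside a release build.
UNUSUAL_EXTS = {".sh", ".py", ".php", ".sql", ".pem", ".p12", ".jks", ".keystore", ".env", ".bak"}
# Selective grep: narrow patterns instead of a raw strings dump. AKIA + 16 upper-case
# alphanumerics is the documented AWS access key ID shape; the other three are illustrative.
PATTERNS = {
    "cloud_access_key": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "internal_url": re.compile(rb"https?://[\w.\-]+\.(?:internal|local|corp)\b[^\s\"']*"),
    "hardcoded_secret": re.compile(rb"(?i)\b(?:password|passwd|secret)\s*[=:]\s*[^\s\"'<>]{6,}"),
}
Finding = collections.namedtuple("Finding", "path kind evidence")  # path levels joined with '!'

def classify(data: bytes) -> str:
    return next((k for m, k in MAGIC.items() if data.startswith(m)), "other")

def text_from_sqlite(data: bytes) -> bytes:
    """Open the blob as a database and dump every cell, one per line."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "x.db")
        path.write_bytes(data)
        con = sqlite3.connect(path)
        try:
            cells = []
            for (tbl,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
                for row in con.execute('SELECT * FROM "%s"' % tbl.replace('"', '""')):
                    cells.extend(str(v) for v in row if v is not None)
        finally:
            con.close()
    return "\n".join(cells).encode()

def text_from_plist(data: bytes) -> bytes:
    """Flatten a (binary) plist into its keys and scalar values, one per line."""
    def walk(node):
        if isinstance(node, dict):
            node = [*node.keys(), *node.values()]
        if isinstance(node, list):
            return [s for v in node for s in walk(v)]
        return [str(node)]
    return "\n".join(walk(plistlib.loads(data))).encode()

EXTRACTORS = {"sqlite": text_from_sqlite, "bplist": text_from_plist}

def scan_blob(path: str, data: bytes, findings: list, depth: int = 0) -> list:
    kind = classify(data)
    ext = os.path.splitext(path)[1].lower()
    if ext in UNUSUAL_EXTS:
        findings.append(Finding(path, "unusual_file", ext))
    if depth and kind in EXPECTED_EXTS and ext not in EXPECTED_EXTS[kind]:
        findings.append(Finding(path, "disguised_file", f"{ext or '(none)'} is really {kind}"))
    if kind == "zip":  # recursive container traversal: apk, jar and aar are all zips
        if depth < MAX_DEPTH:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        scan_blob(f"{path}!{info.filename}", zf.read(info), findings, depth + 1)
        return findings
    try:  # parse structured formats so a secret is seen whole, not as page fragments
        text = EXTRACTORS.get(kind, bytes)(data)
    except Exception:  # corrupt or unsupported structure: fall back to the raw bytes
        text = data
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            findings.append(Finding(path, name, m.group(0).decode("latin-1")))
    return findings

def scan_app(data: bytes) -> list:
    return scan_blob("app", data, [])

def build_sample_app() -> bytes:
    """Constructed fixture, not a real app; every secret in it is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        con = sqlite3.connect(Path(tmp, "s.db"))
        con.executescript("CREATE TABLE settings(k TEXT, v TEXT);"
                          "INSERT INTO settings VALUES ('api_base', 'https://api.build.internal/v2');")
        con.close()
        db = Path(tmp, "s.db").read_bytes()
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/deploy.sh", b"#!/bin/sh\npassword=dbpass123\n")
    plist = plistlib.dumps({"push_key": "-----BEGIN PRIVATE KEY-----\n(constructed)"}, fmt=plistlib.FMT_BINARY)
    apk = io.BytesIO()
    with zipfile.ZipFile(apk, "w") as zf:
        zf.writestr("assets/config.properties", b"cloud.access_key=AKIA0123456789ABCDEF\n")
        zf.writestr("res/raw/cache.png", db)  # SQLite DB hiding behind an image extension
        zf.writestr("assets/Defaults.plist", plist)
        zf.writestr("lib/helper.jar", jar.getvalue())
    return apk.getvalue()

if __name__ == "__main__":  # scan the apk named on the command line, else the fixture
    for f in scan_app(Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_app()):
        print(f"{f.kind:16} {f.path}  {f.evidence!r}")
```

Run without arguments and it reports six findings against the fixture: a cloud access key in a properties file, a SQLite database disguised as a PNG whose rows leak an internal API host, a private key header inside a binary plist, and a deployment script with a hard-coded password nested inside a jar. Pass a real APK path to scan it instead. Two caveats a practitioner would add: the Android binary XML listed on the slide is not decoded here, and since its string pool is UTF-16 (or UTF-8) encoded a raw byte grep would miss it; and a corrupt or unusual structured file falls back to raw-byte matching, so it is reported with less context rather than silently skipped.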
Let’s take 21268 top apps from Google Play… …and scan them!

Shared cloud storage credentials

Environment disclosure

Backend sources 8(

Free Scanner: https://hackapp.com/scanner

Questions? Alexey Troshichev @hackappcom