Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
0
140
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
350
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
190
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.3k
Shifting Left Like a Boss
owaspjapan
2
300
OWASP Top 10 and Your Web Apps
owaspjapan
2
390
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
250
elegance_of_OWASP_Top10_2017
owaspjapan
2
530
Other Decks in Technology
See All in Technology
セキュアな認可付きリモートMCPサーバーをAWSマネージドサービスでつくろう! / Let's build an OAuth protected remote MCP server based on AWS managed services
kaminashi
3
350
Node.js 2025: What's new and what's next
ruyadorno
0
400
プレーリーカードを活用しよう❗❗デジタル名刺交換からはじまるイベント会場交流のススメ
tsukaman
0
180
Findy Team+ QAチーム これからのチャレンジ!
findy_eventslides
0
430
AIツールでどこまでデザインを忠実に実装できるのか
oikon48
6
3.5k
LLMアプリの地上戦開発計画と運用実践 / 2025.10.15 GPU UNITE 2025
smiyawaki0820
1
630
いまからでも遅くない!SSL/TLS証明書超入門(It's not too late to start! SSL/TLS Certificates: The Absolute Beginner's Guide)
norimuraz
0
270
Introdução a Service Mesh usando o Istio
aeciopires
0
200
ガバメントクラウドの概要と自治体事例(名古屋市)
techniczna
3
240
Geospatialの世界最前線を探る [2025年版]
dayjournal
1
240
能登半島災害現場エンジニアクロストーク 【JAWS FESTA 2025 in 金沢】
ditccsugii
0
890
衛星画像超解像化によって実現する2D, 3D空間情報の即時生成と“AI as a Service”/ Real-time generation spatial data enabled_by satellite image super-resolution
lehupa
0
180
Featured
See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.5k
KATA
mclloyd
PRO
32
15k
Building Better People: How to give real-time feedback that sticks.
wjessup
369
20k
Producing Creativity
orderedlist
PRO
347
40k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
The Cost Of JavaScript in 2023
addyosmani
55
9k
Scaling GitHub
holman
463
140k
4 Signs Your Business is Dying
shpigford
185
22k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
10
870
The Straight Up "How To Draw Better" Workshop
denniskardys
238
140k
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
kaminashi
ruyadorno
tsukaman
findy_eventslides
oikon48
smiyawaki0820
norimuraz
aeciopires
techniczna
dayjournal
ditccsugii
lehupa
bermonpainter
samlambert
bcantrill
mclloyd
wjessup
orderedlist
maggiecrowley
addyosmani
holman
shpigford
tammyeverts
denniskardys
