Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
0
140
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
350
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
190
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.3k
Shifting Left Like a Boss
owaspjapan
2
300
OWASP Top 10 and Your Web Apps
owaspjapan
2
390
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
250
elegance_of_OWASP_Top10_2017
owaspjapan
2
530
Other Decks in Technology
See All in Technology
Railsの話をしよう
yahonda
0
160
新規事業におけるGORM+SQLx併用アーキテクチャ
hacomono
PRO
0
330
それでも私が品質保証プロセスを作り続ける理由 #テストラジオ / Why I still continue to create QA process
pineapplecandy
0
130
物体検出モデルでシイタケの収穫時期を自動判定してみた。 #devio2025
lamaglama39
0
230
WEBサービスを成り立たせるAWSサービス
takano0131
1
180
カンファレンスに託児サポートがあるということ / Having Childcare Support at Conferences
nobu09
1
600
「れきちず」のこれまでとこれから - 誰にでもわかりやすい歴史地図を目指して / FOSS4G 2025 Japan
hjmkth
1
320
そのWAFのブロック、どう活かす? サービスを守るための実践的多層防御と思考法 / WAF blocks defense decision
kaminashi
0
200
20251007: What happens when multi-agent systems become larger? (CyberAgent, Inc)
ornew
1
380
Wasmの気になる最新情報
askua
0
120
Findy Team+ QAチーム これからのチャレンジ!
findy_eventslides
0
430
Click A, Buy B: Rethinking Conversion Attribution in ECommerce Recommendations
lycorptech_jp
PRO
0
100
Featured
See All Featured
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.5k
Into the Great Unknown - MozCon
thekraken
40
2.1k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.5k
A better future with KSS
kneath
239
18k
Music & Morning Musume
bryan
46
6.8k
Bash Introduction
62gerente
615
210k
Building Applications with DynamoDB
mza
96
6.7k
[RailsConf 2023] Rails as a piece of cake
palkan
57
5.9k
Rebuilding a faster, lazier Slack
samanthasiow
84
9.2k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.7k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
37
2.6k
Typedesign – Prime Four
hannesfritz
42
2.8k
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16