Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
OWASP Japan
March 02, 2016
Technology
0
140
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
380
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1.1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
210
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1.1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.5k
Shifting Left Like a Boss
owaspjapan
2
330
OWASP Top 10 and Your Web Apps
owaspjapan
2
410
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
280
elegance_of_OWASP_Top10_2017
owaspjapan
2
560
Other Decks in Technology
See All in Technology
【Oracle Cloud ウェビナー】【入門編】はじめてのOracle AI Data Platform - AIのためのデータ準備&自社用AIエージェントをワンストップで実現
oracle4engineer
PRO
1
140
Everything Claude Code を眺める
oikon48
8
5.1k
ソフトバンク流!プラットフォームエンジニアリング実現へのアプローチ
sbtechnight
0
140
Google系サービスで文字起こしから勝手にカレンダーを埋めるエージェントを作った話
risatube
0
190
わからなくて良いなら、わからなきゃだめなの?
kotaoue
1
360
今のWordPress の制作手法ってなにがあんねん?(改) / What’s the Deal with WordPress Development These Days?
tbshiki
0
470
わたしがセキュアにAWSを使えるわけないじゃん、ムリムリ!(※ムリじゃなかった!?)
cmusudakeisuke
1
750
[JAWSDAYS2026][D8]その起票、愛が足りてますか?AWSサポートを味方につける、技術的「ラブレター」の書き方
hirosys_
3
180
AIエージェント時代に備える AWS Organizations とアカウント設計
kossykinto
3
1.1k
Agent ServerはWeb Serverではない。ADKで考えるAgentOps
akiratameto
0
110
クラウド × シリコンの Mashup - AWS チップ開発で広がる AI 基盤の選択肢
htokoyo
2
260
Oracle Cloud Infrastructure IaaS 新機能アップデート 2025/12 - 2026/2
oracle4engineer
PRO
0
140
Featured
See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
231
22k
Building a Modern Day E-commerce SEO Strategy
aleyda
45
8.9k
SEO for Brand Visibility & Recognition
aleyda
0
4.4k
Git: the NoSQL Database
bkeepers
PRO
432
66k
SEO in 2025: How to Prepare for the Future of Search
ipullrank
3
3.4k
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
livdayseo
0
85
Being A Developer After 40
akosma
91
590k
Testing 201, or: Great Expectations
jmmastey
46
8.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.2k
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
1
1.4k
How to Grow Your eCommerce with AI & Automation
katarinadahlin
PRO
1
140
A Tale of Four Properties
chriscoyier
163
24k
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
oracle4engineer
oikon48
sbtechnight
risatube
kotaoue
tbshiki
cmusudakeisuke
hirosys_
kossykinto
akiratameto
htokoyo
danielanewman
aleyda
bkeepers
ipullrank
livdayseo
akosma
jmmastey
irinanazarova
katarinadahlin
chriscoyier
