The Phantom Menace - How can one mobile App rot...

March 02, 2016

140

The Phantom Menace - How can one mobile App rot everything?

Alexey Troshichev
@hackappcom

OWASP Japan

March 02, 2016

Tweet

More Decks by OWASP Japan

See All by OWASP Japan

OWASP Night 2019.03 Tokyo

0

380

OWASP SAMMを活用したセキュア開発の推進

0

1.1k

20190107_AbuseCaseCheatSheet

0

200

セキュリティ要求定義で使える非機能要求グレードとASVS

5

1.1k

AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値

9

3.4k

Shifting Left Like a Boss

2

320

OWASP Top 10 and Your Web Apps

2

410

OWASP Japan Proposal: Encouraging Japanese Translation

1

270

elegance_of_OWASP_Top10_2017

2

560

Other Decks in Technology

See All in Technology

Bill One急成長の舞台裏開発組織が直面した失敗と教訓

PRO

2

400

Why Organizations Fail: ノーベル経済学賞「国家はなぜ衰退するのか」から考えるアジャイル組織論

PRO

1

180

20260208_第66回コンピュータビジョン勉強会

0

190

Tebiki Engineering Team Deck

0

24k

AIエージェントに必要なのはデータではなく文脈だった/ai-agent-context-graph-mybest

1

240

ブロックテーマ、WordPress でウェブサイトをつくるということ / 2026.02.07 Gifu WordPress Meetup

0

200

SREチームをどう作り、どう育てるか ― Findy横断SREのマネジメント

0

340

Agile Leadership Summit Keynote 2026

1

670

ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup

0

480

コミュニティが変えるキャリアの地平線：コロナ禍新卒入社のエンジニアがAWSコミュニティで見つけた成長の羅針盤

0

130

茨城の思い出を振り返る～CDKのセキュリティを添えて～ / 20260201 Mitsutoshi Matsuo

PRO

1

390

CDKで始めるTypeScript開発のススメ

1

540

Featured

See All Featured

Visual Storytelling: How to be a Superhuman Communicator

2

430

Unsuck your backbone

671

58k

The agentic SEO stack - context over prompts

0

650

The Cult of Friendly URLs

79

6.8k

The Illustrated Guide to Node.js - THAT Conference 2024

0

260

SEO Brein meetup: CTRL+C is not how to scale international SEO

0

2.4k

AI: The stuff that nobody shows you

PRO

2

270

My Coaching Mixtape

0

49

Tell your own story through comics

1

810

The Success of Rails: Ensuring Growth for the Next 100 Years

47

7.9k

Designing for Performance

610

70k

We Analyzed 250 Million AI Search Results: Here's What I Found

1

750

Transcript

The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16