OWASP Japan
March 02, 2016
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
Transcript
The Phantom Menace: How can one mobile App rot everything?

Who am I?
- Work hard on defense
- Have fun in offense
- Break things
Alexey Troshichev, @hackappcom

What may be wrong with an App?
- Insecure transfer
- Injections
- Insecure storage
- Architecture flaws
See OWASP Mobile for details.

Common Attacks

An App is dangerous for its users. What about vendors? Why should we waste time attacking one user, when we can just break into the backend to get them all?

What can an App tell us?
- Environment disclosure
- Common authentication data
- Built-in accounts
- Anything you can't even imagine =)

Why is it interesting?
- Static analysis
- We are just searching strings... and it could be automated =)

AWK, STRINGS, GREP?
- Not suitable for binary containers
- Too much garbage

App in our dreams

App in the real world

Steps
- Recursive traversal of containers
- Search for unusual files
- Selective GREP
- Structure validation (sqlite, binXML, plist, etc.)
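The traversal, unusual-file search and selective grep steps above, as an added example that is not code from the talk or from the hackapp.com scanner: a small Python walker over a constructed APK-like zip (the file names, patterns and sample contents are assumed), which recurses into nested containers, flags file types that rarely belong in a shipped package, and greps only text-like entries for credential-looking strings. A defender can run the same check over a build artefact before release to catch exactly the kind of leaked secrets the talk reports.

```python
import io
import re
import zipfile

# Credential-looking string patterns (illustrative, not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*\S+"),
    "private_key_block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# File types that rarely belong in a shipped app package (assumed list).
UNUSUAL_SUFFIXES = (".pem", ".key", ".sqlite", ".db", ".sh", ".env", ".properties")
CONTAINER_SUFFIXES = (".zip", ".jar", ".apk")

def scan_container(data: bytes, prefix: str = "") -> list:
    """Recursively walk a zip-based container and return a list of findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            content = zf.read(info)
            if path.lower().endswith(CONTAINER_SUFFIXES):  # nested container: recurse
                findings += scan_container(content, path + "!/")
                continue
            if path.lower().endswith(UNUSUAL_SUFFIXES):
                findings.append({"path": path, "kind": "unusual_file", "match": ""})
            # Selective grep: only mostly-printable entries are worth a string search,
            # which keeps dex/so garbage out of the results.
            printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in content)
            if content and printable / len(content) < 0.9:
                continue
            for name, rx in PATTERNS.items():
                for m in rx.finditer(content):
                    findings.append({"path": path, "kind": name,
                                     "match": m.group(0).decode("ascii", "replace")})
    return findings

def build_sample_apk() -> bytes:
    # Constructed sample package: an APK-like zip with a nested jar, not a real app.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/server.pem",
                     b"-----BEGIN RSA PRIVATE KEY-----\nMIIBexample\n-----END RSA PRIVATE KEY-----\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as apk:
        apk.writestr("assets/config.properties", b"aws.key=AKIAEXAMPLE000000000\ndb.password = hunter2\n")
        apk.writestr("classes.dex", bytes(range(256)) * 4)  # binary blob, skipped by the grep step
        apk.writestr("lib/helper.jar", inner.getvalue())
    return outer.getvalue()
```

Calling scan_container(build_sample_apk()) reports the two unusual files, the key id, the password assignment and the private key block, and nothing from classes.dex.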
Let's take the 21268 top apps from Google Play... and scan them!

Shared cloud storage credentials

Environment disclosure

Backend sources 8(

Free Scanner: https://hackapp.com/scanner

Questions
Alexey Troshichev, @hackappcom