Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Phantom Menace - How can one mobile App rot...
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
OWASP Japan
March 02, 2016
Technology
0
140
The Phantom Menace - How can one mobile App rot everything?
Alexey Troshichev
@hackappcom
OWASP Japan
March 02, 2016
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
380
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1.1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
200
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1.1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.4k
Shifting Left Like a Boss
owaspjapan
2
320
OWASP Top 10 and Your Web Apps
owaspjapan
2
410
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
270
elegance_of_OWASP_Top10_2017
owaspjapan
2
560
Other Decks in Technology
See All in Technology
Codex 5.3 と Opus 4.6 にコーポレートサイトを作らせてみた / Codex 5.3 vs Opus 4.6
ama_ch
0
200
We Built for Predictability; The Workloads Didn’t Care
stahnma
0
150
Cloud Runでコロプラが挑む 生成AI×ゲーム『神魔狩りのツクヨミ』の裏側
colopl
0
130
仕様書駆動AI開発の実践: Issue→Skill→PRテンプレで 再現性を作る
knishioka
2
680
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
10k
AWS Network Firewall Proxyを触ってみた
nagisa53
1
240
生成AIを活用した音声文字起こしシステムの2つの構築パターンについて
miu_crescent
PRO
3
220
データの整合性を保ちたいだけなんだ
shoheimitani
8
3.2k
コスト削減から「セキュリティと利便性」を担うプラットフォームへ
sansantech
PRO
3
1.6k
Context Engineeringが企業で不可欠になる理由
hirosatogamo
PRO
3
660
プロダクト成長を支える開発基盤とスケールに伴う課題
yuu26
4
1.4k
モダンUIでフルサーバーレスなAIエージェントをAmplifyとCDKでサクッとデプロイしよう
minorun365
4
220
Featured
See All Featured
The Illustrated Children's Guide to Kubernetes
chrisshort
51
51k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
Leading Effective Engineering Teams in the AI Era
addyosmani
9
1.6k
Darren the Foodie - Storyboard
khoart
PRO
2
2.4k
Marketing to machines
jonoalderson
1
4.6k
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.1k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
280
Odyssey Design
rkendrick25
PRO
1
500
Navigating Algorithm Shifts & AI Overviews - #SMXNext
aleyda
0
1.1k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
350
Accessibility Awareness
sabderemane
0
56
The SEO identity crisis: Don't let AI make you average
varn
0
330
Transcript
The Phantom Menace How can one mobile App rot everything?
Who am I? - Work hard on defense - Have
fun in offense - Break things 1 Alexey Troshichev @hackappcom
What may be wrong with an App? - Insecure transfer
- Injections - Insecure storage - Architecture flaws 2 OWASP mobile for details
Common Attacks 3
App is dangerous for users. What’s about vendors? Why should
we waste time attacking one user, when we can just break into backend to get them all? 4
What can an App tell us? - Environment disclosure -
Common authentication data - Built-in accounts - Anything you can’t even imagine =) 5
Why it’s interesting? - Static analysis - We are just
searching strings…and it could be automated =) 6
AWK, STRINGS, GREP? - Not suitable for binary containers -
Too much garbage 7
App in our dreams 8
App in the real world 9
Steps - Containers recursive traversal - Unusual files search -
Selective GREP - Structure validation (sqlite, binXML,plist, etc..) 10
Let’s take 21268 top apps from Google Play… …and scan
it ! 11
Shared cloud storage credentials 12
Environment disclosure 13
Backend sources 8( 14
Free Scanner 15 https://hackapp.com/scanner
Questions Alexey Troshichev @hackappcom 16
owaspjapan
ama_ch
stahnma
colopl
knishioka
fullkaiten
nagisa53
miu_crescent
shoheimitani
sansantech
hirosatogamo
yuu26
minorun365
chrisshort
smashingmag
addyosmani
khoart
jonoalderson
ivargrimstad
mfonobong
rkendrick25
aleyda
reverentgeek
sabderemane
varn
