Hunting Vulnerabilities of gRPC Protocol Armed Mobile/IoT Applications

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 2:20 p.m. (40 minutes)

Google's open source network communication protocol, gRPC, has been used by thousands of mobile applications, including some IoT devices, and supports tens of billions of network services every day. Unlike the traditional HTTPS protocol, gRPC is faster, more secure and more usable. Through research, it was found that due to the reliability of the private protocol, developers often ignore the security verification mechanism of the application itself, causing a large number of security vulnerabilities in some applications.

The main reasons for these problems: in mobile applications, when developers use the gRPC protocol, they usually don't pay attention to the integrity and reliability of the data sent by the mobile application. Because the application uses SSL certificate verification and data signature verification, they ignore the security logic behind the server application.

During this talk, we will introduce a method for automatically fuzzing for vulnerabilities in the mobile application server interface. Through this method, in the past year, we have discovered hundreds of vulnerabilities in the application interfaces of hundreds of millions of users, including serious vulnerabilities such as SSRF, command execution, and unauthorized access to logic.

Presenters:

  • Hao Zhao - Chief Mobile Security Architect, Ant Group
    Hao Zhao is the chief mobile security architect at Ant Group and the founder of Ant Group Frontage Security Lab. He has more than 8 years of experience in mobile and IoT security research. He is also responsible for Ant Group's client security defense building. He has shared many of his research results at Black Hat and RSAC.
  • Shijie Cao - Security Researcher, Ant Group
    Shijie Cao is a security researcher in TianChen Lab of Ant Group. He has been engaged in mobile/IoT security for 6 years and focuses on researching mobile security architecture construction and application vulnerability fuzzing. During the past year, his research has been on automated vulnerability fuzzing on mobile applications and IoT, and hundreds of security vulnerabilities have been discovered.
