Reverse Engineering Mobile Apps: Never Pay for Transit Again

Presented at BSidesLV 2019, Aug. 6, 2019, 2 p.m. (55 minutes).

What if I told you that there was an alarming number of security flaws in most major cities' mass transit apps? And what if I told you I could demonstrate the successful exploitation of these apps? In this talk, I will do precisely that. The results of successful exploitation can range from the relatively harmless ""stealing"" (or forging) of e-tickets to the critical exposure of customer PII information and account takeovers.

Often, mobile apps are synonymous with thick clients - meaning they run locally and cannot trust their runtime, and come with the same vulnerabilities as their ancestors. As such, I will explore dynamic instrumentation using Frida and demonstrate practical use-cases to bypass security.

During my presentation, you'll learn about the analysis of client-side obfuscation measures such as encrypted HTTP body and encrypted application storage (flat files/SQliteDb/Custom mobile SDK-based encryption) in mobile applications, which can be instrumental in uncovering security vulnerabilities.


Presenters:

  • Priyank Nigam
    As a senior security engineer, Priyank's primary areas of focus are mobile application penetration testing and secure source code reviews. Over the past 4 years, he has advised Fortune 500 brands and startups and does mobile and IoT related research in his spare time. He also believes it is unwise to place trust in your smartphones.

Similar Presentations: