What if I told you that there was an alarming number of security flaws in most major cities' mass transit apps? And what if I told you I could demonstrate the successful exploitation of these apps? In this talk, I will do precisely that. The results of successful exploitation can range from the relatively harmless "stealing" (or forging) of e-tickets to the critical exposure of customer PII and account takeovers.
Often, mobile apps are synonymous with thick clients, meaning they run locally, cannot trust their runtime, and come with the same vulnerabilities as their ancestors. As such, I will explore dynamic instrumentation using Frida and demonstrate practical use cases to bypass security.
During my presentation, you'll learn about the analysis of client-side obfuscation measures in mobile applications, such as encrypted HTTP bodies and encrypted application storage (flat files, SQLite databases, and custom mobile SDK-based encryption). This analysis can be instrumental in uncovering security vulnerabilities.