What The Frida Gave Me: A Novel Take on E-Ticket Forging and E-Ticket Stealing

Presented at THOTCON 0xA (2019), May 4, 2019, 3 p.m. (50 minutes)

Millions of people rely on mobile e-ticketing applications to get from Point A to Point B every day. These applications serve as vital components for mass transit and essentially power America's major cities. But thanks to Frida - a well-known but not very popular dynamic instrumentation framework - you can easily reverse engineer mobile e-ticketing applications. In this talk, we'll explore new application-specific attack avenues using Frida. We will be leaving the jailbreak bypasses and SSL pinning bypasses of yesteryear by the wayside as we explore a new attack vector. We'll use Frida's code injection and module loading capabilities to demonstrate e-ticket forging and e-ticket "stealing." (And your commute just became that much less of a pain.) Expect to learn how to analyze intermediate-level obfuscation measures, such as encrypted HTTP bodies and encrypted application storage in mobile applications, a skill that can be instrumental in uncovering security vulnerabilities.


Presenters:

  • Priyank Nigam
    Priyank is a Senior Security Analyst at Bishop Fox and focuses mainly on secure code reviews, (web/mobile) app sec and network sec. Research interests include anything offensive - RE, mobile, IoT. He also contributes to bug bounties/responsible disclosure at regular intervals.
