Scribd
Upload
178 views11 pages

Mobile App Security Insights

This document discusses mobile app security and hacking mobile apps. It provides an overview of mobile app security risks, including vulnerabilities in Android and iOS applications and sensitive user data stored by apps. It also shares results from the author's experience penetration testing mobile apps, finding that 90% result in critical or high severity security issues. Specific examples are given of hacking a major gaming platform app and discovering unprotected APIs that exposed user invoices. The document advocates for in-depth manual penetration testing of business-critical apps and integrating security practices into development.

Uploaded by

Mohamad Ridzuan Abdul Rahman
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
178 views11 pages

Mobile App Security Insights

This document discusses mobile app security and hacking mobile apps. It provides an overview of mobile app security risks, including vulnerabilities in Android and iOS applications and sensitive user data stored by apps. It also shares results from the author's experience penetration testing mobile apps, finding that 90% result in critical or high severity security issues. Specific examples are given of hacking a major gaming platform app and discovering unprotected APIs that exposed user invoices. The document advocates for in-depth manual penetration testing of business-critical apps and integrating security practices into development.

Uploaded by

Mohamad Ridzuan Abdul Rahman
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

Mobile App

Security
Examine The Complexity To
Hacking Mobile Apps & How To
Secure Them
Abhinav Mishra

- Founder & CEO: Enciphers


- Decade+ Experience in Hacking Web/Mobile/Infra
- Author: Mobile App Reverse Engineering
- Trainer | Penetration Tester
- Twitter: 0ctac0der

2
Enciphers
- Cyber Security Consulting & Training Company
- Penetration Testing:
- Web | Mobile | Cloud | Infra
- Training:
- Web | Mobile | Cloud | Reverse Engineering
- Responsible Disclosure Management
- Bug Bounty Triaging

www.enciphers.com | training.enciphers.com

3
Mobile App Security

- Android & iOS Application


Packages
- User & Application Data
- APIs & Infrastructure
- Android & iOS vulnerabilities
- Device Security

4
Some Analytics

Mobile apps are the primary target


for hacker & malicious actors. It’s
critically important to secure the
mobile apps, which handle sensitive
user information.

In our experience 90% of mobile


application security reviews result in
critical and high severity security
issues.

5
Attacking iOS Apps

Demonstrating how login


screen of an iOS app can be
brute forced, to find the
correct PIN.

Tweet Link

6
Myths & Reality

- Operating system security controls are enough to


protect the data
- Application code can not be reverse engineered
- Traffic interception is not possible on modern platforms
like Flutter
- Client side controls are enough for defence

7
Case Study
Hacking One Of The Biggest Gaming Platform

- Analyzed the application binary, through reverse


engineering
- Bypassed the certificate pinning
- Analyzed the API endpoints
- Fuzzing for undocumented API endpoints
{app.com/api/subs/FUZZ}

8
Case Study
Hacking One Of The Biggest Gaming Platform

- Discovered an API endpoint with no access control


{app.com/api/subs/v2/invoice/[sequential
identifier]}
- Fuzzed for sequential identifier to extract all valid
invoices
- Invoices contain personal details like name, phone
number, card details (last 4 digits), address etc.

9
What’s The Answer

In-Depth Penetration Testing


Believe it or not, for all business critical applications, manual
penetration tests are proven to be the best tool.

Injecting Security Into Development


Develop secure applications, by implement secure coding
practices & security trained developers

Automate The Baseline


Even though the automated scanner fail miserably at
finding critical/high issues, they are good to perform basic
scan and checks

10
THANK YOU

Reach out to me at:

0ctac0der

[email protected]

11

You might also like