Mobile AppSec From an Attacker's Perspective
Submitted by Abhisek Datta (@abhisek) on Tuesday, 5 September 2017
This primer talk is intended to set the context for a wider discussion on Mobile App Security, with some background on web application security. It will briefly introduce participants to the various tools and techniques available in the arsenal of a potential attacker, with the objective of spreading security awareness. This will allow participants to avoid common security issues during coding and to design apps that are more secure. The expectation is that technically strong developers will be able to come up with their own mitigation strategies once they know and understand the attacker's approach.
The talk will cover a few case studies of how mobile apps can be used as entry points into a larger solution consisting of backend applications and services. It is a common practice to assume that credentials or open web service endpoints hardcoded in a mobile app will not be discovered. We will show how trivial it is to extract such information from an app through static analysis.
Abhisek has over 10 years' experience conducting security research and delivering security services, including penetration testing, source code review and expert training. He is Head of Technology at Appsecco, where his core focus is building security automation tools and techniques. He has also conducted multiple mobile app penetration tests and proposed solutions to enhance the security of mobile apps for corporate clients.
He is an active vulnerability researcher with multiple CVEs credited to his name, including CVE-2015-0085, CVE-2015-1650, CVE-2015-1682, CVE-2015-2376, CVE-2015-2555, CVE-2014-4117 and CVE-2014-6113.
As an open source software contributor, he has developed or contributed to multiple projects including:
- Wireplay – TCP Session Replay and Fuzzing Tool
- Penovox – Generic Hidden Code Extraction using Dynamic Binary Instrumentation
- HiDump – Injected Code Extraction Tool for Windows Malware Analysis
- RbWinDBG – Pure Ruby Windows User Space Debugger
- Ruby-Libnet – Ruby binding for Libnet library