Description: Providing a native mobile application in addition to an existing web solution, whether for usability, performance or connectivity reasons, has far more security implications than it may seem. Very often the mobile integration moves logic from the server to the client side, but that code can no longer be considered secret. Through the exploitation of a real-world Android application, we will see how it is possible to
- retrieve documents without paying for them
- decrypt and use them on any device despite the DRM in place
The approach combines Java reverse engineering with HTTP monitoring, making it possible to understand how basic cryptography is used in the server's authentication logic. The various vulnerabilities discovered, at both design and code level, will be detailed and serve as examples of what not to do. It will then be explained how to chain them together to collect and decrypt unauthorized resources via a Python script.
To conclude, practical recommendations will be provided to address those common categories of issues.
Biography: Jeremy Matos (@SecuringApps)
Jeremy Matos has been building secure software for the last 10 years.
With an initial academic background as a developer, he has clear insight into what a software development lifecycle looks like in practice.
Designing and developing a two-factor authentication product for 6 years made him deal with challenging threat models, particularly when delivering a public mobile application. It also gave him extensive practice in secure coding guidelines, as the solution was regularly reviewed and penetration tested by third parties.
Being responsible for integration and deployment with customers was a great opportunity for him to work with diverse production infrastructures and security providers, in critical sectors such as banking, health and industry. Understanding the various stakeholders' constraints was key to reducing operational costs as much as possible.
He has applied this experience in both internal and external consulting roles. He helped define and implement security requirements, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputation damage.
In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks.
For more information please visit: http://area41.io/
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.