Cracking the Mobile Application Code by Sreenarayan A. at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Attacking and Defending Apple iOS Devices - Tom Eston
IT loves to use Apple iPhones and iPads, but hates supporting them. For most environments, they represent the exception, and are not subject to standard corporate controls. The reason the exception is allowed is usually the fact that the CEO bought an iPhone and iPad the day they were released, and then quickly filled them with sensitive corporate data. With their portability and popularity, it is only a matter of time before one of these devices ends up missing. How worried should you be? This presentation will cover the latest real-world attack techniques for compromising Apple’s iOS devices, introduce a new assessment methodology that can be used by penetration testers, and discuss the latest defensive techniques for securely deploying iOS devices within your enterprise.
The Password Is Dead: An Argument for Multifactor Biometric Authentication - Veridium
In 2015, 63 percent of all confirmed data breaches were the result of weak, default, or stolen passwords. In fact, this was the second primary cause of all data breaches, globally, according to the 2016 Verizon Data Breach Investigations Report.
The death of passwords has been heralded for over a decade now, but these reports were often greatly exaggerated. However, in recent years this has begun to change, as new technologies are allowing companies to change how they secure access to digital assets. From traditional usernames and passwords to two-factor authentication, outdated security practices are failing to keep data secure. Whether it’s a lack of user adoption or actual flaws in the security infrastructure, businesses need a better option to protect access to their most important resources.
In this webinar, we will discuss the prevalence of data breaches today and where passwords and two-factor authentication fall short, followed by how biometrics, when properly deployed through end-to-end solutions like HoyosID, can provide the missing piece for fully securing digital access.
Discusses how to perform malware analysis on Android devices. Initially presented at BSidesDE 2011 (in a much more fun format), the version here is as-presented at Rochester Security Summit 2011.
UI-Redressing Attacks - The Process & Exploitation by Amol Naik at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Web Application Security 101 - 02 The Basics - Websecurify
In part 2 of Web Application Security 101 we cover the basics of HTTP, HTML, XML, JSON, JavaScript, CSS and more in order to get you up to speed with the technology. This knowledge will be used during the rest of the course to explore the various security aspects affecting web applications today.
Leveraging Mobile & Wireless Technology for Law and Order by Lishoy Bhaskar at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
"I haz you and pwn your maal" by Harsimran Walia @b44nz0r at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
As most people are aware, mobile banking applications have expanded considerably in recent years. The Czech Republic is no exception: nearly all banks have developed a mobile application for the modern mobile operating systems. Although different banks implement their security concepts in different ways, it is possible to discuss typical situations and problems that inevitably appear while designing mobile banking applications.
Reading Group Presentation: Why Eve and Mallory Love Android - Michael Rushanan
This presentation contains multiple pointers to academic research pertaining to Android and its security model. I presented these works to a weekly Security and Privacy reading group.
The academic proceeding can be found here:
www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
How to Test Security and Vulnerability of Your Android and iOS Apps - Bitbar
Watch a live presentation at http://offer.bitbar.com/how-to-test-security-and-vulnerability-of-your-android-and-ios-apps
The majority of today’s mobile apps consist of third-party code/libraries. This is a prudent and well-accepted development practice that offloads the task of developing code for non-core functions of your mobile app or game. Identifying third-party code, its vulnerabilities and its license restrictions is critical in order to understand your security exposure and your liability.
Stay tuned and join our upcoming webinars at http://bitbar.com/testing/webinars/
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao - Shakacon
Since 2014, fifteen new malware or riskware families have successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affecting thousands of iOS apps and tens of millions of users around the world. Ten of them even bypassed Apple’s code vetting and appeared in the App Store. In this presentation, we will systematically study how this malware, riskware and some proofs-of-concept infect non-jailbroken devices via practical vectors and approaches, including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attacks, abusing MDM solutions, abusing private APIs, exploiting design flaws or app-level vulnerabilities, and stealing private data. For each topic, we will introduce its implementation, explore real-world cases, analyze its risks and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in the near future. We will also share some stories of how we discovered these interesting iOS malware families. Through this talk, audiences can make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
If you think that ZXing is all you need to do barcode scanning on Android and you're happy with it, this presentation is not for you.
Barcodes are a very old technology that is not going away anytime soon, and if you need to scan a lot of barcodes it is better to know what the alternatives are.
This slide deck covers automated and manual static code discovery of Android applications using open-source tools, reverse engineering of APK files, and secure code review.
Similar to Cracking the Mobile Application Code (20)
UiPath Test Automation using UiPath Test Suite series, part 3 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 - Tobias Schneck
As AI technology is pushing into IT, I was wondering, as an “infrastructure container Kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. With practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial to or limiting your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I have already got working for real.
Key Trends Shaping the Future of Infrastructure - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Cracking the Mobile Application Code
1. Cracking the Mobile Application Code
- Sreenarayan A, Paladion Mobile Security Team
2. Takeaways for the day
• Purpose of decompiling mobile applications
• Methodology of decompilation
• Live demos:
– Android app
– iOS (iPhone / iPad) app
– BlackBerry apps / Nokia app
3. Why is security relevant for the mobile platform?
• 400% increase in the number of organizations developing mobile-platform applications.
• 300% increase in the number of mobile banking applications.
• 500% increase in the number of people using their mobile phones for day-to-day transactions.
• 82% chance of end users not using their mobile phones with proper caution.
• 79% chance of mobile phone users jailbreaking their phones.
• 65% chance of mobile phone users not installing anti-virus on their mobile phones.
• 71% chance of any application being misused.
• 57% chance of a user losing sensitive credentials to a hacker.
10. Why did we learn the above types?
• Which applications can be decompiled?
– WAP mobile applications?
– Native mobile applications?
– Hybrid mobile applications?
• We have to know the basics first!
12. Cracking the Mobile Application Code
• What is meant by reverse engineering?
• What is meant by decompilation? -> What is compilation?
Questions to be answered:
• What are the goals/purposes of cracking the code?
• What is the methodology of decompilation?
• Which tools can be used to decompile?
• Can decompilation be done on all platforms?
1. Android?
2. iPhone / iPad?
3. BlackBerry?
4. Nokia?
14. Goals of Cracking the Source Code
• “Understand the working of the application and figure out the loopholes!”
• Find treasure keywords (password, key, sql, algo, AES, DES, Base64, etc.)
• Figure out the algorithms used and their keys.
• Bypass client-side checks by rebuilding the app.
• E.g. password in a banking application (sensitive information)
• E.g. Angry Birds malware (stealing data)
• E.g. Zitmo malware (sending SMS)
• We have understood the goals; how do we achieve them? Methodology.
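As an added example (not from the deck), a small scanner that does the "treasure keyword" hunt of this slide over a directory of decompiled sources. It extends the slide's list with two Java crypto identifiers (SecretKeySpec, Cipher.getInstance) and sorts hits that share a line with a string literal to the top, since that is the usual shape of a hardcoded key or password. The sample Java and XML files it scans are constructed here and are not from any real app.

```python
"""Scan decompiled mobile-app sources for 'treasure keywords' (slide 14).

Added example, not from the original deck: walks a directory of decompiled
files, reports each hit with file, line number and snippet, and flags lines
that also carry a string literal (the usual shape of a hardcoded secret).
"""
import os
import re
import tempfile

# Keyword list from slide 14, extended with two identifiers that betray hand-rolled crypto.
TREASURE_KEYWORDS = [
    "password", "passwd", "secret", "key", "sql", "algo",
    "AES", "DES", "Base64", "SecretKeySpec", "Cipher.getInstance",
]
SOURCE_EXTS = {".java", ".smali", ".js", ".xml", ".plist", ".json", ".properties"}

# Longest keywords first so 'SecretKeySpec' is reported as itself, not as 'secret' + 'key'.
# Matching is deliberately loose (case-insensitive substring): decompiled code is camelCase
# ('mPassword', 'getKey'), so word boundaries would hide exactly the hits we want.
_KEYWORD_RE = re.compile(
    "|".join(re.escape(k) for k in sorted(TREASURE_KEYWORDS, key=len, reverse=True)),
    re.IGNORECASE,
)
# A quoted literal of four or more characters on the same line.
_STRING_LITERAL_RE = re.compile(r'"[^"\n]{4,}"')


def scan_text(text, path="<memory>"):
    """Return hits as (path, line_no, keyword_as_written, has_literal, snippet)."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _KEYWORD_RE.finditer(line):
            has_literal = bool(_STRING_LITERAL_RE.search(line))
            hits.append((path, line_no, m.group(0), has_literal, line.strip()))
    return hits


def scan_tree(root):
    """Walk a decompiled tree (JD-GUI / apktool output) and scan every source-like file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SOURCE_EXTS:
                continue  # images, fonts, .so files: not worth a text scan
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_text(fh.read(), os.path.relpath(path, root)))
    # Hits that sit on a line with a string literal are the promising ones: show them first.
    hits.sort(key=lambda h: (not h[3], h[0], h[1]))
    return hits


# Constructed sample 'decompiled' sources (not from a real application).
SAMPLE_JAVA = '''package com.example.bank;
public class Crypto {
    private static final String KEY = "1234567890abcdef";
    private static final String IV = "fedcba0987654321";
    public static byte[] encrypt(byte[] data) throws Exception {
        SecretKeySpec ks = new SecretKeySpec(KEY.getBytes(), "AES");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, ks, new IvParameterSpec(IV.getBytes()));
        return c.doFinal(data);
    }
}
'''
SAMPLE_XML = '<resources>\n    <string name="api_password">s3cr3t</string>\n</resources>\n'


def build_sample_tree():
    """Write the constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="decompiled_")
    layout = {
        "sources/com/example/bank/Crypto.java": SAMPLE_JAVA,
        "res/values/strings.xml": SAMPLE_XML,
        "res/drawable/icon.png": "\x89PNG not a text file",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, line_no, kw, literal, snippet in scan_tree(build_sample_tree()):
        print("%s %s:%d [%s] %s" % ("!" if literal else " ", path, line_no, kw, snippet))
```

Point scan_tree() at the output of JD-GUI or apktool and treat the listing as a starting point for manual review rather than a verdict: "key" will also hit KeyEvent and friends, and "DES" hits "description", which is the price of catching camelCase identifiers.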
16. Methodology / Study
S1: Gaining access to the executable.
S2: Understanding the technology used to code the application.
S3: Finding out ways to derive the object code from the executable.
S4: Figuring out a way to derive the class files from the object code.
S5: Figuring out a way to derive the function definitions from the object code.
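Steps S1 to S3 on Android, as an added example that is not part of the deck: an APK is a ZIP archive, so the technology question of S2 (native Dalvik code, hybrid WebView app, bundled native libraries) can be answered from the member names, and classes.dex (the object code of S3) can be sanity-checked against the DEX header's magic, Adler-32 checksum and size fields before it goes into dex2jar and JD-GUI. The APK and the DEX blob are constructed in memory; the member list and the library name libcrypto_helper.so are assumptions for the demo, not taken from any real app.

```python
"""Triage a mobile app package before decompiling it (deck steps S1-S3).

Added example, not from the original deck. Reads an APK as the ZIP it is,
classifies the app from its members, and validates every top-level .dex
against the DEX header (magic, Adler-32 checksum, file_size, header_size).
"""
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70          # fixed-size header of every .dex file
DEX_MAGIC_PREFIX = b"dex\n"     # followed by a 3-digit version and a NUL, e.g. b"dex\n035\0"


def check_dex_header(data):
    """Validate a DEX blob: returns (ok, reason, version).

    Header layout used here: magic[8], checksum uint32 (Adler-32 over everything after
    the checksum field), signature[20] (SHA-1, not verified here), file_size, header_size.
    A checksum or size mismatch usually means a truncated pull or a packed/obfuscated dex
    that needs unpacking before dex2jar will get anywhere.
    """
    if len(data) < DEX_HEADER_SIZE:
        return False, "shorter than a DEX header", None
    magic = data[:8]
    if not magic.startswith(DEX_MAGIC_PREFIX) or magic[7:8] != b"\0":
        return False, "bad magic %r" % magic, None
    version = magic[4:7].decode("ascii", "replace")
    stored = struct.unpack_from("<I", data, 8)[0]
    computed = zlib.adler32(data[12:]) & 0xFFFFFFFF
    if stored != computed:
        return False, "checksum mismatch (stored %08x, computed %08x)" % (stored, computed), version
    file_size, header_size = struct.unpack_from("<II", data, 32)
    if file_size != len(data) or header_size != DEX_HEADER_SIZE:
        return False, "file_size/header_size disagree with the blob", version
    return True, "ok", version


def triage_apk(apk_bytes):
    """Classify an APK by its ZIP members and check every top-level .dex inside it."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = zf.namelist()
    report = {
        "dex_files": sorted(n for n in names if n.endswith(".dex") and "/" not in n),
        "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
        "web_assets": sorted(n for n in names if n.startswith("assets/www/")),
        "signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                      for n in names),
    }
    if report["web_assets"]:
        kind = "hybrid (WebView + bundled HTML/JS)"      # look at the JS, not only the dex
    elif report["dex_files"]:
        kind = "native (Dalvik/Java)"
    else:
        kind = "unknown (no classes.dex)"
    if report["native_libs"]:
        kind += " with native code (.so)"                # needs a disassembler, not JD-GUI
    report["kind"] = kind
    report["dex_checks"] = {n: check_dex_header(zf.read(n)) for n in report["dex_files"]}
    return report


def build_dex_blob(version=b"035", payload=b"\0" * 16, corrupt=False):
    """Construct a minimal header-valid DEX blob (test data, not a real program)."""
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = DEX_MAGIC_PREFIX + version + b"\0"
    struct.pack_into("<II", header, 32, DEX_HEADER_SIZE + len(payload), DEX_HEADER_SIZE)
    struct.pack_into("<I", header, 40, 0x12345678)        # endian_tag, little-endian
    blob = bytes(header) + payload
    checksum = zlib.adler32(blob[12:]) & 0xFFFFFFFF
    if corrupt:
        checksum ^= 1                                      # simulate a tampered/truncated dex
    return blob[:8] + struct.pack("<I", checksum) + blob[12:]


def build_sample_apk(corrupt_dex=False):
    """Construct an APK-shaped ZIP: hybrid app plus a native helper library (assumed names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary-XML stub
        zf.writestr("classes.dex", build_dex_blob(corrupt=corrupt_dex))
        zf.writestr("lib/armeabi-v7a/libcrypto_helper.so", b"\x7fELF" + b"\0" * 12)
        zf.writestr("assets/www/index.html", b"<html><script src='app.js'></script></html>")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print("%-12s %s" % (key, value))
```

Run triage_apk() on the bytes of a real APK pulled from a device (`adb pull`) or from a backup; a failing dex check on an app that still runs is itself a finding, since it usually means a packer rewrites the dex at load time and the static decompile will only show the stub.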
20. Demo - Reverse Engineer the BlackBerry Application
• Tools used:
- JD-GUI (Java Decompiler)
- Notepad
• There are two types of application files found on BlackBerry:
1. .jar (.jad -> .jar)
2. .cod (.jad -> .cod, BlackBerry code files)
• Steps
1. .jar -> .java (JD-GUI)
or
1. Open .cod in Notepad (no luck!)
• Demo
• Limitation
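The .jad step of this demo, as an added example that is not from the deck: a .jad is a plain-text "Key: value" descriptor in which MIDlet-Jar-URL names the J2ME jar that JD-GUI can decompile and RIM-COD-URL, RIM-COD-URL-1, RIM-COD-URL-2, ... name the BlackBerry .cod modules. Opening a .cod in Notepad gets you nowhere, but a .cod that starts with "PK" is a ZIP container holding sibling .cod files (a property of the BlackBerry file format, not something the deck states), so the script below sniffs each referenced file and says which tool applies next, and compares the declared sizes with what is on disk so a truncated download is caught before the decompile. The descriptor and files are constructed in a temp directory; "MobileBank" is an assumed name.

```python
"""Resolve the executables a BlackBerry .jad points at (deck step S1).

Added example, not from the original deck. Parses the descriptor, lists the
.jar / .cod files it references, checks they exist with the declared size,
and classifies each by magic bytes (JD-GUI for jars, unzip for .cod containers).
"""
import os
import re
import tempfile
import zipfile

_COD_URL_RE = re.compile(r"^RIM-COD-URL(?:-(\d+))?$")


def parse_jad(text):
    """Parse 'Key: value' lines of a .jad into a dict."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def referenced_executables(attrs):
    """Return [(kind, filename, declared_size_or_None)]: jar first, then .cod modules by index."""
    refs = []
    if "MIDlet-Jar-URL" in attrs:
        size = attrs.get("MIDlet-Jar-Size")
        refs.append(("jar", attrs["MIDlet-Jar-URL"], int(size) if size else None))
    cods = []
    for key, value in attrs.items():
        m = _COD_URL_RE.match(key)
        if not m:
            continue
        suffix = "-" + m.group(1) if m.group(1) else ""
        size = attrs.get("RIM-COD-Size" + suffix)      # RIM-COD-Size, RIM-COD-Size-1, ...
        cods.append((int(m.group(1) or 0), value, int(size) if size else None))
    refs.extend(("cod", name, size) for _idx, name, size in sorted(cods))
    return refs


def sniff(path):
    """Say what a referenced file really is, from its first bytes, and which tool comes next."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
        if any(n.endswith(".class") for n in names):
            return "jar: Java classes, decompile with JD-GUI"
        inner = [n for n in names if n.endswith(".cod")]
        if inner:
            return "cod container: unzip to get %d sibling .cod module(s)" % len(inner)
        return "zip: unknown contents"
    return "raw cod module: proprietary binary, a text editor will not help"


def locate(jad_text, directory):
    """Resolve every executable the .jad points at, relative to `directory`."""
    results = []
    for kind, name, declared in referenced_executables(parse_jad(jad_text)):
        path = os.path.join(directory, os.path.basename(name))   # URL or bare filename
        if not os.path.exists(path):
            results.append({"kind": kind, "name": name, "status": "missing"})
            continue
        actual = os.path.getsize(path)
        results.append({"kind": kind, "name": name, "status": sniff(path),
                        "size_ok": declared is None or declared == actual})
    return results


def build_sample(directory):
    """Construct a fake BlackBerry download directory and return its .jad text (test data)."""
    jar = os.path.join(directory, "MobileBank.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("com/example/bank/Login.class", b"\xca\xfe\xba\xbe" + b"\0" * 16)
    container = os.path.join(directory, "MobileBank.cod")
    with zipfile.ZipFile(container, "w") as zf:
        zf.writestr("MobileBank.cod", b"\0" * 32)
        zf.writestr("MobileBank-1.cod", b"\0" * 32)
    # MobileBank-1.cod is deliberately absent on disk; the descriptor references it anyway.
    return "\n".join([
        "MIDlet-Name: MobileBank",
        "MIDlet-Version: 1.0.3",
        "MIDlet-Vendor: Example Bank",
        "MIDlet-Jar-URL: MobileBank.jar",
        "MIDlet-Jar-Size: %d" % os.path.getsize(jar),
        "RIM-COD-URL: MobileBank.cod",
        "RIM-COD-Size: %d" % (os.path.getsize(container) + 1),   # wrong on purpose
        "RIM-COD-URL-1: MobileBank-1.cod",
        "RIM-COD-Size-1: 4096",
    ])


if __name__ == "__main__":
    workdir = tempfile.mkdtemp(prefix="bb_")
    for entry in locate(build_sample(workdir), workdir):
        print(entry)
```

Point locate() at the directory where the .jad and its downloads landed; the jar entries go to JD-GUI exactly as in the demo, and the .cod entries tell you whether you are holding a container to unzip or a raw module for which JD-GUI is the wrong tool.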
21. Tip - Reverse Engineer the Windows Phone Application
• Tools used:
- .NET decompiler
- Visual Studio with Windows Phone SDK
22. Palisade Articles
• iOS vs Android Testing
• Mobile Data Encryption
• Mobile Application Security Testing
• Demystifying the Android
• And …
• Website link: palpapers.paladion.net