The session will provide the risk of insecure mobile application development in various types with demonstration; Client-side, Communication channel and Server side. The presentation includes case study of insecure development practice which lead attacker to abuse the vulnerable application (e.g. Coin/Gem cheating on gaming app, Bypassing security control on client-side and server-side).

1. Mobile App Hacking In A Nutshell presentation at Mobile Conf 25 Aug 2018, BKK, Thailand
Content is available under Creative Commons Attribution-ShareAlike unless otherwise noted.
Mobile app hacking
in a nutshell
Prathan Phongthiproek
2600 Thailand

2. Chapter one
The Attitude

3. 1
The
MistakenHacker
Point of View

4. 1
The
MistakenSecurity Through
Obscurity

5. Chapter two
init 1

6. What is Mobile app ?

7. Attack Surface on Web Application

8. Attack Surface on Mobile Application

9. Why does it matter ?

12. Runtime Manipulation

13. Root/Jailbreak
Detection

14. Runtime
Manipulation Binary Patching

15. Patch Them All - Android

16. Patch Them All - iOS

17. Is secure channel enough ?
SSL/TLS

18. The SSL Pinning Rises

19. SuperSU SSL Pinning

20. Manipulating request/response
over secure channel
SSL/TLS

21. Attacking on API

22. Mobile Application Hacking Diary Ep.1
https://www.exploit-db.com/papers/26620/
Internet

23. Chapter three
Shields Up

24. Quick Wins !!
o Secure coding and configuration practices (e.g. OWASP) on server-side:
• REST Security Cheatsheet
• Authentication Cheatsheet
• Session Management Cheatsheet
• Cryptographic Storage Cheatsheet
• Password Storage Cheatsheet
• Transaction Authorization Cheatsheet
• Access Control Cheatsheet
o SSL Pinning Implementation(End-to-end encryption is preferred)
o Code Obfuscation

25. OWASP MASVS
https://github.com/OWASP/owasp-masvs

26. Thank you
init 0