A talk on the essence of Mobile app and mobile security. The agenda was as follows: Why we need to secure the mobile apps! What do you check when installing an app ? Mobile app security assessment Some interesting cases of vulnerabilities Let’s takeover your account My Research and reported vulnerabilities

1. Ankit Giri
Security Researcher
The curious case of
Mobile App Security

2. About Me: (@aankitgiri)
 Web and Mobile Application Security Researcher
 Bug Hunter
(Hall of Fame: EFF, GM, HTC, Sony, Mobikwik, Pagerduty )
 Blogger, Orator and an active contributor to OWASP and
null Community
 The Most Viewed Writer in Web application Security,
Network Security and Penetration Testing on Quora

3. About Me: (@aankitgiri)

4. About Today's Talk:
● Why we need to secure the mobile apps!
● What do you check when installing an
app ?
● Mobile app security assessment
● Some interesting cases of vulnerabilities
● Let’s takeover your account
● My Research and reported vulnerabilities

5. Why we need to secure the
mobile apps!
● The mobile application is becoming the
interface between enterprise and end user.
● In contrast to web applications, where if your
website had a security vulnerability you could
rectify it and release the safe code.In mobile
app, the vulnerable version is very difficult to
remove from the user’s devices.

6. Why we need to secure the
mobile apps!

7. Have you seen this?

8. What do you check when installing an
app ?
An application when being
installed always asks you to
provide it with certain
permissions such as to read
sms, listen to the mic etc.

9. Let’s takeover your account

10. Demo:
Online accounting software for your small business
This vulnerability allowed a malicious app (or an attacker) to kill
the following application being used by the user. If the same
activity is being repeated by the attacker, the user will not be able
to use app and do any meaningful work as the vulnerable app will
keep on crashing.
This is also known as “Denial of Service”.
Reason: Improper permissions set in the app activities

11. Demo:
Online accounting software for your small business
This vulnerability allowed an user to set a weak password, which
was not possible in the web application of the same. The same
can lead to account takeover of an user.
This is also known as “Password Policy bypass”.
Reason: Missing password policy implementation

12. Vulnerability - Authentication Bypass
Application - PayPal mobile app
Severity - High
Found By - Zach Lanier
PayPal 2FA
Security Approval Restriction Auth Bypass
Session Vulnerability

13. Description of the Attack
The authentication flow for PayPal’s API web services. In particular, api.paypal.com, a
REST-ful API which uses OAuth for authentication/authorization, does not directly enforce
two-factor authentication requirements server-side when authenticating a user.
*The standard browser-based PayPal web interface is not affected by the bypass. However, since an attacker
can simply use the underlying API to gain full account access, this distinction is purely academic.

14. Cause:
The vulnerability lies primarily in the authentication flow for the PayPal API web service
(api.paypal.com) — an API used by PayPal’s official mobile applications.

16. Impact
An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected
account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed
and essentially nullified.
While PayPal’s mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the
PayPal mobile applications into ignoring the 2FA flag on the account, subsequently allowing the an attacker to
log in without requiring secondary authentication.

17. Thank You!
Ankit Giri
agiri@securitycompass.com
www.securitycompass.com