THE WEIRD, THE BAD AND THE UGLY
MOBILE DEVELOPER WEEKEND
AHMED YOSSEF
ROAD MAP
▸ Mobile Apps vs Web Apps
▸ Mobile Apps Pentesting Environment
▸ The Weird - Gov app
▸ The bad - eCommerce app
▸ The ugly - that looked pretty
whoami
▸ Software Developer since 2007
▸ Desktop, Web, iOS, Android and JME
▸ Penetration Testing since 2015
▸ Applications Security Specialist, Solution Architect and Trainer
Mobile Apps vs Web Apps
THE WEIRD, THE BAD AND THE UGLY
FIRST THINGS FIRST ..
During a penetration test, what is the first thing to look for?
SQL Injection?
Cross Site Scripting?
THE WEIRD, THE BAD AND THE UGLY
WHERE SOFTWARE LIVES
(Diagram: the software stack, layer by layer)
OS
FTP Server
Mail Server
Web Server
Web Application
THE WEIRD, THE BAD AND THE UGLY
WHY MOBILE APPS SECURITY MATTERS!
Custom built software
New Platform*
Local storage
Sometimes reversible
Needed ASAP
Limited Tampering**
* New with respect to Web Application Security and definitely to Network Security
** Limited user access gives developers a very misleading sense of security
Mobile Apps Pentesting Env.
THE WEIRD, THE BAD AND THE UGLY
BASIC ENVIRONMENT SETUP
Physical device or Emulator (genymotion)
HTTP Proxy (BurpSuite or ZAP)
Backend Server (nvm, it is already there)
THE WEIRD, THE BAD AND THE UGLY
BASIC STEPS
1 Start the proxy and intercept the traffic
2 Identify parameters and API end points
3 Tamper data and mess with the logic
The Weird
GOVERNMENTAL app!
THE WEIRD, THE BAD AND THE UGLY
ABOUT THE APP
It was a governmental app for public consumers
Using the ministry's data centre for backend hosting
THE WEIRD, THE BAD AND THE UGLY
ISSUES FOUND
One API end point with different parameters
Parameters like:
item=tbl_news&limit=10
THE WEIRD, THE BAD AND THE UGLY
WHAT I DID
item=tbl_users&limit=100
Hashed Passwords
Weak Passwords
THE WEIRD, THE BAD AND THE UGLY
WHAT I FOUND
Username: admin
Password: *******
Works on the Admin Portal
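As an added example (not code from the talk or the app), the slide's item parameter modelled in Python against an in-memory SQLite database: the vulnerable handler uses the client's value as a table name, while the hardened handler maps a public resource name to a fixed table and column list and clamps the limit. Table names, rows and the resource map are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the deck's single list endpoint. Both tables and all
# rows are made up; they exist only to reproduce the item=tbl_users problem.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_news (id INTEGER, title TEXT)")
    db.execute("CREATE TABLE tbl_users (id INTEGER, username TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO tbl_news VALUES (?, ?)",
                   [(1, "Office hours extended"), (2, "New portal launched")])
    db.executemany("INSERT INTO tbl_users VALUES (?, ?, ?)",
                   [(1, "admin", "<constructed-hash>"), (2, "clerk", "<constructed-hash>")])
    return db


def list_items_vulnerable(db, params):
    """As on the slide: the client-supplied 'item' value becomes the table
    name, so item=tbl_users&limit=100 returns the user table."""
    table = params.get("item", "tbl_news")
    limit = int(params.get("limit", 10))
    return db.execute(f"SELECT * FROM {table} LIMIT ?", (limit,)).fetchall()


class ForbiddenResource(Exception):
    """Raised when a client asks for something outside the public map."""


# Hardened form: the client names a public *resource*; the server maps it to a
# fixed table and a fixed column list. Nothing else is reachable, and the
# limit is clamped so a huge value cannot page out an entire table.
PUBLIC_RESOURCES = {
    "news": ("tbl_news", ("id", "title")),
}
MAX_LIMIT = 50


def list_items_hardened(db, params):
    resource = params.get("item", "news")
    if resource not in PUBLIC_RESOURCES:
        raise ForbiddenResource(resource)
    table, columns = PUBLIC_RESOURCES[resource]
    try:
        limit = int(params.get("limit", 10))
    except (TypeError, ValueError):
        limit = 10
    limit = max(1, min(limit, MAX_LIMIT))
    # table and column names come from the server-side map, never from the client
    sql = f"SELECT {', '.join(columns)} FROM {table} LIMIT ?"
    return db.execute(sql, (limit,)).fetchall()


def is_rejected(db, params):
    """Convenience check: does the hardened handler refuse this request?"""
    try:
        list_items_hardened(db, params)
    except ForbiddenResource:
        return True
    return False
```

Note that even the raw name of the public table (item=tbl_news) is refused by the hardened handler: clients never learn or choose table names at all.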
The Bad
The epic failure
THE WEIRD, THE BAD AND THE UGLY
ABOUT THE APP
It is an eCommerce App
With mobile payment and online purchase enabled
THE WEIRD, THE BAD AND THE UGLY
ISSUES FOUND
Mobile application connects to the API without an access token
Auto-increment user IDs
Reset password API doesn't require the current password
THE WEIRD, THE BAD AND THE UGLY
WHAT I DID
Python script with a single for loop calling the getProfile service
Dump personal data of 170K+ users
THE WEIRD, THE BAD AND THE UGLY
WHAT I DID NOT DO
Python script with a single for loop calling the resetPassword service
Reset passwords of all the system's users
THE WEIRD, THE BAD AND THE UGLY
WHAT I DID NOT DO
Use the API to add items to someone's shopping cart
Edit their shipping address to mine
Call the checkout service
Get expensive products for free
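Added example, not part of the talk: detection logic for the getProfile enumeration described above, run over a constructed access log. It groups calls per source address, counts distinct userId values inside a one-minute window, and records whether the ids were strictly sequential (the auto-increment pattern) and whether the calls carried any credential. The log format, endpoint path and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real traffic): one client walks
# sequential user ids through getProfile with no credential, while another
# client fetches only its own profile with a bearer token.
SAMPLE_LOG = """\
2019-03-02T10:00:00Z 203.0.113.7 GET /api/getProfile?userId=1001 200 auth=-
2019-03-02T10:00:00Z 203.0.113.7 GET /api/getProfile?userId=1002 200 auth=-
2019-03-02T10:00:01Z 203.0.113.7 GET /api/getProfile?userId=1003 200 auth=-
2019-03-02T10:00:01Z 203.0.113.7 GET /api/getProfile?userId=1004 200 auth=-
2019-03-02T10:00:02Z 203.0.113.7 GET /api/getProfile?userId=1005 200 auth=-
2019-03-02T10:00:02Z 203.0.113.7 GET /api/getProfile?userId=1006 200 auth=-
2019-03-02T10:00:03Z 198.51.100.4 GET /api/getProfile?userId=4410 200 auth=bearer
2019-03-02T10:00:09Z 198.51.100.4 GET /api/getCart?userId=4410 200 auth=bearer
"""

# Assumed log layout: timestamp, client ip, method, path, status, auth marker.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>\S+)$"
)
ID_RE = re.compile(r"[?&]userId=(\d+)")


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        uid = ID_RE.search(m["path"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "path": m["path"].split("?")[0],
            "status": int(m["status"]),
            "auth": m["auth"],
            "user_id": int(uid.group(1)) if uid else None,
        })
    return events


def detect_enumeration(events, endpoint="/api/getProfile",
                       window=timedelta(seconds=60), threshold=5):
    """Per source ip, slide a time window over successful calls to `endpoint`
    and flag the ip once it has requested `threshold` distinct user ids inside
    one window. The finding keeps the widest qualifying window seen."""
    per_ip = defaultdict(list)
    for e in events:
        if e["path"] == endpoint and e["user_id"] is not None and e["status"] == 200:
            per_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ids = sorted({e["user_id"] for e in evs[start:end + 1]})
            if len(ids) >= threshold and len(ids) > findings.get(ip, {}).get("distinct_ids", 0):
                findings[ip] = {
                    "distinct_ids": len(ids),
                    # an unbroken run of consecutive ids is the auto-increment signature
                    "sequential": ids == list(range(ids[0], ids[0] + len(ids))),
                    "unauthenticated": all(e["auth"] == "-" for e in evs[start:end + 1]),
                }
    return findings
```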
The Ugly
That looked pretty
THE WEIRD, THE BAD AND THE UGLY
ABOUT THE APP
It is a restaurant chain app
App seemed secure at first glance!
THE WEIRD, THE BAD AND THE UGLY
ISSUES FOUND
Token Based Authentication .. so far so good
App applies Authentication without Authorisation
Log in to your account
Get a token that can be used to access others' accounts
THE WEIRD, THE BAD AND THE UGLY
WHAT I DID
Dump other users' data
Data Manipulation
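Added example serving both the eCommerce case and this one (not the apps' own code): an in-memory user store with a getProfile that only checks that a token exists, beside a version that derives the account from the token and refuses any other user id, plus a password reset that acts only on the caller's account and re-verifies the current password. User names, ids and passwords are constructed.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Constructed in-memory store. Ids are sequential on purpose, as in the
    eCommerce app: that must not matter once every request is tied to the
    account behind the token."""
    def __init__(self):
        self.users = {}     # user_id -> record
        self.sessions = {}  # token -> user_id

    def add_user(self, user_id, name, password):
        salt, digest = hash_password(password)
        self.users[user_id] = {"name": name, "email": f"{name}@example.invalid",
                               "salt": salt, "pw": digest}

    def login(self, user_id, password):
        u = self.users[user_id]
        if not hmac.compare_digest(hash_password(password, u["salt"])[1], u["pw"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token


class AuthError(Exception):
    pass


def get_profile_unsafe(store, token, user_id):
    """The restaurant app's pattern: the token proves *someone* logged in,
    then any user_id from the request is served."""
    if token not in store.sessions:
        raise AuthError("no valid token")
    u = store.users[user_id]
    return {"name": u["name"], "email": u["email"]}


def get_profile(store, token, user_id):
    """Hardened: the subject is whoever owns the token; a mismatching user_id
    in the request is refused rather than trusted."""
    caller = store.sessions.get(token)
    if caller is None:
        raise AuthError("no valid token")
    if caller != user_id:
        raise AuthError("forbidden")
    u = store.users[caller]
    return {"name": u["name"], "email": u["email"]}


def reset_password(store, token, current_password, new_password):
    """Hardened reset for the eCommerce case: no user_id parameter at all,
    the current password is re-checked, and other sessions are revoked."""
    caller = store.sessions.get(token)
    if caller is None:
        raise AuthError("no valid token")
    u = store.users[caller]
    if not hmac.compare_digest(hash_password(current_password, u["salt"])[1], u["pw"]):
        raise AuthError("current password mismatch")
    u["salt"], u["pw"] = hash_password(new_password)
    for t, uid in list(store.sessions.items()):
        if uid == caller and t != token:
            del store.sessions[t]
    return True


def is_denied(fn, *args):
    """Helper: True when the call is refused with AuthError."""
    try:
        fn(*args)
    except AuthError:
        return True
    return False
```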
Summary
Wrap Up
THE WEIRD, THE BAD AND THE UGLY
REMEMBER
1 Mobile App Interface is not the only interface to be used
2 Authentication using user id is not authentication
3 It is not enough to authorise the login screen only
4 Injection attacks are dangerous, but logic attacks are even worse
5 For a pentester, brain and patience are the most important tools
The END
Thanks for your time :)
me@ayossef.net

linkedin.com/in/ayossef

facebook.com/ahmedabdallah21

Real Mobile Applications Pentesting Scenarios (The Weird, the Bad and the Ugly)
