Mobile Hacking Crash Course

pure native apps
  no web views
Hybrid apps
  both native and web views
web wrapper apps
  thin web views
  allow most code to be shared between existing web apps and new mobile apps
Hybrid frameworks
  Xamarin
  PhoneGap
  Cordova
  Titanium
languages
  iOS
    Objective-C
    Swift
  Android
    Java
  Both
    JavaScript
Target Selection
  apps that use a large number of web views
  apps that wrap a web app
  apps that expose a lot of different functionality when talking to servers
  Games with leaderboards
    vulnerable: stored XSS, SQL injection
Set up a Proxy
  proxy listening on all interfaces (the default is to listen on localhost only)
Standard web bugs
  SQL injection
  Direct object reference
  Improper authorization/authentication
  insecure uploads
  check credential storage
Look for insecure connections
  all connections over HTTPS
  plain HTTP connections are a sign that critical data may go over the wire in plaintext
Lookout
  secrets
    most apps contain embedded secret keys (recoverable by decompilation)
  session-keeping
    sessions typically handled via cookies, sent with every single request
    redirect to your server may lead to account compromise
  Find debug/dev interfaces
    change web service targets, communications, modify sessions
  app data
    cached credentials
    transaction histories
    low-hanging fruit in mobile applications
  Insecure Crypto
    hand-rolled cryptosystems for data at rest: universally broken
    insecure cipher modes
    known-bad algorithms
  Check for screenshots
    when a mobile app goes into the background, the OS takes a screenshot to show in the app switcher
    the screenshot is stored on disk and can reveal things like account numbers
    sensitive data visible when switching apps is a vulnerability