c0c0n 2020 | RT-WS-2 Practical Mobile App Attacks By Example

Red Team Village Workshop - 02

Practical Mobile App Attacks By Example

ABSTRACT

If you are the kind of person who enjoys workshops with practical information that youcan immediately apply when you go back to work, this workshop is for you, all action, nofluff :) Attendants will be provided with training portal access to practice some attack vectors,including multiple mobile app attack surface attacks, deeplinks and mobile app dataexfiltration with XSS. This includes: Lifetime access to a training VM, vulnerable apps topractice, guided exercise PDFs and video recording explaining how to solve theexercises.This workshop is a comprehensive review of interesting security flaws that we havediscovered over the years in many Android and iOS mobile apps:

An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirementssuch as password vaults and privacy browsers, security issues in government-mandatedapps with considerable media coverage such as Smart Sheriff, apps that report humanright abuse where a security flaw could get somebody killed in the real world, and more.

The workshop offers a thorough review of interesting security anti-patterns and how theycould be abused, this is very valuable information for those intending to defend or findvulnerabilities in mobile apps.This workshop is for those who are intending to broaden their knowledge of mobilesecurity with actionable information derived from real-world penetration testing of mobileapps.Please come caffeinated, the audience will be challenged to spot vulnerabilities at anymoment :)

Speaker

Abraham Aranguren
CEO, Security Trainer, Director of Penetration Testing - 7A Security

After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity(7asecurity.com), a company specializing in penetration testing of web/mobile apps,infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB,OWASP Global AppSec and many other events. Former senior penetration tester / teamlead at Cure53 (cure53.de) and Version 1 (www.version1.com). Creator of “PracticalWeb Defense” - a hands-on eLearnSecurity attack / defense course(www.elearnsecurity.com/PWD), OWASP OWTF project leader, an OWASP flagshipproject (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP,OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard.

He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

CONFERENCE PARTNERS

Kerala Police

Kerala Police

https://keralapolice.gov.in/

ISRA

Information Security Research Association (ISRA)

https://is-ra.org

POLCYB

The Society for the Policing of Cyberspace (POLCYB)

https://polcyb.org/

PLATINUM SPONSORS

vensec

SILVER SPONSORS

Bharat Petroleum

Indian Oil Corporation

Cochin Shipyard

GAIL (India) Limited

Palo Alto Networks solutions

BRONZE SPONSORS

ICICI Bank

Canara Bank

South Indian Bank

Petronet LNG Limited

Geojit

V-Guard Industries

Damro

Luker

AVT

SUPPORTING PARTNERS

Cyberdome

Kerala Police Social Media Cell

CTF PARTNERS

Beagle Security

Winja

Security Innovation

COMMUNITY PARTNER

CyberPsy

null Community Platform

null Community Platform

Matriux

matriux

Bsides Maharashtra

Bsides Maharashtra

VILLAGE PARTNERS

Bug Discover

Bug Discover

VENUE PARTNER

CHAKOLAS PAVILION

CHAKOLAS PAVILION