Reverse Engineering Mobile Apps: Never Pay for Transit Again

BSidesLV 2019

Presented by: Priyank Nigam
Date: Tuesday August 06, 2019
Time: 14:00 - 14:55
Location: Underground

What if I told you that there was an alarming number of security flaws in most major cities’ mass transit apps? And what if I told you I could demonstrate the successful exploitation of these apps? In this talk, I will do precisely that. The results of successful exploitation can range from the relatively harmless “”stealing”” (or forging) of e-tickets to the critical exposure of customer PII information and account takeovers.

Often, mobile apps are synonymous with thick clients – meaning they run locally and cannot trust their runtime, and come with the same vulnerabilities as their ancestors. As such, I will explore dynamic instrumentation using Frida and demonstrate practical use-cases to bypass security.

During my presentation, you’ll learn about the analysis of client-side obfuscation measures such as encrypted HTTP body and encrypted application storage (flat files/SQliteDb/Custom mobile SDK-based encryption) in mobile applications, which can be instrumental in uncovering security vulnerabilities.

Priyank Nigam

As a senior security engineer, Priyank’s primary areas of focus are mobile application penetration testing and secure source code reviews. Over the past 4 years, he has advised Fortune 500 brands and startups and does mobile and IoT related research in his spare time. He also believes it is unwise to place trust in your smartphones.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats