
BSides Las Vegas 2019 - Reverse Engineering Mobile Apps: Never Pay for Transit Again

Past Event
Tuscany Hotel & Casino, Las Vegas, Nevada

What if I told you that there was an alarming number of security flaws in most major cities’ mass transit apps? And what if I told you I could demonstrate the successful exploitation of these apps? In this talk, I will do precisely that. The results of successful exploitation can range from the relatively harmless “stealing” (or forging) of e-tickets to the critical exposure of customer PII and account takeovers.

Often, mobile apps are synonymous with thick clients – meaning they run locally, cannot trust their runtime, and come with the same vulnerabilities as their ancestors. As such, I will explore dynamic instrumentation using Frida and demonstrate practical use cases to bypass security.

During my presentation, you’ll learn about the analysis of client-side obfuscation measures in mobile applications, such as encrypted HTTP bodies and encrypted application storage (flat files, SQLite databases, and custom mobile SDK-based encryption), which can be instrumental in uncovering security vulnerabilities.

Download the presentation.

To see some examples of Priyank's research, check out his Greyhound and Amtrak advisories.


About the speaker, Priyank Nigam

Senior Security Consultant

Priyank Nigam (OSCP, OSWP, GCFE) is a Senior Security Consultant at Bishop Fox. He focuses on source code reviews, web and mobile application penetration testing, and network security. As a researcher, he is interested in all things offensive security, reverse engineering, mobile security, and the Internet of Things.
