BSides Panama 2026
- Date: January 24, 2026
- Location: Panama City, Panama
Bishop Fox consultants Luis de la Rosa and José Emiliano Perez present practical, experience-driven sessions on mobile penetration testing and the attack surface of modern JavaScript bundlers at BSides Panama. For full details, visit the conference website: https://bsidespa.org.
"Mobile Pentest Survival Guide Reloaded"
Speaker: Luis de la Rosa, Security Consultant II, Bishop Fox
Date/Time: January 24, 2026 | 11:20 a.m. – 12:05 p.m. CT
Abstract:
In an environment where Android apps increasingly incorporate security controls, such as root detection, integrity validation, SSL pinning, and protected storage, effectively auditing them requires a deep understanding of these mechanisms. This talk offers a practical guide for mobile penetration testers based on real-world experience, explaining how these defenses work, why they are often implemented incorrectly, and what signals can identify weak configurations. The most common controls in the Android ecosystem and the challenges they present during assessments are reviewed, along with common analysis tools. To illustrate these concepts, a vulnerable app created specifically for the session will be used, allowing for the examination of common issues such as insecure storage, exposed content providers, and poorly designed authentication flows. The audience will gain a clear understanding of modern defenses, their common weaknesses, and how to address them responsibly in professional audits.
"Unpacking the Bundle - Weaponizing Webpack & Source Maps for Critical Info Disclosure"
Speaker: José Emiliano Perez, Security Consultant, Bishop Fox
Date/Time: January 24, 2026 | 3:20 – 4:05 p.m. CT
Abstract:
This talk explores the overlooked attack surface of modern JavaScript bundlers (Webpack, Vite, Parcel) and demonstrates how they frequently become a goldmine for sensitive information disclosure. While developers focus on server-side security, the “build pipeline” often suffers from Insecure Design (OWASP A04:2021). By failing to segregate development artifacts from production environments, organizations expose source maps (.map files) and unminified bundles to the public internet.