Millions of people rely on mobile e-ticketing applications to get from Point A to Point B every day. These applications serve as vital components for mass transit and essentially power America's major cities. But thanks to Frida - a well-known but not very popular dynamic instrumentation framework - you can easily reverse engineer mobile e-ticketing applications. In this talk, we'll explore new application-specific attack avenues using Frida. We will be leaving the jailbreak bypasses and SSL pinning bypasses of yesteryear by the wayside as we explore a new attack vector. We'll use Frida's code injection and module loading capabilities to demonstrate e-ticket forging and e-ticket "stealing." (And your commute just became that much less of a pain). Expect to learn the analysis of intermediate-level obfuscation measures such as encrypted HTTP body and encrypted application storage in mobile applications, which can be instrumental in uncovering security vulnerabilities.
Senior Security Analyst Priyank Nigam will present What the Frida Gave Me: A Novel Take on E-Ticket Forging and E-Ticket Stealing at THOTCON in Chicago this May 2019.
Check out some of Priyank Nigam's recent security advisories in the meantime - some of these will be discussed during the presentation.