NOTE: In 2020, a new talk will substantially improve this one to include an interesting third app and better explain the other ones. In late 2019, I had the privilege of giving a talk and an interview at SEC-T and DeepSec about “Chinese Police and CloudPets”. Basically a summary of highlights from 3 different pentest …
Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] Part 5: RCE in WebView [ MSTG-PLATFORM-7 ] Part 6: XOR Crypto FAIL [ MSTG-CRYPTO-1 ] Part 7: AES Crypto FAIL [ MSTG-CRYPTO-1 ] The OWASP Mobile Application Security Verification …
Bully API, Government-Mandated Apps, MASVS, Mobile Application Security Verification Standard, Mobile Security, Mobile Security Testing Guide, MSTG, MSTG-AUTH-1, Password Leak, Smart Sheriff, South Korea
Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] Part 5: RCE in WebView [ MSTG-PLATFORM-7 ] Part 6: XOR Crypto FAIL [ MSTG-CRYPTO-1 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog …
Android, Crypto, Government-Mandated Apps, Java, MASVS, MitM, Mobile Application Security Verification Standard, Mobile Security, Mobile Security Testing Guide, MSTG, MSTG-CRYPTO-1, Smart Sheriff, South Korea
Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] Part 5: RCE in WebView [ MSTG-PLATFORM-7 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V3: Cryptography Requirements, as follows: …
Android, Crypto, Government-Mandated Apps, MASVS, Mobile Application Security Verification Standard, Mobile Security, Mobile Security Testing Guide, MSTG, MSTG-CRYPTO-1, Smart Sheriff, XOR
Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V6: Platform Interaction Requirements, as follows: MSTG‑PLATFORM‑7: If native methods of the app …
addJavaScriptInterface, Android, Government-Mandated Apps, MASVS, MitM, Mobile Application Security Verification Standard, Mobile Security, Mobile Security Testing Guide, MSTG, MSTG-PLATFORM-7, Smart Sheriff, South Korea
Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V5: Network Communication Requirements, as follows: MSTG‑NETWORK‑2: The TLS settings are in line with current best practices, or as close as possible if …
Android, DeepSec, Government-Mandated Apps, MASVS, MitM, Mobile Application Security Verification Standard, Mobile Security, Mobile Security Testing Guide, MSTG, MSTG‑NETWORK‑2, Public Speaking, Smart Dream, Smart Sheriff, South Korea
Previous blog posts you might have missed and maybe you would like to read first for background: Part 1: Intro Part 2: Translating APKs The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V5: Network Communication Requirements, as follows: MSTG-NETWORK-1: Data is encrypted on the network using …
Brucon, Government-Mandated Apps, MASVS, MitM, Mobile Application Security Verification Standard, Mobile Security, Mobile Security Testing Guide, MSTG, MSTG-NETWORK-1, Public Speaking, Smart Dream, Smart Sheriff, South Korea, SSL, TLS
If you missed Hacking Mandated Apps – Part 1: Intro please start there for background 🙂 Translating APKs in beautiful exotic languages As explained in the intro, the team did not get access to the sources of the app. We had to first retrieve the APK from a Korean APK download service, decompile the APK and then …
NOTE: This was all coordinated work with human rights activists, vulnerabilities were reported, findings public, and talk (below) given! 🙂 Is monitoring your children something your country’s government asks you to do? Do you feel you need the government’s help to parent your child, technologically? What if I told you there is a country that forced its …
With so many automated tools around it is no wonder that many organizations choose to automate some aspects of security testing. There is value in doing this, especially when we refer to fuzzing supervised by humans or in automated dynamic or static analysis to catch suspicious or low hanging fruit vulnerabilities early in the development …