Hacking Mandated Apps – Part 7: AES Crypto FAIL [ MSTG-CRYPTO-1 ]

Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] Part 5: RCE in WebView [ MSTG-PLATFORM-7 ] Part 6: XOR Crypto FAIL [ MSTG-CRYPTO-1 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog …

Hacking Mandated Apps – Part 6: XOR Crypto FAIL [ MSTG-CRYPTO-1 ]

Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] Part 5: RCE in WebView [ MSTG-PLATFORM-7 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V3: Cryptography Requirements, as follows: …

Hacking Mandated Apps – Part 5: RCE in WebView [ MSTG-PLATFORM-7 ]

Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V6: Platform Interaction Requirements, as follows: MSTG‑PLATFORM‑7: If native methods of the app …

Hacking Mandated Apps – Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ]

Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V5: Network Communication Requirements, as follows: MSTG‑NETWORK‑2: The TLS settings are in line with current best practices, or as close as possible if …

Hacking Mandated Apps – Part 2: Translating APKs

If you missed Hacking Mandated Apps – Part 1: Intro please start there for background 🙂 Translating APKs in beautiful exotic languages As explained in the intro, the team did not get access to the sources of the app. We had to first retrieve the APK from a Korean APK download service, decompile the APK and then …