by Charles Muiruri

INTRODUCTION
CHARLES MUIRURI
- Security researcher.
- Mobile developer.
- I enjoy breaking to build and building to make the world a better place.
Twitter: @icrackthecode
Blog: icrackthecode.github.io
Recently released a bug on the iOS platform.
APPS, APPS AND MORE APPS
- Local sectors have embraced mobile applications to the point that almost every problem is solved via an app.
Thinking deep
But what problems are introduced?
Brief history of mobile security (2016)
- 2015 – Applications followed developer guidelines (less impact on security).
- Early to mid 2016 – Large-scale implementations of SSL pinning (credits to Emmanuel's AHCON 2016 talk).
- Mid 2016 – Reverse engineering made easy (credits to Christian and Chrispus for the MARA Framework).
Risks
- Less risk information was available with regard to users.
WHAT ABOUT 2017?
Let’s rant about reverse engineering and function hooking threats
Function Hooking
Function call hooking refers to a range of techniques used to intercept calls to pre-existing functions and wrap around them to modify the function's behavior at runtime.
Reverse Engineering
The reproduction of another manufacturer's product following detailed examination of its construction or composition.
How it should be
Risks
- Static code injection
- Runtime code injection
- Reverse engineering
Risks
- Infrastructure attacks
- Data violation (data leaks)
- Application monitoring
- Application escalation
HOW TO BE SAFE
- Installer app – Use the package manager to ensure the installing app is the Play/Amazon app store.
- Emulator check – Check system properties for telltale signs that the app is being run on an emulator, which outside of development could indicate attack/tampering.
- Debuggable check – Use the package manager to check the debuggable flag; this should be off in production, so finding it on could indicate attack/tampering.
- Signing certificate check – Use the package manager to verify the app is signed with your developer certificate (this would be broken if someone unpacked and repacked/resigned the app).
Other issues (credits to Christian for his previous research)
MOBILE (Client Side)
- OWASP Top 10 Mobile Vulnerabilities
- Hardcoded information such as certificates, API keys, URLs
- Insecure SSL implementation of the mobile app
- Weak cryptography technologies
- Allowing app backup
- Use of insecure random number generation
- Reverse engineering attacks
- Application code injection attacks
- Insecure implementation of 3rd-party services
- Internal IP address exposure
Communication Channel
- Less risk information was available with regard to users.
More issues
Server side
- OWASP Top 10 Web Vulnerabilities
- Running services and versions
- Insecure Transport Layer Security (TLS)/Secure Sockets Layer (SSL) implementation
- Multiple TLS/SSL-based vulnerabilities
- Insecure Application Program Interface (API) implementation
- User login enumeration via brute forcing
- Use of vulnerable web services and applications
THANK YOU