Mobile Application Hacking
Mobile applications are often treated like a modern black box: everyone uses them, but no one really knows how they work. This presentation will show how to get past that sense of mystery and effectively examine the security of various mobile apps.
Learning how to begin security testing for websites or network applications is extremely well documented, but the same is not true for mobile applications. There is, of course, a variety of guides on this subject, but putting it all together into a practical starting point can be challenging.
This talk will cover how to get started with mobile application security (both iOS and Android) in two major areas. The first is network traffic analysis, which will focus on HTTP communications to and from mobile apps. The second is application reverse engineering. Reverse engineering may sound pretty advanced, but for many applications this ends up being no harder than reading the source code. With a very basic understanding of both these areas, it is possible to get great results when examining mobile applications.
To demonstrate this, a variety of current and past mobile applications will be examined using the techniques introduced in this presentation. It may be surprising to see which well-known applications suffer (or previously suffered) from some easy-to-discover issues.
Speaker Bio: Wesley Wineberg has over 10 years of experience working in information security. Wes is currently working full-time on various bug bounty programs. Prior to being a professional bounty hunter, Wes worked on the Azure Red Team at Microsoft (Azure is a shade of Blue, which is who the Red Team is making great again). Wes has had various security roles, covering everything from web apps to hardware security, but primarily enjoys offensive security work.