First of all, we would like to wish you a happy new year 2020! Wishing you all the best. We have some exciting news regarding our training schedule for this year. Our Mobile Hacking course will be delivered in 3 different infosec conferences! If you want to have a preview of the covered subjects, we are going to tweet #mobile #hacking #tips in February. BSides Budapest - Workshop - March 26 Coming back to BSides Budapest in order to deliver not one but two workshops!
Training During the DeepSec event, we gave our Mobile Hacking training (this training was also provided at Hack In Paris). This training presented the toolset needed when assessing mobile applications (such as adb, Apktool, Jadx, Androguard, Cycript, Frida, Needle and MobSF) and, also, the techniques to help you to work faster and in a more efficient way in the mobile ecosystem. This 2-days training focused on Android and iOS applications.
Guillaume et moi-même avons écrit trois articles sur la sécurité des applications mobiles (tout le dossier en fait ;), qui ont été publiés dans le magazine MISC106 de novembre/décembre : Contournement de l’API Google Play Billing (for fun and profit ;) Auditer la sécurité d’une application iOS (avec et sans jailbreak) Présentation du Mobile Security Testing Guide de l’OWASP (devenu LA référence dans le domaine) Comme à notre habitude nous aurions aimé opter pour une licence CC dans le but de mettre les articles à disposition au plus grand nombre dès l’expiration des droits d’auteur, mais cela n’a été possible que pour un seul des trois articles.
RandoriSec is going back to DeepSec (Vienna, Austria) this year. Guillaume Lopes will give a talk about abusing the Google Play Billing API and he’ll give a training with Davy Douhine. The Mobile Hacking training, running the 27 and 28 November, is intended for penetration testers, bug bounty researchers or just curious who would like to improve their security testing skills applied to the mobile ecosystem. The objective of the course is to introduce the basic toolset (Adb, Apktool, Jadx, Cycript, Drozer, Frida, Hopper, Needle, etc.
RandoriSec was at Hack In Paris 2019 and it was wonderful! This 9th edition took place at Maison de la Chimie in Paris (of course;)). The event was divided in two parts: June 16th to 18th: 3 days of trainings with 13 different subjects (IoT, ICS, Windows exploitation, Web and mobile hacking, etc.) June 19th to 20th: 2 days of talks with a unique track.
The March 23th, Guillaume Lopes gave a talk at BSides Dublin about how to bypass the payment on Google Play Billing API. Synopsis: In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is not offering a sufficient level of protection in order to ensure the security of the payment transactions.
Guillaume Lopes (@Guillaume_Lopes) and Davy Douhine (@ddouhine), senior pentesters, will share many techniques, tips and tricks to deliver to pentesters, bug bounty researchers or just curious a 100% hands-on 2 days mobile training. Goal is to introduce tools (Adb, Apktool, Jadx, Cycript, Frida, Hopper, Needle, etc.) and techniques to help you to work faster and in a more efficient way in the mobile (Android and iOS) ecosystem. This is the exact training that you would have liked to have before wasting your precious time trying and failing while testing.
As Google defines it “Google Play Billing is a service that lets you sell digital content from inside an Android app, or in-app.“ It can be used to sell one-time products like additional game levels, premium loot boxes, media files or subscriptions like online magazines or music streaming services. But what could possibly go wrong when this service is doing client side validation ? Guillaume worked on this for Checkmarx and published a complete blog post explaining the results and the detailed steps to bypass the InApp Billing process and obtain unlimited credits: https://www.