Hackers of India

Mobile Code mining for discovery and exploits

 Hemil Shah 

2013/03/01


Presentation Material

Presentation

Mobile code mining for discovery and exploits nullcongoa2013 from Blueinfy Solutions


Abstract

Application source code is a major source of vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 80% of the time, a vulnerability crops up due to programming errors. According to IBM labs, there is a possibility of at least one security issue contained in every 1000 lines of code. To avoid these sorts of security issues, one needs to follow sound secure coding and design principles. It is also imperative to know code review methodologies and strategies to assess the quality of code before deploying to production. The talk covers common mobile vulnerabilities with use cases, demos and tools to identify vulnerabilities in mobile applications on iOS, Android and Windows Phone. It is imperative to understand the source code review methodology for mobile applications, and the presentation will cover this in detail.

AI Generated Summary (may contain errors)

The speaker is discussing a tool for identifying security vulnerabilities in mobile applications. The tool uses rules written in XML to scan application code for potential issues, such as accessing PII (Personally Identifiable Information), storing sensitive data locally, and exploiting SSL certificates.

The speaker demonstrates how to use the tool on an Android app, showing how to select the source code, choose the categories to scan, and run the pattern matching. The results are displayed in a report, including traces of logging, SQL injection, and client-side exploitation.

Next, the speaker shows how to use the tool on an iOS app, selecting the source code and categories to scan, and running the pattern matching. The results again include reports of logging, SQL injection, and potential vulnerabilities.

Finally, the speaker discusses a specific check for debuggable flags in Android apps, which can be exploited by attackers to gain full access to the Java process and execute arbitrary code on the device. A script is available on the website to detect whether the debuggable flag is enabled in an app.

Overall, the tool provides a way to identify potential security vulnerabilities in mobile applications and help developers improve their app’s security.
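A minimal version of the debuggable-flag check described above, as an added example; it is not the script mentioned in the talk. It assumes the manifest has already been decoded to plain-text XML (the copy inside an APK is binary XML, which tools such as apktool decode), and the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS


def debuggable_status(manifest_xml):
    """Return (package, status) for a decoded, plain-text AndroidManifest.xml.

    status is 'enabled', 'disabled' or 'unresolved' (the value is a resource
    reference such as @bool/... that has to be looked up in res/values).
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    package = root.get("package", "<unknown>")
    app = root.find("application")
    raw = app.get(DEBUGGABLE_ATTR) if app is not None else None
    if raw is None:
        return package, "disabled"  # attribute absent: platform default is false
    value = raw.strip().lower()
    if value in ("true", "false"):
        return package, "enabled" if value == "true" else "disabled"
    return package, "unresolved"


def _sample(package, app_attrs):
    # Builds a constructed manifest; not taken from any real application.
    return ('<manifest xmlns:android="%s" package="%s"><application %s/></manifest>'
            % (ANDROID_NS, package, app_attrs))


SAMPLES = {
    "debug": _sample("com.example.debugbuild", 'android:debuggable="true"'),
    "release": _sample("com.example.release", 'android:debuggable="false"'),
    "default": _sample("com.example.noattr", ""),
    "indirect": _sample("com.example.indirect", 'android:debuggable="@bool/dbg"'),
}


def audit(manifests):
    """Map each label to (package, status); anything not 'disabled' needs review."""
    return {name: debuggable_status(xml) for name, xml in manifests.items()}


if __name__ == "__main__":
    for name, (pkg, status) in audit(SAMPLES).items():
        print("%-9s %-24s debuggable=%s" % (name, pkg, status))
```

An `unresolved` result should fail a release gate the same way `enabled` does until the referenced resource has been checked.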