What The Frida Gave Me: A Novel Take on E-Ticket Forging and E-Ticket Stealing

By Priyank Nigam on 04 May 2019 @ Thotcon
#frida #application-pentesting #dynamic-analysis #secure-development #security-testing #code-review
Focus Areas: Application Security, DevSecOps, Malware Analysis, Reverse Engineering

Abstract

Millions of people rely on mobile e-ticketing applications to get from Point A to Point B every day. These applications serve as vital components for mass transit and essentially power America’s major cities. But thanks to Frida - a well-known but not very popular dynamic instrumentation framework - you can easily reverse engineer mobile e-ticketing applications. In this talk, we’ll explore new application-specific attack avenues using Frida. We will be leaving the jailbreak bypasses and SSL pinning bypasses of yesteryear by the wayside as we explore a new attack vector. We’ll use Frida’s code injection and module loading capabilities to demonstrate e-ticket forging and e-ticket “stealing.” (And your commute just became that much less of a pain). Expect to learn the analysis of intermediate-level obfuscation measures such as encrypted HTTP body and encrypted application storage in mobile applications, which can be instrumental in uncovering security vulnerabilities.