All aboard the Pineapple Express, its a speeding bullet to the mobile backend! I’m looking forward to speaking at the upcoming B-Sides San Francisco. Most of the mobile security research has been focused on the apps on devices, but I have been more interested in the services and back-ends that power mobile apps.
In this talk, we’ll go beyond the typical discussion points on mobile security to delve into the vulnerable back-ends mobile applications. I will demonstrate how easy it is to find vulnerabilities and attack the service calls in social media, banking and payment applications.
These applications leverage new formats like JSON, AJAX and REST to deliver a rich user experience, but unfortunately they are too often exposing the same familiar vulnerabilities like SQL and Command injection. During this talk, I will demonstrate just how vulnerable these back-ends can be and how easy it is to watch the traffic and attack these interfaces.
The first step in learning to attack these mobile applications is understanding the formats used. Participants learn how to break-down these new formats, where to attack them and which tools and techniques make it easy to attack these back-end interfaces.
The audience will have the opportunity to connect to my Wifi Pineapple and use their real apps, which I will snoop and demonstrate how to hack the backends. While they won’t actually hack applications, the group will watch the live traffic and the discuss techniques that can be used to hack those applications.