Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bypassing Mobile Protections

Daiane Santos
March 26, 2022
Programming
1
9

Bypassing Mobile Protections

Besides SP - 2022
Trilha Cybersecurity Girls

Daiane Santos

March 26, 2022
Tweet

More Decks by Daiane Santos

See All by Daiane Santos
A Journey into Mobile Malwares
daianesantos
1
71
Securing Mobile Devices
daianesantos
1
13
Mobile Malwares: how to avoid them
daianesantos
1
15
Pegasus Spyware, a analysis
daianesantos
1
150
Mobile Malwares
daianesantos
1
4
Bypassing APK Protections
daianesantos
1
23
Mobile Hacking
daianesantos
1
20
CTF - From 0 to Hero
daianesantos
1
74
GDPR e LGPD: O que eu tenho a ver?
daianesantos
2
300

Other Decks in Programming

See All in Programming
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
970
RubyLSPのマルチバイト文字対応
notfounds
0
120
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
Jakarta EE meets AI
ivargrimstad
0
130
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
340
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
1
300
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
cmp.Or に感動した
otakakot
3
200
エンジニアとして関わる要件と仕様(公開用)
murabayashi
0
300

Featured

See All Featured
Code Review Best Practice
trishagee
64
17k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
KATA
mclloyd
29
14k
BBQ
matthewcrist
85
9.3k
Facilitating Awesome Meetings
lara
50
6.1k
Fireside Chat
paigeccino
34
3k
Code Reviewing Like a Champion
maltzj
520
39k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Being A Developer After 40
akosma
87
590k
RailsConf 2023
tenderlove
29
900

Transcript

  1. Comunidade de mulheres em Cybersecurity 1

  2. Bypassing Mobile Protections DAIANE SANTOS

  3. Disclaimer: The content presented here is my responsibility and has

    nothing to do with the opinions of my employer.

  4. Disclaimer 2: The content presented here is only created for

    educational purposes.

  5. 02 01 whoami mobile timeline 03 owasp mobile top 10

    04 protections 05 bypasses 06 contact what we have for today Agenda

  6. Daiane Santos Mobile Security Engineer @ Nubank CTF Player and

    Captain @ RATF Autist AH/SD Enthusiast of Neuroscience I like chess whoami

  7. 1987 Calls Mobira Cityman 900 First GSM (2G) phone Calls

    SMS 1992 1996 Vibrate Mode GSM SMS Calls 2000 FM Radio Opera mini web browser Camera Voice Recorder Vibrate Mode GSM (3G) SMS Calls 2007 First iPhone Apps A lot of new features Timeline Nokia 2110 Motorola StarTAC Nokia 3310 iPhone 2G
  8. None
  9. None

  10. Reverse Engineering

  11. Change .apk for .zip And you're be able to see

    all the folders, AndroidManifest, etc. easy "hack"

  12. API calls or endpoints understanding the way some security controls

    are implemented root detection -> SuperUser hardcoded sensitive information inside the code backdoor accounts, API keys and secrets, passwords... interesting strings points of encryption and obfuscation so we can decrypt and de-obfuscate What we are looking for?

  13. Activities: Broadcast receivers: Services: Components that provide a screen with

    which users can interact. Components that receive and respond to broadcast messages from other apps or from the operating system. Components that perform operations in the background. What we are looking for?

  14. AndroidManifest.xml

  15. MobSF

  16. Frida.re

  17. What we can do?

  18. Magisk

  19. MagiskSU: Magisk Modules: MagiskBoot: Zygisk: Provide root access for applications

    Modify read-only partitions by installing modules The most complete tool for unpacking and repacking Android boot images Run code in every Android applications' processes What we can do?

  20. What we can do?

  21. Contact me: @Wh0isdxk Questions